Virtumonde Trojan - Please Help

sssmiley
2009-07-07, 07:47
Hi,

I have a Virtumonde Trojan and need help getting rid of it.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:05 PM, on 7/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINXP\system32\HPZipm12.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXP\system32\cidaemon.exe
C:\WINXP\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINXP\System32\DLA\DLACTRLW.EXE
C:\Program Files\PeoplePC\ISP7130\Browser\Bartshel.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PeoplePC\ISP7130\Browser\PPShared.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINXP\System32\DLA\DLASHX_W.DLL
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP7130\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINXP\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212268998159
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{02B7C4C4-CBE2-400B-B476-246D034045CC}: NameServer = 207.69.188.167 207.69.188.166
O17 - HKLM\System\CS1\Services\Tcpip\..\{02B7C4C4-CBE2-400B-B476-246D034045CC}: NameServer = 207.69.188.167 207.69.188.166
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINXP\system32\STacSV.exe

--
End of file - 9065 bytes

Blade81
2009-07-08, 15:57
Hi,

In which item(s) is the infection located, and what program made the detection?

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double-click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

sssmiley
2009-07-12, 06:07
Hi,

I used Spybot Search & Destroy to find the trojan. It was found in file:
C:\WINXP\system32\zipfldr.dll

DDS.txt:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Smiley at 20:01:47.10 on Sat 07/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.2895 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090711-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINXP\system32\HPZipm12.exe
C:\WINXP\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINXP\System32\DLA\DLACTRLW.EXE
C:\Program Files\PeoplePC\ISP7130\Browser\Bartshel.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\system32\SearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXP\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PeoplePC\ISP7130\Browser\PPShared.exe
C:\WINXP\system32\cidaemon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PeoplePC\ISP7130\Browser\Bartshel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP\system32\SearchProtocolHost.exe
C:\Documents and Settings\Smiley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://home.peoplepc.com/search
uStart Page = hxxp://home.peoplepc.com/websearch
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://home.peoplepc.com/search
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\winxp\system32\dla\DLASHX_W.DLL
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\people~1\PRPL_I~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PeoplePal Toolbar: {a8fb8eb3-183b-4598-924d-86f0e5e37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
TB: PeoplePal Toolbar: {a8fb8eb3-183b-4598-924d-86f0e5e37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Bart Station] c:\program files\peoplepc\isp7130\bin\PPCOLink.exe -STATION
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\winxp\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: azstcu.org
Trusted Zone: peoplepc.com\search
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212268998159
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: {02B7C4C4-CBE2-400B-B476-246D034045CC} = 207.69.188.167 207.69.188.166
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\winxp\system32\drivers\aswSP.sys [2008-8-27 114768]
R2 aswFsBlk;aswFsBlk;c:\winxp\system32\drivers\aswFsBlk.sys [2008-8-27 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-27 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-27 352920]

=============== Created Last 30 ================


==================== Find3M ====================

2009-05-25 00:24 350,208 a------- c:\winxp\system32\mssph.dll
2009-05-22 08:51 44,944 -------- c:\winxp\system32\drivers\pxhelp20.sys
2009-05-12 22:15 915,456 a------- c:\winxp\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\winxp\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\winxp\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\winxp\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\winxp\system32\rpcrt4.dll
2008-06-17 16:36 32,768 a--sh--- c:\winxp\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052620080602\index.dat
2008-06-17 16:36 32,768 a--sh--- c:\winxp\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061720080618\index.dat

============= FINISH: 20:02:10.93 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2008 1:36:16 PM
System Uptime: 7/9/2009 4:56:08 AM (64 hours ago)

Motherboard: Dell Inc. | | 0J8885
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 110.112 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP358: 4/13/2009 3:00:15 AM - Software Distribution Service 3.0
RP359: 4/14/2009 9:48:03 AM - System Checkpoint
RP360: 4/14/2009 10:24:03 AM - Software Distribution Service 3.0
RP361: 4/14/2009 10:36:57 AM - Software Distribution Service 3.0
RP362: 4/15/2009 11:31:26 AM - System Checkpoint
RP363: 4/15/2009 9:44:05 PM - Software Distribution Service 3.0
RP364: 4/16/2009 6:43:01 PM - Software Distribution Service 3.0
RP365: 4/17/2009 7:11:12 AM - Software Distribution Service 3.0
RP366: 4/18/2009 3:58:25 AM - Software Distribution Service 3.0
RP367: 4/19/2009 5:35:36 AM - System Checkpoint
RP368: 4/19/2009 6:09:51 AM - Software Distribution Service 3.0
RP369: 4/20/2009 9:40:56 AM - System Checkpoint
RP370: 4/20/2009 11:11:03 AM - Software Distribution Service 3.0
RP371: 4/20/2009 4:04:16 PM - Software Distribution Service 3.0
RP372: 4/21/2009 4:48:43 PM - System Checkpoint
RP373: 4/22/2009 3:00:14 AM - Software Distribution Service 3.0
RP374: 4/23/2009 3:00:15 AM - Software Distribution Service 3.0
RP375: 4/23/2009 9:12:21 AM - Software Distribution Service 3.0
RP376: 4/24/2009 4:45:34 AM - Software Distribution Service 3.0
RP377: 4/25/2009 3:00:14 AM - Software Distribution Service 3.0
RP378: 4/26/2009 6:07:03 AM - System Checkpoint
RP379: 4/27/2009 6:43:37 AM - System Checkpoint
RP380: 4/27/2009 11:54:28 AM - Software Distribution Service 3.0
RP381: 4/27/2009 5:43:38 PM - Software Distribution Service 3.0
RP382: 4/28/2009 5:49:05 PM - System Checkpoint
RP383: 4/29/2009 3:00:20 AM - Software Distribution Service 3.0
RP384: 4/29/2009 9:01:55 AM - Software Distribution Service 3.0
RP385: 4/30/2009 7:45:24 AM - Software Distribution Service 3.0
RP386: 5/1/2009 4:23:09 AM - Software Distribution Service 3.0
RP387: 5/2/2009 3:00:17 AM - Software Distribution Service 3.0
RP388: 5/3/2009 5:27:39 AM - System Checkpoint
RP389: 5/4/2009 3:00:16 AM - Software Distribution Service 3.0
RP390: 5/4/2009 11:11:26 AM - Software Distribution Service 3.0
RP391: 5/5/2009 12:09:16 PM - Software Distribution Service 3.0
RP392: 5/6/2009 3:00:15 AM - Software Distribution Service 3.0
RP393: 5/6/2009 8:15:23 PM - Software Distribution Service 3.0
RP394: 5/7/2009 3:00:14 AM - Software Distribution Service 3.0
RP395: 5/7/2009 6:25:10 AM - Software Distribution Service 3.0
RP396: 5/8/2009 6:07:00 AM - Software Distribution Service 3.0
RP397: 5/9/2009 7:54:23 AM - System Checkpoint
RP398: 5/10/2009 3:00:15 AM - Software Distribution Service 3.0
RP399: 5/11/2009 3:08:04 AM - System Checkpoint
RP400: 5/11/2009 9:58:38 AM - Software Distribution Service 3.0
RP401: 5/11/2009 5:56:37 PM - Software Distribution Service 3.0
RP402: 5/12/2009 6:45:35 PM - System Checkpoint
RP403: 5/12/2009 9:35:05 PM - Software Distribution Service 3.0
RP404: 5/13/2009 9:44:30 PM - System Checkpoint
RP405: 5/14/2009 3:00:15 AM - Software Distribution Service 3.0
RP406: 5/15/2009 3:44:29 AM - System Checkpoint
RP407: 5/16/2009 4:32:02 AM - Software Distribution Service 3.0
RP408: 5/19/2009 10:54:40 AM - System Checkpoint
RP409: 5/20/2009 3:00:15 AM - Software Distribution Service 3.0
RP410: 5/20/2009 7:48:48 AM - Software Distribution Service 3.0
RP411: 5/20/2009 4:54:29 PM - Software Distribution Service 3.0
RP412: 5/20/2009 10:18:24 PM - Software Distribution Service 3.0
RP413: 5/21/2009 6:03:53 AM - Software Distribution Service 3.0
RP414: 5/22/2009 3:00:15 AM - Software Distribution Service 3.0
RP415: 5/23/2009 3:08:25 AM - System Checkpoint
RP416: 5/24/2009 3:26:59 AM - System Checkpoint
RP417: 5/24/2009 5:53:37 AM - Software Distribution Service 3.0
RP418: 5/25/2009 10:57:15 AM - System Checkpoint
RP419: 5/25/2009 4:24:45 PM - Software Distribution Service 3.0
RP420: 5/26/2009 3:00:15 AM - Software Distribution Service 3.0
RP421: 5/27/2009 3:00:15 AM - Software Distribution Service 3.0
RP422: 5/28/2009 3:54:22 AM - System Checkpoint
RP423: 5/28/2009 8:20:58 PM - Software Distribution Service 3.0
RP424: 5/29/2009 8:34:44 PM - System Checkpoint
RP425: 5/30/2009 3:00:15 AM - Software Distribution Service 3.0
RP426: 5/31/2009 3:03:03 AM - System Checkpoint
RP427: 6/1/2009 3:00:16 AM - Software Distribution Service 3.0
RP428: 6/2/2009 12:26:26 AM - Software Distribution Service 3.0
RP429: 6/3/2009 12:44:57 AM - System Checkpoint
RP430: 6/3/2009 3:00:15 AM - Software Distribution Service 3.0
RP431: 6/3/2009 10:59:00 AM - Software Distribution Service 3.0
RP432: 6/3/2009 11:25:47 AM - Software Distribution Service 3.0
RP433: 6/4/2009 3:00:15 AM - Software Distribution Service 3.0
RP434: 6/5/2009 3:00:15 AM - Software Distribution Service 3.0
RP435: 6/6/2009 3:56:02 AM - System Checkpoint
RP436: 6/7/2009 3:00:14 AM - Software Distribution Service 3.0
RP437: 6/8/2009 10:35:18 AM - System Checkpoint
RP438: 6/9/2009 3:00:15 AM - Software Distribution Service 3.0
RP439: 6/10/2009 3:00:34 AM - Software Distribution Service 3.0
RP440: 6/10/2009 10:10:44 AM - Software Distribution Service 3.0
RP441: 6/11/2009 3:00:16 AM - Software Distribution Service 3.0
RP442: 6/12/2009 3:02:00 AM - System Checkpoint
RP443: 6/12/2009 8:17:07 AM - Software Distribution Service 3.0
RP444: 6/13/2009 3:00:15 AM - Software Distribution Service 3.0
RP445: 6/14/2009 3:00:17 AM - Software Distribution Service 3.0
RP446: 6/15/2009 3:53:16 AM - System Checkpoint
RP447: 6/15/2009 11:12:28 PM - Software Distribution Service 3.0
RP448: 6/16/2009 8:07:30 PM - Software Distribution Service 3.0
RP449: 6/17/2009 11:21:13 AM - Software Distribution Service 3.0
RP450: 6/18/2009 3:00:16 AM - Software Distribution Service 3.0
RP451: 6/19/2009 7:06:46 AM - System Checkpoint
RP452: 6/20/2009 3:00:15 AM - Software Distribution Service 3.0
RP453: 6/21/2009 6:22:18 AM - System Checkpoint
RP454: 6/21/2009 6:50:00 AM - Software Distribution Service 3.0
RP455: 6/22/2009 3:00:15 AM - Software Distribution Service 3.0
RP456: 6/22/2009 9:42:56 AM - Software Distribution Service 3.0
RP457: 6/22/2009 10:42:56 AM - Software Distribution Service 3.0
RP458: 6/22/2009 10:18:39 PM - Software Distribution Service 3.0
RP459: 6/23/2009 3:00:16 AM - Software Distribution Service 3.0
RP460: 6/24/2009 3:00:16 AM - Software Distribution Service 3.0
RP461: 6/25/2009 3:06:42 AM - System Checkpoint
RP462: 6/25/2009 6:57:07 AM - Software Distribution Service 3.0
RP463: 6/26/2009 3:00:15 AM - Software Distribution Service 3.0
RP464: 6/27/2009 3:00:16 AM - Software Distribution Service 3.0
RP465: 6/28/2009 3:40:13 AM - System Checkpoint
RP466: 6/29/2009 3:00:16 AM - Software Distribution Service 3.0
RP467: 6/30/2009 3:00:16 AM - Software Distribution Service 3.0
RP468: 6/30/2009 2:34:50 PM - Software Distribution Service 3.0
RP469: 6/30/2009 6:44:31 PM - Software Distribution Service 3.0
RP470: 7/1/2009 7:39:59 PM - System Checkpoint
RP471: 7/1/2009 10:45:22 PM - Software Distribution Service 3.0
RP472: 7/2/2009 6:13:06 AM - Software Distribution Service 3.0
RP473: 7/3/2009 3:00:18 AM - Software Distribution Service 3.0
RP474: 7/4/2009 3:46:44 AM - System Checkpoint
RP475: 7/4/2009 1:13:36 PM - Software Distribution Service 3.0
RP476: 7/4/2009 1:45:38 PM - Software Distribution Service 3.0
RP477: 7/5/2009 6:23:41 AM - Software Distribution Service 3.0
RP478: 7/6/2009 7:20:08 AM - System Checkpoint
RP479: 7/7/2009 7:36:01 AM - System Checkpoint
RP480: 7/8/2009 8:22:10 AM - System Checkpoint
RP481: 7/9/2009 9:00:28 AM - System Checkpoint
RP482: 7/10/2009 10:24:28 AM - System Checkpoint
RP483: 7/11/2009 12:07:15 PM - System Checkpoint

==== Installed Programs ======================

5600
5600_Help
5600Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
avast! Antivirus
Bonjour
BufferChm
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Dell Media Experience
Dell ResourceCD
Dell Support
Destinations
DeviceManagementQFolder
DocProc
ERUNT 1.1j
eSupportQFolder
Fax
FretPro V.2.00
getPlus(R)_ocx
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
iTunes
K-Lite Codec Pack 3.8.0 Basic
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NewCopy
PeoplePC Online
PeoplePC Simple Switch
PeoplePC:PeoplePal Toolbar 7.0
PowerDVD 5.5
ProductContext
QuickTime
Readme
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel Audio
SolutionCenter
Sonic Update Manager
Spybot - Search & Destroy
Status
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB942763)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/5/2009 4:32:38 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\winxp\system32\zipfldr.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
7/4/2009 1:45:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Windows Live Essentials.
7/4/2009 1:45:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Internet Explorer 8 Compatibility View List for Windows XP (KB971930).
7/4/2009 1:45:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Office Live add-in 1.4.
7/4/2009 1:45:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520).
7/4/2009 1:45:37 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x800706ba: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86.

==== End Of File ===========================


Hope this helps.

Thanks

Blade81
2009-07-12, 11:24
Hi,

Have you updated Spybot definitions lately? Please make sure you have the latest definitions in use and then run the scan again.


Uninstall PeoplePC:PeoplePal Toolbar 7.0


Uninstall old Adobe Reader versions and get the latest one (9.1 + update 9.1.2 for it) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).


Reboot and post a fresh dds.txt log. Let me also know if Spybot with latest definition update still finds the threat.

sssmiley
2009-07-13, 23:11
Hi,

My Spybot definitions are up to date and still found the trojan.

I uninstalled the two programs and installed the latest Adobe Reader.

Here is the DDS.txt:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Smiley at 13:06:42.14 on Mon 07/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.3059 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090713-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINXP\system32\HPZipm12.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\PeoplePC\ISP7130\Browser\Bartshel.exe
C:\WINXP\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINXP\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINXP\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Smiley\Desktop\dds.scr
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PeoplePC\ISP7130\Browser\PPShared.exe
C:\WINXP\system32\SearchProtocolHost.exe
C:\Program Files\PeoplePC\ISP7130\Browser\Bartshel.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://home.peoplepc.com/search
uStart Page = hxxp://home.peoplepc.com/websearch
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant = hxxp://home.peoplepc.com/search
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\winxp\system32\dla\DLASHX_W.DLL
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\people~1\PRPL_I~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Bart Station] c:\program files\peoplepc\isp7130\bin\PPCOLink.exe -STATION
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DLA] c:\winxp\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: azstcu.org
Trusted Zone: peoplepc.com\search
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212268998159
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: {02B7C4C4-CBE2-400B-B476-246D034045CC} = 207.69.188.167 207.69.188.166
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\winxp\system32\drivers\aswSP.sys [2008-8-27 114768]
R2 aswFsBlk;aswFsBlk;c:\winxp\system32\drivers\aswFsBlk.sys [2008-8-27 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-27 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-27 352920]

=============== Created Last 30 ================

2009-07-06 21:15 <DIR> --d----- c:\program files\Trend Micro
2009-07-05 06:21 1,089,593 -c------ c:\winxp\system32\dllcache\ntprint.cat
2009-07-04 13:49 <DIR> --d----- c:\winxp\system32\XPSViewer
2009-07-04 13:49 1,676,288 -c------ c:\winxp\system32\dllcache\xpssvcs.dll
2009-07-04 13:49 597,504 -c------ c:\winxp\system32\dllcache\printfilterpipelinesvc.exe
2009-07-04 13:49 575,488 -c------ c:\winxp\system32\dllcache\xpsshhdr.dll
2009-07-04 13:49 89,088 -c------ c:\winxp\system32\dllcache\filterpipelineprintproc.dll
2009-07-04 13:49 <DIR> --d----- C:\02709b9313bb0dabc8f9a1
2009-07-04 13:49 1,676,288 -------- c:\winxp\system32\xpssvcs.dll
2009-07-04 13:49 575,488 -------- c:\winxp\system32\xpsshhdr.dll
2009-07-04 13:49 117,760 -------- c:\winxp\system32\prntvpt.dll
2009-06-23 03:56 <DIR> --d----- c:\program files\iPod
2009-06-23 03:56 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-22 23:57 <DIR> --d----- c:\program files\Bonjour
2009-06-22 10:55 203,776 a------- c:\winxp\system32\clrviddc.dll

==================== Find3M ====================

2009-05-25 00:24 350,208 a------- c:\winxp\system32\mssph.dll
2009-05-22 08:51 44,944 -------- c:\winxp\system32\drivers\pxhelp20.sys
2009-05-12 22:15 915,456 a------- c:\winxp\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\winxp\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\winxp\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\winxp\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\winxp\system32\rpcrt4.dll
2008-06-17 16:36 32,768 a--sh--- c:\winxp\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052620080602\index.dat
2008-06-17 16:36 32,768 a--sh--- c:\winxp\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061720080618\index.dat

============= FINISH: 13:07:48.53 ===============

Thanks again

Blade81
2009-07-14, 10:31
Hi again,

Upload C:\WINXP\system32\zipfldr.dll file to http://www.virustotal.com and post back the results or a link to the results.


Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read the requirements and privacy statement, then click on the Accept button.
The program will launch and start to download the latest definition files.
You will be prompted to install an application from Kaspersky. Click Run.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
Click on Save Report As....
Change the Files of type to Text file (.txt) before clicking on the Save button.
Save this report to a convenient place.
Copy and paste that information into your topic.

The scan will take a while, so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)


Start hjt, do a system scan, check if found:
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll (file missing)

Close browsers and fix checked.

Reboot and post a fresh hjt log.
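
The "(file missing)" check above is done by eye in this thread. As an added example (not part of this post and not HijackThis code), the following Python script parses lines in the HijackThis v2.0.2 log format and flags the three things a helper usually looks for first: entries whose file no longer exists (orphaned registry keys), a CLSID that shows up in more than one section (here the PeoplePal toolbar is both an O2 BHO and an O3 toolbar, so fixing one line leaves the other), and Run values that give only a bare file name. The sample lines are constructed for the example in the shape of the logs posted in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: HijackThis v2.0.2 lines in the shape of the logs
# posted in this thread. Not a complete log.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://home.peoplepc.com/websearch
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\\Program Files\\PeoplePC\\Toolbar\\PPCToolbar_7.2.0.0.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\\program files\\peoplepc\\toolbar\\ppctoolbar.dll (file missing)
O4 - HKLM\\..\\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: GoToAssist - C:\\Program Files\\Citrix\\GoToAssist\\514\\G2AWinLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# "O2 - BHO: Name - {CLSID} - path", "R0 - key = value", "O4 - HKLM\..\Run: [name] cmd"
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # drive-letter path, optionally quoted


@dataclass
class Entry:
    section: str            # R0, O2, O3, O4, O20, O23, ...
    name: str               # display name, Run value name, or registry value name
    clsid: Optional[str]    # upper-cased CLSID if the line carries one
    path: Optional[str]     # file path, command line, or registry value
    file_missing: bool      # HJT appended "(file missing)"
    raw: str                # the original line, for reporting


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HJT log line; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    file_missing = body.endswith("(file missing)")
    if file_missing:
        body = body[: -len("(file missing)")].rstrip()
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    run_m = RUN_RE.match(body)
    if run_m:
        return Entry(section, run_m.group("name"), None, run_m.group("cmd"), file_missing, line)
    if section.startswith("R") and " = " in body:
        key, value = body.split(" = ", 1)
        return Entry(section, key, None, value, file_missing, line)
    parts = [p.strip() for p in body.split(" - ")]
    name = parts[0].split(": ", 1)[-1]          # drop the "BHO:" / "Toolbar:" type prefix
    path = parts[-1] if len(parts) > 1 else None
    return Entry(section, name, clsid, path, file_missing, line)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Run the three first-pass checks over a log and return findings by category."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings: Dict[str, List[str]] = {"orphaned": [], "linked_clsid": [], "unqualified_run": []}
    by_clsid: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.file_missing:                       # registry key points at a file that is gone
            findings["orphaned"].append(e.raw)
        if e.clsid:
            by_clsid[e.clsid].append(e)
        if e.section == "O4" and e.path and not ABS_PATH_RE.match(e.path):
            findings["unqualified_run"].append(e.raw)   # bare file name resolved via search path
    for clsid, group in by_clsid.items():
        sections = sorted({g.section for g in group})
        if len(sections) > 1:                    # same component registered in several places
            names = ", ".join(g.name for g in group)
            findings["linked_clsid"].append(f"{clsid} appears in {'/'.join(sections)}: {names}")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"== {category} ({len(items)})")
        for item in items:
            print("  " + item)
```

Run it as-is to see the three findings for the sample; point `triage()` at the text of a saved hijackthis.log to run the same checks over a real log. The CLSID grouping is what explains the sequence in this thread: the DDS log showed the toolbar as "TB: {A8FB8EB3-...} - No File" while the BHO with the same CLSID still had its DLL, so the O3 line reappeared with a real path once the toolbar files were back in place.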

sssmiley
2009-07-15, 05:58
Hi,

Here is the virustotal scan:

Antivirus Version Last Update Result
a-squared 4.5.0.22 2009.07.14 -
AhnLab-V3 5.0.0.2 2009.07.14 -
AntiVir 7.9.0.215 2009.07.14 -
Antiy-AVL 2.0.3.1 2009.07.14 -
Authentium 5.1.2.4 2009.07.14 -
Avast 4.8.1335.0 2009.07.14 -
AVG 8.5.0.387 2009.07.14 -
BitDefender 7.2 2009.07.15 -
CAT-QuickHeal 10.00 2009.07.14 -
ClamAV 0.94.1 2009.07.15 -
Comodo 1653 2009.07.15 -
DrWeb 5.0.0.12182 2009.07.14 -
eSafe 7.0.17.0 2009.07.14 -
eTrust-Vet 31.6.6615 2009.07.14 -
F-Prot 4.4.4.56 2009.07.14 -
F-Secure 8.0.14470.0 2009.07.15 -
Fortinet 3.120.0.0 2009.07.14 -
GData 19 2009.07.15 -
Ikarus T3.1.1.64.0 2009.07.14 -
Jiangmin 11.0.706 2009.07.14 -
K7AntiVirus 7.10.792 2009.07.14 -
Kaspersky 7.0.0.125 2009.07.15 -
McAfee 5676 2009.07.14 -
McAfee+Artemis 5676 2009.07.14 -
McAfee-GW-Edition 6.8.5 2009.07.14 -
Microsoft 1.4803 2009.07.14 -
NOD32 4243 2009.07.14 -
Norman 6.01.09 2009.07.14 -
nProtect 2009.1.8.0 2009.07.14 -
Panda 10.0.0.14 2009.07.14 -
PCTools 4.4.2.0 2009.07.14 -
Prevx 3.0 2009.07.15 -
Rising 21.38.14.00 2009.07.14 -
Sophos 4.43.0 2009.07.15 -
Sunbelt 3.2.1858.2 2009.07.14 -
Symantec 1.4.4.12 2009.07.15 -
TheHacker 6.3.4.3.367 2009.07.14 -
TrendMicro 8.950.0.1094 2009.07.14 -
VBA32 3.12.10.8 2009.07.14 -
ViRobot 2009.7.14.1835 2009.07.14 -
VirusBuster 4.6.5.0 2009.07.14 -
Additional information
File size: 338432 bytes
MD5...: c444b433a340c24b51a2dace9d13fc70
SHA1..: 18db98f46fcdfcdd823517cc5a73e209fca138da
SHA256: 32df665a6267231245235cc90cc17bc8f9869642d2d848e6fc8f9a417ba570fd
ssdeep: 6144:so8yrj4nxum0kKU1gEzXlXZqaYmurx5N0cAQA6sS5w:h8yrjWZdgEz5FwzGcAL

PEiD..: -
TrID..: File type identification
DirectShow filter (52.6%)
Windows OCX File (32.2%)
Win32 Executable MS Visual C++ (generic) (9.8%)
Win32 Executable Generic (2.2%)
Win32 Dynamic Link Library (generic) (1.9%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13219
timedatestamp.....: 0x4802a12d (Mon Apr 14 00:11:25 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x33954 0x33a00 6.61 d864c816372a00daff88d150d141db3d
.data 0x35000 0x41bc 0x2600 4.33 09e0199be5b929a0aecf3511b883a249
.rsrc 0x3a000 0x19468 0x19600 5.14 54b99305966f2853a7e341265a8034b4
.reloc 0x54000 0x2fa2 0x3000 5.32 23d75f0953576fadddb7cbbf155859a3

( 9 imports )
> ntdll.dll: RtlUnwind
> KERNEL32.dll: SetCurrentDirectoryW, LeaveCriticalSection, EnterCriticalSection, GetCurrentDirectoryW, RemoveDirectoryW, CreateThread, LocalFree, FormatMessageW, GetLastError, DeleteFileW, CopyFileW, DeleteCriticalSection, InitializeCriticalSection, DisableThreadLibraryCalls, InterlockedIncrement, InterlockedDecrement, FreeLibrary, GetProcAddress, LoadLibraryW, FindNextFileW, CloseHandle, CreateFileW, FileTimeToSystemTime, CreateDirectoryW, CompareFileTime, GetFileTime, lstrcmpiW, GlobalUnlock, GlobalLock, lstrcmpW, lstrcpynW, LocalAlloc, GetCalendarInfoW, TlsSetValue, TlsGetValue, TlsAlloc, TlsFree, GetDiskFreeSpaceExW, MultiByteToWideChar, lstrlenA, GetTempPathW, GetFileSizeEx, GetDriveTypeW, GlobalFree, lstrcpyW, GlobalAlloc, LocalFileTimeToFileTime, SystemTimeToFileTime, SetFileTime, GetFileInformationByHandle, GlobalSize, GetProcessHeap, HeapFree, HeapReAlloc, HeapAlloc, ReadFile, WriteFile, GetCurrentThreadId, GetCommandLineA, GetVersionExA, GetFileAttributesA, SetLastError, ExitProcess, GetModuleHandleA, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, FindFirstFileW, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, GetACP, GetOEMCP, GetCPInfo, UnhandledExceptionFilter, VirtualAlloc, LoadLibraryA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InterlockedExchange, VirtualQuery, VirtualProtect, GetSystemInfo, GetTimeZoneInformation, SetFilePointer, SetStdHandle, FlushFileBuffers, CompareStringA, CompareStringW, SetEnvironmentVariableA, FindClose, GetFileAttributesW, SetFileAttributesW, lstrlenW, ExitThread, GetVolumeInformationA, SetFileAttributesA, CreateDirectoryA, LocalLock, LocalUnlock, lstrcmpiA, IsDBCSLeadByte, FindFirstFileA, FileTimeToDosDateTime, DeleteFileA, GlobalReAlloc, CreateFileA, GetDriveTypeA, GlobalHandle, SetUnhandledExceptionFilter, GetCurrentProcess, GetWindowsDirectoryW, TerminateProcess, GetSystemTimeAsFileTime, QueryPerformanceCounter, DosDateTimeToFileTime, FileTimeToLocalFileTime, GetTickCount, GetModuleFileNameW, lstrcmpA, MoveFileA, SetVolumeLabelA, FindNextFileA, GetDiskFreeSpaceA, RemoveDirectoryA, SetCurrentDirectoryA, GetTempFileNameA, GetCurrentProcessId, GetSystemWindowsDirectoryW, LoadLibraryExA, GetCurrentDirectoryA, GetEnvironmentStrings, GetFullPathNameA, GetFileSize, GetModuleHandleW
> GDI32.dll: GetStockObject, DeleteObject, GetDeviceCaps, CreateFontIndirectW
> USER32.dll: GetSubMenu, GetParent, SetWindowTextW, GetDlgItem, LoadStringW, SetWindowLongW, EndDialog, ShowCursor, DeleteMenu, CreateWindowExW, CharUpperBuffA, CharPrevA, CharNextA, DispatchMessageA, PeekMessageA, CharUpperA, MessageBoxA, GetActiveWindow, CharLowerA, CharToOemBuffA, CharToOemA, OemToCharBuffA, SetDlgItemTextW, GetDesktopWindow, DialogBoxParamW, LoadMenuW, SendDlgItemMessageW, RemoveMenu, GetForegroundWindow, TrackPopupMenu, RegisterClassW, DefWindowProcW, CharNextW, GetWindowLongW, SystemParametersInfoW, GetWindowRect, SetForegroundWindow, GetDlgItemTextW, InsertMenuW, RegisterClipboardFormatW, LoadCursorW, SetCursor, SetMenuDefaultItem, DestroyMenu, GetAsyncKeyState, CheckDlgButton, SetFocus, EnableWindow, GetWindowTextW, PeekMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, MessageBoxW, ShowWindow, IsDlgButtonChecked, DestroyWindow, SendMessageW, PostMessageW
> ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey
> SHELL32.dll: -, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetFolderPathW, SHSetLocalizedName, -, -, -, SHGetFileInfoW, SHGetSpecialFolderPathW, -, DragQueryFileW, -, SHFileOperationW, -, -, -, -, -, -, -, ShellExecuteExW, ShellExecuteW, -, SHGetDesktopFolder, -, SHChangeNotify, SHGetMalloc
> ole32.dll: CreateBindCtx, CoInitializeEx, CoUninitialize, CoCreateInstance, ReleaseStgMedium, OleGetClipboard, CoTaskMemFree, OleSetClipboard
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: wnsprintfW, PathAppendW, StrCpyNW, PathFileExistsW, PathRemoveBlanksW, SHStrDupW, PathFindFileNameW, StrChrW, PathFindExtensionW, PathCompactPathW, StrStrW, PathCombineW, PathCanonicalizeW, PathIsRelativeW, PathIsPrefixW, PathRemoveFileSpecW, PathSkipRootW, PathStripToRootW, -, StrFormatKBSizeW, PathFindFileNameA, StrCmpNIW, -, -, -, -, -, -, -, -, -, PathCommonPrefixW, PathRemoveBackslashW, PathCompactPathExW, StrCatBuffW, StrToIntW, StrRetToBufW

( 6 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, RegisterSendto, RouteTheCall

PDFiD.: -
RDS...: NSRL Reference Data Set
-



And here is the Kaspersky Scan Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 15, 2009 00:15:39
Records in database: 2469057
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 102711
Threat name: 2
Infected objects: 1
Suspicious objects: 2
Duration of the scan: 02:01:09


File name / Threat name / Threats count
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: Hoax.HTML.Secureinvites.b 1
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2

The selected area was scanned.


On the HijackThis System Scan after the Kaspersky scan I found this in the log:
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar_7.2.0.0.dll

I fixed it in HijackThis.

I rebooted the computer and here is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:37 PM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PeoplePC\ISP7300\Browser\Bartshel.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINXP\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINXP\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\PeoplePC\ISP7300\Browser\PPShared.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/websearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINXP\System32\DLA\DLASHX_W.DLL
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar_7.2.0.0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP7300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINXP\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212268998159
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINXP\system32\STacSV.exe

--
End of file - 9307 bytes



Thanks

Blade81
2009-07-15, 11:51
Hi,

Delete this file:
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt

You could open a false positive (fp) topic here (http://forums.spybot.info/forumdisplay.php?f=16) since C:\WINXP\system32\zipfldr.dll appears to be an fp.

Blade81
2009-07-22, 23:47
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.