There's something hiding in here somewhere



dowdtim
2010-06-16, 21:50
Hello,

I'm sure there's something hiding on my PC. Can't quite put my finger on it, but something doesn't feel right.

Symptoms:
- Internet explorer (or rather the first-use wizard, as I use Firefox) often randomly appears
- Some new names appearing on the process list

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tim at 20:45:23.76 on 16/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1770 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\SDL International\License Server\Lmgrd.exe
C:\Program Files\O2 Assistant\bin\sprtsvc.exe
C:\Program Files\SDL International\License Server\Lmgrd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\O2 Assistant\bin\tgsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\program files\windows live\messenger\msnmsgr .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\o2 assistant\bin\sprtcmd .exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\documents and settings\tim\application data\zdrvj.exe
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dhatedi] rundll32.exe "c:\windows\mtervcn.dll",Startup
uRun: [userini] c:\windows\system32\userini.exe
uRun: [MSConfig] c:\documents and settings\tim\ery.exe \u
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [userini] c:\windows\system32\userini.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [O2DA] "c:\program files\o2 assistant\bin\sprtcmd.exe" /P O2DA
uExplorerRun: [userini] c:\windows\system32\userini.exe
mExplorerRun: [userini] c:\windows\system32\userini.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HP Digital Imaging Monitor.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
uPolicies-explorer: GreyMSIAds = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: adecco.com\*.xpert
Trusted Zone: ketsujin.com\fighterace
Trusted Zone: ketsujin.com\primary
Trusted Zone: ketsujin.com\update
Trusted Zone: ketsujin.com\www
Trusted Zone: o2.co.uk\*.broadband
Trusted Zone: stormofaces.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145652825717
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: PRISMAPI.DLL - PRISMAPI.DLL
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\o4yrvs9c.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2006-5-30 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2006-5-30 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-13 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-13 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-13 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-3-22 61526]
R2 SDL FLEXlm License Server;SDL FLEXlm License Server;c:\program files\sdl international\license server\lmgrd.exe [2008-7-1 1372160]
R2 sprtsvc_O2DA;SupportSoft Sprocket Service (O2DA);c:\program files\o2 assistant\bin\sprtsvc.exe [2010-4-23 206120]
R2 tgsrvc_O2DA;SupportSoft Repair Service (O2DA);c:\program files\o2 assistant\bin\tgsrvc.exe [2010-4-23 185640]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-10-3 30560]
S1 txnzeedo;txnzeedo;\??\c:\windows\system32\drivers\txnzeedo.sys --> c:\windows\system32\drivers\txnzeedo.sys [?]
S2 CoLinuxDriver;CoLinuxDriver;\??\c:\program files\colinux\linux.sys --> c:\program files\colinux\linux.sys [?]
S2 gupdate1c999314d0ec792;Google Update Service (gupdate1c999314d0ec792);c:\program files\google\update\GoogleUpdate.exe [2009-2-28 133104]
S3 fweobdsz;fweobdsz;\??\c:\windows\system32\drivers\fweobdsz.sys --> c:\windows\system32\drivers\fweobdsz.sys [?]
S3 hbvxvacg;hbvxvacg;\??\c:\windows\system32\drivers\hbvxvacg.sys --> c:\windows\system32\drivers\hbvxvacg.sys [?]
S3 lknoaqbz;lknoaqbz;\??\c:\windows\system32\drivers\lknoaqbz.sys --> c:\windows\system32\drivers\lknoaqbz.sys [?]
S3 SaxNDIS;Ax3soft Packet Driver (SaxNDIS);c:\windows\system32\drivers\SAXNDIS.sys [2010-3-3 35840]
S3 sjvqlqcy;sjvqlqcy;\??\c:\windows\system32\drivers\sjvqlqcy.sys --> c:\windows\system32\drivers\sjvqlqcy.sys [?]
S3 snxfvsxq;snxfvsxq;\??\c:\windows\system32\drivers\snxfvsxq.sys --> c:\windows\system32\drivers\snxfvsxq.sys [?]
S3 sqshnbwi;sqshnbwi;\??\c:\windows\system32\drivers\sqshnbwi.sys --> c:\windows\system32\drivers\sqshnbwi.sys [?]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2005-5-15 24576]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [2006-8-7 28704]
S3 Wsetc_xorcn;Wsetc_xorcn; [x]

=============== Created Last 30 ================

2010-06-11 17:24:28 0 d-----w- c:\windows\system32\MpEngineStore
2010-06-11 14:29:43 0 d-----w- c:\program files\O2 Assistant
2010-06-11 14:22:34 0 d-----w- c:\docume~1\alluse~1\applic~1\O2
2010-06-10 22:20:29 220 ----a-w- c:\windows\system32\MRT.INI
2010-06-10 18:39:23 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-01 16:35:36 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-01 16:35:36 1409 ----a-w- c:\windows\QTFont.for
2010-05-29 13:19:39 0 d-----w- C:\Programme
2010-05-22 17:01:06 0 d-----w- c:\docume~1\tim\applic~1\Foxit Software

==================== Find3M ====================

2010-06-16 18:20:48 27648 ----a-w- c:\windows\system32\userini.exe
2010-06-15 16:54:20 27648 ----a-w- c:\documents and settings\tim\rundll32.exe
2010-06-15 16:54:19 27648 ----a-w- c:\documents and settings\tim\ery.exe
2010-06-11 17:24:27 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-06-02 20:52:51 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-18 15:54:27 27648 ----a-w- c:\documents and settings\tim\ery .exe
2010-05-17 18:18:55 27648 ----a-w- c:\windows\system32\userini .exe
2010-05-16 22:09:19 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-16 22:09:19 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-07 15:17:12 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe
2010-05-07 15:17:12 1033728 ----a-w- c:\windows\explorer.exe
2010-05-06 16:55:09 45568 ---h--w- c:\windows\system32\secupdat.dat
2010-05-06 16:55:09 45568 ---h--w- c:\documents and settings\tim\secupdat.dat
2010-05-06 16:36:23 1033728 ----a-w- c:\windows\explorer .exe
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 03:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2010-04-05 16:27:53 737280 ----a-w- c:\windows\iun6002.exe
2010-04-03 21:45:41 27648 ----a-w- c:\documents and settings\tim\rundll32 .exe
2010-03-26 00:09:14 72192 ----a-w- c:\windows\system32\tasklist.exe
2008-06-13 17:55:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061320080614\index.dat

============= FINISH: 20:46:45.67 ===============


Attach.txt is in the attached .zip file.


Thank you in advance for the help.

Regards,
Tim

Dakeyras
2010-06-19, 00:37
Hi,

I have bad news I'm afraid. :sad:

One or more of the identified infections is a Backdoor Trojan.

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.

dowdtim
2010-06-19, 22:58
Hello,

Many thanks for the warning.

I'll get on with a complete re-format immediately.

Luckily, as I had a funny feeling, I haven't used this PC for my bank account in a while.

Card transactions I have done on here, however. I'll have a think about that one.

Now, where did I put that Dell CD..............?

Out of interest, what was it, specifically, in my original post which highlighted the Backdoor Trojan infection to you??

Best regards,
Tim

Dakeyras
2010-06-20, 16:33
Hi. :)


> Many thanks for the warning.

You're welcome!


> Out of interest, what was it, specifically, in my original post which highlighted the Backdoor Trojan infection to you??

There are several serious infections on-board:-

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Unruy.C#techdetails_link

http://www.threatexpert.com/report.aspx?md5=54fb4d0420f6aee582abb4a5ff87711a

To name but a few and undoubtedly more that have not been identified. As to how your machine became infected the P2P application you have installed is the most likely culprit.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
It's also very important to avoid any "cracks" or "Keygens" that allow unauthorized use of programs. Besides being illegal, these files also are loaded with "planted" malware.

Would you like some further advice with regard to a reformat and reinstallation of the Windows operating system and some online safety advice?
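As an added illustration of what a helper looks for in a log like the one above (this is not Dakeyras's or the forum's own tooling), the script below runs a set of triage checks over lines copied from the DDS output: the space-before-extension names such as "msnmsgr .exe", the non-default Winlogon Taskman value, the AppInit_DLLs entry, the disabled-registry-tools policy, stopped drivers whose files are missing, and system binary names copied into the user profile or misspelt (userini.exe beside the real userinit.exe). The rule names, the SYSTEM_NAMES list and the benign control lines are my own choices; the flagged lines are taken verbatim from the post.

```python
import re

# Constructed sample: lines copied from the DDS log posted above, mixed with a
# few benign ones (Userinit, the AVG driver, RealPlayer's scheduler) as controls.
SAMPLE_LOG = [
    r"C:\program files\windows live\messenger\msnmsgr .exe",
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe",
    r"mWinlogon: Taskman=c:\documents and settings\tim\application data\zdrvj.exe",
    r'uRun: [Dhatedi] rundll32.exe "c:\windows\mtervcn.dll",Startup',
    r"uRun: [userini] c:\windows\system32\userini.exe",
    r'mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot',
    r"uPolicies-system: DisableRegistryTools = 1 (0x1)",
    r"AppInit_DLLs: app_dll.dll",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-13 216200]",
    r"S3 hbvxvacg;hbvxvacg;\??\c:\windows\system32\drivers\hbvxvacg.sys --> c:\windows\system32\drivers\hbvxvacg.sys [?]",
    r"2010-06-15 16:54:20 27648 ----a-w- c:\documents and settings\tim\rundll32.exe",
]

# Names Windows itself uses; a copy elsewhere, or a near-miss spelling, is suspect.
SYSTEM_NAMES = {"userinit.exe", "rundll32.exe", "explorer.exe", "svchost.exe",
                "ctfmon.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\dllcache"}
EXE_PATH = re.compile(r'[a-z]:\\[^"\n]*?\.exe\b', re.I)

RULES = [
    # "msnmsgr .exe" sits next to the real msnmsgr.exe and is easy to overlook.
    ("space-before-extension", re.compile(r"\S \.(?:exe|dll|sys|scr)\b", re.I)),
    # Winlogon\Taskman is empty on a stock XP install.
    ("winlogon-taskman-set", re.compile(r"^mWinlogon: Taskman=\S", re.I)),
    # AppInit_DLLs is loaded into every process that links user32.dll.
    ("appinit-dll-set", re.compile(r"^AppInit_DLLs: \S", re.I)),
    # Regedit disabled by policy is a common self-protection measure.
    ("regedit-disabled", re.compile(r"DisableRegistryTools = 1\b", re.I)),
    # Stopped driver whose file is gone ("[?]"): dropper leftovers look like this.
    ("driver-file-missing", re.compile(r"^S\d \S+;\S+;.*\[\?\]\s*$", re.I)),
    # rundll32 loading a DLL that sits directly in %windir% rather than system32.
    ("rundll32-windir-root-dll",
     re.compile(r'rundll32\.exe "?c:\\windows\\[^\\"]+\.dll"?,', re.I)),
]

def one_edit_away(a, b):
    """True when a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
        else:
            edits += 1
            if edits > 1:
                return False
            if len(a) == len(b):
                i += 1
        j += 1
    return True

def scan_line(line):
    """Return the rule names that fire on one DDS log line."""
    hits = [name for name, rx in RULES if rx.search(line)]
    for path in EXE_PATH.findall(line):
        parts = path.lower().split("\\")
        base, folder = parts[-1], "\\".join(parts[:-1])
        if base in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            hits.append("system-name-outside-windir")
        elif any(one_edit_away(base, n) for n in SYSTEM_NAMES):
            hits.append("system-name-lookalike")
    return hits

def scan_log(lines):
    """Group the offending log lines under each rule that fired."""
    report = {}
    for line in lines:
        for rule in scan_line(line.rstrip()):
            report.setdefault(rule, []).append(line.strip())
    return report
```

Running scan_log over a full DDS.txt gives a first-pass list to hand to a human; the three control lines produce no findings, while every other sample line trips exactly one rule.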

dowdtim
2010-06-21, 19:23
Hello,

Being a relative amateur, I didn't understand much of the stuff in those links, but the overall picture was clear - not a very nice infection.

I've now re-formatted the computer. Incidentally, the only recovery CD we have at home is the one for my other-half's Dell laptop... Which is a German version. So I now have German windows! My German's not too bad though, so no loss.

Only other hiccup is my Wireless adaptor not working - very strange indeed. Currently have a cable trailing through the house until that one's solved!

I have done the following things to protect my PC:
- Installed Free AVG
- Installed Spybot and have immunised everything
- Installed the latest windows updates
- Windows firewall turned on

Is there anything else that you would recommend? On that same note, the information you've offered there would be very welcome.

With regard to how I got infected, I rarely use those P2P programmes. It's likely to be, therefore, cracks for various stuff and/or looking for forums for rapidshare links. I shall use much more restraint in future.

Many thanks again for the swift diagnosis and I'll be donating a few bob to the Spybot-pot.

Best regards,
Tim

Dakeyras
2010-06-21, 23:30
Hi. :)


> Many thanks again for the swift diagnosis and I'll be donating a few bob to the Spybot-pot.

You're welcome and I am sure it would be appreciated.


> I didn't understand much of the stuff in those links, but the overall picture was clear - not a very nice infection.

Aye indeed.


> I've now re-formatted the computer. Incidentally, the only recovery CD we have at home is the one for my other-half's Dell laptop... Which is a German version. So I now have German windows! My German's not too bad though, so no loss.

Technically that is not legal as far as I am aware; however, you must have activated Windows or you would not have been able to download/install any updates etc.

To be on the safe side I would validate windows (http://www.microsoft.com/genuine/downloads/SuccessfulActivation.aspx?displaylang=en&Error=0&sGuid=22bf60dd-d89a-4c13-a527-e5f6d8c576f7) and you may need to contact Microsoft and actually purchase a product licence.


> Is there anything else that you would recommend? On that same note, the information you've offered there would be very welcome.

What you have is fine and the below will complement your current security:-

Malwarebytes' Anti-Malware - Download it from here (http://www.malwarebytes.org/mbam-download.php)

The tutorial on how to use MBAM is located here (http://thespykiller.co.uk/index.php?PHPSESSID=12a63a8f9a27c9b153f67c04a5c10955&topic=5946.0)

Install WinPatrol - Download it from here (http://www.winpatrol.com/download.html)

You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Keep your system updated - Microsoft releases patches for Windows and other products regularly:

I advise you to visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
Install the ActiveX control.
Once installed it will advise you to set Auto-Updates if not set, and then you will be able to manually check for updates also via:
Start >> All Programs >> Microsoft Updates

Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge (http://sourceforge.net/) or Pricelessware (http://www.pricelesswarehome.org/).

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript (http://www.symantec.com/avcenter/noscript.exe) by Symantec or Script Defender (http://www.analogx.com/contents/download/system/sdefend.htm) by AnalogX to handle these scripts.

Next:

This is an excellent resource I recommend reading:- How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)

Importance of Regular System Maintenance:

I advise you to read both of the below listed topics as this will go a long way to keeping your Computer performing well after the format and the reinstallation of the Windows operating system.

Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

As is this:

What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)


> With regard to how I got infected, I rarely use those P2P programmes. It's likely to be, therefore, cracks for various stuff and/or looking for forums for rapidshare links. I shall use much more restraint in future.

Well I still stand by my former advice concerning such. Any questions feel free to ask, if not stay safe!

Dakeyras
2010-06-23, 12:40
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.