Page 4 of 7 (results 31 to 40 of 63)

Thread: I get popups and Trojans, AVG and S&B don't remove them, or they reappear

  #31 miekiemoes (Visiting Fellow; Belgium; joined Oct 2005; 252 posts)

    Hi,

    Can you also post a new HijackThis log please?

    Concerning your Security center complaining about your Antivirus, make sure it's up to date (Your AVG).
    Also, I recommend you install a desktop Firewall instead of using the Windows Firewall, because the Windows Firewall is not powerful enough.
    Take a look at this link for the firewalls I recommend: http://users.telenet.be/bluepatchy/m...html#Firewalls

    You were dealing with A LOT of infections including backdoors - for which you feared.
    That's why I suggest you change all your passwords.

    Also, I am a bit disappointed that you already had AVG Antivirus installed and it actually didn't find/remove that much, because when I look at the Combofix log, it still deleted a LOT of malware afterwards.

    There's still another thing I would like to check though.

    Download and save BlackLight to your desktop.
    F-Secure BlackLight: https://europe.f-secure.com/blacklight/try.shtml
    (fsbl.exe - graphical user interface)
    Double-click fsbl.exe, then accept the agreement.
    Click > Scan, then > Next.
    You'll see a list of all items found (if any), so don't worry if it tells you that there were no files found.
    In case hidden files were found, don't choose to rename yet! I want to see the log first, because legitimate items can also be present there...
    There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
    Post the contents of the log in your next reply as well...

  #32 Member (New Zealand; joined May 2007; 60 posts)
    Subject: well...

    In all fairness, I didn't install AVG until AFTER I started to have problems.

  #33 miekiemoes (Visiting Fellow; Belgium; joined Oct 2005; 252 posts)

    Then it looks like you never scanned with it previously after you got infected, because as I already said, it's hard to believe that AVG didn't delete so much of the malware present...

  #34 Member (New Zealand; joined May 2007; 60 posts)
    Subject: Yea, I'm a dick

    Ok, I'm not sure what's going on anymore... is all this working, or is it likely I'll have to reformat? Here are the latest logs you need.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:18:27 p.m., on 11/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1177964292875
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by19fd.bay19.hotmail.msn.com/...x/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    06/11/07 22:11:33 [Info]: BlackLight Engine 1.0.61 initialized
    06/11/07 22:11:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/11/07 22:11:33 [Note]: 7019 4
    06/11/07 22:11:33 [Note]: 7005 0
    06/11/07 22:11:37 [Note]: 7006 0
    06/11/07 22:11:37 [Note]: 7011 3188
    06/11/07 22:11:37 [Note]: 7026 0
    06/11/07 22:11:37 [Note]: 7026 0
    06/11/07 22:11:38 [Note]: FSRAW library version 1.7.1021
    06/11/07 22:11:40 [Info]: Hidden file: c:\sccfg.sys
    06/11/07 22:11:40 [Note]: 10002 1
    06/11/07 22:11:42 [Note]: 7006 0
    06/11/07 22:11:42 [Note]: 7011 3188
    06/11/07 22:11:42 [Note]: 7026 0
    06/11/07 22:11:42 [Note]: 7026 0
    06/11/07 22:11:44 [Note]: FSRAW library version 1.7.1021
    06/11/07 22:11:44 [Info]: Hidden file: c:\sccfg.sys
    06/11/07 22:11:44 [Note]: 10002 1
    06/11/07 22:37:41 [Note]: 7007 0
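
The HijackThis log above is a fixed line-oriented format, and a helper's first pass over it is a triage: which entries are persistence points (O4 autoruns, O20 AppInit_DLLs / Winlogon Notify, O23 services), which touch network settings (R1 proxy, O17 DNS NameServer), and which still reference a binary that is gone ("(file missing)"). The following Python parser is an added example written for this page, not code from the thread or from HijackThis; the section grouping is my own triage assumption, and the sample log is constructed from a few lines of the log posted above.

```python
import re
from collections import defaultdict

# A HijackThis entry is "<section> - <description>", e.g. "O17 - HKLM\...: NameServer = ...".
ENTRY_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")

# Grouping used for the first pass (my assumption for triage, not HijackThis's own scheme):
PERSISTENCE = {"O4": "autorun", "O20": "AppInit_DLLs / Winlogon Notify", "O23": "service"}
NETWORK = {"R1": "Internet Settings / proxy", "O17": "DNS NameServer"}

def parse_hjt(text):
    """Return (section, description) tuples; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Bucket entries a helper reviews first: persistence points, network settings, orphaned references."""
    findings = defaultdict(list)
    for section, desc in entries:
        if "(file missing)" in desc:      # registry still points at a binary that is gone
            findings["orphaned"].append(f"{section} - {desc}")
        if section in PERSISTENCE:
            findings["persistence"].append(f"{section} - {desc}")
        if section in NETWORK:
            findings["network"].append(f"{section} - {desc}")
    return dict(findings)

def nameservers(entries):
    # DNS servers from O17 entries, to compare against the ISP's expected resolvers.
    servers = []
    for section, desc in entries:
        if section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", desc)
            if m:
                servers.extend(m.group(1).split(","))
    return servers

# Constructed sample: a handful of lines in the same format as the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F5A8DAA-D9CB-45B8-B519-C1F3D46ECCBF}: NameServer = 202.74.207.10,202.74.207.100
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the three buckets; the O17 servers from `nameservers()` are what you would check against the resolvers your ISP actually hands out.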


  #35 miekiemoes (Visiting Fellow; Belgium; joined Oct 2005; 252 posts)

    Hi,

    No need to reformat. The malware you were dealing with was not that nasty and we could deal with it without any problems. But I always recommend changing passwords after being infected.
    Your logs look ok again.
    As I already explained previously, the hidden file c:\sccfg.sys is related to FolderLock, so don't worry about that one.

    How are things now?

  #36 Member (New Zealand; joined May 2007; 60 posts)
    Subject: Hey Thanks

    Everything seems to be running good.
    What harm can someone do with the passwords for my email and logins? I don't bank online, although I have used my credit card once not too long ago to order some records/vinyl online... should I call the bank and change that?
    Do you think my PC is now safe and is AVG Free + Spybot enough to keep me safe? I went to the link you gave me for firewalls and downloaded one, I clicked 'run' on the d/l prompt but I never got an install prompt, so, I guess I might need to redo that, do you think?
    AND..............Thanks so much, it is so good to know there are people like you in the world who don't EXPECT a C/C number.
    I'm doing a scan with AVG trial and it's picked up a few things, but they look like legitimate entries.
    Would you like to look at logs from any particular scan programmes before I let you go, to be sure... or do you think I am safe? You are the expert, so I will trust what you say.
    Thanks again, Sincerely, David

  #37 miekiemoes (Visiting Fellow; Belgium; joined Oct 2005; 252 posts)

    > What harm can someone do with the passwords for my email and logins?
    Well, if they could gather your username and password, they can just change your password so you won't have access to it anymore.
    > I don't bank online, although I have used my credit card once not too long ago to order some records/vinyl online... should I call the bank and change that?
    You should be ok here.

    > I went to the link you gave me for firewalls and downloaded one, I clicked 'run' on the d/l prompt but I never got an install prompt
    I don't know which one you tried to download, but I always save the installer on my desktop and then run it from there...
    > I'm doing a scan with AVG trial and it's picked up a few things, but they look like legitimate entries.
    Yes, let me know what it is finding...

  #38 Member (New Zealand; joined May 2007; 60 posts)
    Subject: AVG Scan

    It found these and says action taken (deleted):

    TrackingCookie.Addynamix
    TrackingCookie.Casalmedia
    TrackingCookie.Doubleclick
    TrackingCookie.Fastclick
    TrackingCookie.2o7
    TrackingCookie.Msn
    TrackingCookie.Tribalfusion

    Do you think I'm good to go... If you like, you can add me on MSN, I would like to learn more from you. You have been really, really awesome.
    Dj_Ruckus01 AT hotmail.com
    Last edited by miekiemoes; 2007-06-11 at 16:21.

  #39 miekiemoes (Visiting Fellow; Belgium; joined Oct 2005; 252 posts)

    Hi,

    Please don't worry about tracking cookies. You'll always get them and they will always return. This just depends on what sites you visit.
    Everyone has them. They are even present on the MSN start page, Yahoo start page...
    You may also want to read the following:
    http://www.spywareinfo.com/articles/cookies/
    http://www.mvps.org/winhelp2002/cookies.htm

    If you want to manage your cookies, you can use the following programs:

    For Internet explorer: CookieWall

    For Firefox: CookieSafe

    Keep in mind that you're not supposed to block every cookie, because some cookies are required.
    Most people don't use an additional cookie manager, because it may be annoying in some cases to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.

    I've "munged" your mail address, because it's a bad idea to post mail addresses in public, since spambots may harvest your address and send you spam - unless you like spam :P

    Thank you for the MSN offer, but I don't use instant messengers anymore, since I don't have the time for it anyway (too busy with helping people and analyzing malware).

    Yes, your system should be ok now. Glad I could help.

    Please read my Prevention page with lots of info and tips on how to prevent this in the future.
    And if you want to improve speed/system performance after malware removal, take a look here.

    Happy Surfing again!

  #40 Member (New Zealand; joined May 2007; 60 posts)
    Subject: Just A Thankyou

    Thankyou
