Thread: Infected with Trojan Horse; am I clean?

  #1 - Member (Join Date: Feb 2009, Posts: 45)

    Infected with Trojan Horse; am I clean?

    I noticed two days ago that my AVG 8.5 had stopped performing its daily scan as it's set to do. It had been nearly 2 weeks. When I opened the interface and clicked the "overview" tab, it said "there are no active components", and the program would not allow me to update. I redownloaded AVG 8.5 and it was working properly. I updated and performed a full scan, returning zero results. Yesterday it DID NOT automatically perform a scan for some reason, and then this morning it DID perform a scan, returning one infection, "Trojan Horse Downloader.Generic8.AJIL". It said the infection was healed. Now, the problem before with it showing no active components and not allowing me to update is back again (problem with the program, or product of the virus?). I updated and performed a scan with MBAM, returning zero results, and overall the computer seems to be running perfectly. I'm running XP SP3, AVG 8.5, MBAM, Spyware Blaster, & Online Armor. Registry has been backed up and here is the HJT log, thanks in advance:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:49 AM, on 5/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Tall Emu\Online Armor\oacat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Tall Emu\Online Armor\OAui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {0f02af4e-34c6-4072-9943-cd722ea0fb3d} - (no file)
    O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {B43A4B2F-12BF-4C30-8C96-690574AF4E3D} - (no file)
    O2 - BHO: (no name) - {cca082d2-b67c-415c-883c-9c22cfffd418} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\OAui.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: tuvSjJcC - C:\WINDOWS\
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    --
    End of file - 5468 bytes

  #2 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  #3 - Member (Join Date: Feb 2009, Posts: 45)

    Thanks:


    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Matt at 10:25:52.18 on Sat 05/23/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.64 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Tall Emu\Online Armor\oacat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Tall Emu\Online Armor\OAui.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Matt\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
    BHO: {0f02af4e-34c6-4072-9943-cd722ea0fb3d} - No File
    BHO: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - No File
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {B43A4B2F-12BF-4C30-8C96-690574AF4E3D} - No File
    BHO: {cca082d2-b67c-415c-883c-9c22cfffd418} - No File
    TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
    mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\OAui.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\matt\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\75zeoy3f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 325896]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-26 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-7 196688]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-2-7 31824]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-2-7 29776]
    R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-2-7 361160]
    R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-2-7 3049160]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 298776]

    =============== Created Last 30 ================

    2009-05-21 14:44 <DIR> --dsh--- c:\documents and settings\matt\IETldCache
    2009-05-21 14:40 <DIR> --d----- c:\windows\ie8updates
    2009-05-21 14:40 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-05-21 14:39 <DIR> -cd-h--- c:\windows\ie8
    2009-05-16 12:49 <DIR> --d----- c:\program files\iPod
    2009-05-16 12:49 <DIR> --d----- c:\program files\iTunes
    2009-05-16 12:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-05-16 12:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-28 09:36 <DIR> --d----- c:\docume~1\matt\applic~1\Blitware

    ==================== Find3M ====================

    2009-05-05 09:57 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-05-05 09:57 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-05-05 09:57 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-04-16 06:35 29,776 a------- c:\windows\system32\drivers\OAnet.sys
    2009-04-16 05:49 31,824 a------- c:\windows\system32\drivers\OAmon.sys
    2009-04-16 05:49 196,688 a------- c:\windows\system32\drivers\OADriver.sys
    2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
    2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
    2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
    2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
    2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
    2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
    2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
    2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
    2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll

    ============= FINISH: 10:27:29.60 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-05-14.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskDmVolumes\Matt-fcf9487023Dg0\Volume1
    Install Date: 3/18/2007 7:16:29 PM
    System Uptime: 5/23/2009 10:03:08 AM (0 hours ago)

    Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7142
    Processor: AMD Sempron(tm) Processor 2600+ | Socket 940 | 1599/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 190 GiB total, 159.53 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: VIA Compatable Fast Ethernet Adapter
    Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_71421462&REV_78\3&13C0B0C5&0&90
    Manufacturer: VIA Technologies, Inc.
    Name: VIA Compatable Fast Ethernet Adapter
    PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_71421462&REV_78\3&13C0B0C5&0&90
    Service: FETNDIS

    ==== System Restore Points ===================

    RP24: 2/23/2009 1:46:22 AM - System Checkpoint
    RP25: 2/24/2009 2:30:14 AM - System Checkpoint
    RP26: 2/25/2009 2:36:04 AM - System Checkpoint
    RP27: 2/25/2009 8:22:29 AM - Software Distribution Service 3.0
    RP28: 2/26/2009 9:09:55 AM - System Checkpoint
    RP29: 2/27/2009 10:20:30 AM - System Checkpoint
    RP30: 2/28/2009 10:49:38 AM - System Checkpoint
    RP31: 3/1/2009 12:34:34 PM - System Checkpoint
    RP32: 3/2/2009 1:26:04 PM - System Checkpoint
    RP33: 3/3/2009 1:40:23 PM - System Checkpoint
    RP34: 3/4/2009 1:46:19 PM - System Checkpoint
    RP35: 3/4/2009 5:32:07 PM - Avg8 Update
    RP36: 3/5/2009 5:57:35 PM - System Checkpoint
    RP37: 3/6/2009 6:39:25 PM - System Checkpoint
    RP38: 3/7/2009 6:50:53 PM - System Checkpoint
    RP39: 3/8/2009 7:37:22 PM - System Checkpoint
    RP40: 3/9/2009 8:35:40 PM - System Checkpoint
    RP41: 3/10/2009 9:35:14 PM - System Checkpoint
    RP42: 3/11/2009 4:39:20 PM - Software Distribution Service 3.0
    RP43: 3/12/2009 5:00:55 PM - System Checkpoint
    RP44: 3/13/2009 2:00:13 AM - Software Distribution Service 3.0
    RP45: 3/14/2009 2:15:14 AM - System Checkpoint
    RP46: 3/15/2009 4:10:11 AM - System Checkpoint
    RP47: 3/16/2009 4:44:27 AM - System Checkpoint
    RP48: 3/17/2009 5:09:24 AM - System Checkpoint
    RP49: 3/18/2009 5:29:13 AM - System Checkpoint
    RP50: 3/18/2009 8:36:04 AM - Avg8 Update
    RP51: 3/19/2009 10:09:48 AM - System Checkpoint
    RP52: 3/20/2009 10:44:48 AM - System Checkpoint
    RP53: 3/21/2009 11:18:15 AM - System Checkpoint
    RP54: 3/22/2009 11:32:22 AM - System Checkpoint
    RP55: 3/23/2009 11:40:14 AM - System Checkpoint
    RP56: 3/24/2009 12:51:02 PM - System Checkpoint
    RP57: 3/25/2009 1:47:46 PM - System Checkpoint
    RP58: 3/26/2009 8:54:38 AM - Removed AVG Free 8.0
    RP59: 3/26/2009 8:55:18 AM - Installed AVG Free 8.0
    RP60: 3/26/2009 8:59:36 AM - Installed AVG Free 8.5
    RP61: 3/26/2009 9:00:51 AM - Installed AVG Free 8.5
    RP62: 3/26/2009 9:54:22 AM - Avg8 Update
    RP63: 3/27/2009 10:19:46 AM - System Checkpoint
    RP64: 3/28/2009 12:10:46 PM - System Checkpoint
    RP65: 3/29/2009 12:30:27 PM - System Checkpoint
    RP66: 3/30/2009 1:04:51 PM - System Checkpoint
    RP67: 3/31/2009 1:40:53 PM - System Checkpoint
    RP68: 4/1/2009 8:56:48 AM - Software Distribution Service 3.0
    RP69: 4/2/2009 9:29:07 AM - System Checkpoint
    RP70: 4/2/2009 4:49:00 PM - Installed Windows XP WgaNotify.
    RP71: 4/3/2009 5:16:49 PM - System Checkpoint
    RP72: 4/4/2009 5:37:48 PM - System Checkpoint
    RP73: 4/5/2009 5:57:12 PM - System Checkpoint
    RP74: 4/6/2009 8:32:10 AM - Avg8 Update
    RP75: 4/7/2009 8:43:03 AM - System Checkpoint
    RP76: 4/8/2009 8:59:26 AM - System Checkpoint
    RP77: 4/9/2009 9:36:26 AM - System Checkpoint
    RP78: 4/10/2009 9:06:05 AM - Avg8 Update
    RP79: 4/11/2009 9:39:01 AM - System Checkpoint
    RP80: 4/12/2009 12:27:13 PM - System Checkpoint
    RP81: 4/13/2009 12:37:02 PM - System Checkpoint
    RP82: 4/14/2009 2:28:23 PM - System Checkpoint
    RP83: 4/15/2009 3:00:14 AM - Software Distribution Service 3.0
    RP84: 4/16/2009 3:44:46 AM - System Checkpoint
    RP85: 4/16/2009 8:30:10 AM - Avg8 Update
    RP86: 4/17/2009 9:51:49 AM - System Checkpoint
    RP87: 4/18/2009 9:56:55 AM - System Checkpoint
    RP88: 4/19/2009 10:43:35 AM - System Checkpoint
    RP89: 4/20/2009 10:51:49 AM - System Checkpoint
    RP90: 4/21/2009 11:23:23 AM - System Checkpoint
    RP91: 4/22/2009 11:30:46 AM - System Checkpoint
    RP92: 4/23/2009 11:42:59 AM - System Checkpoint
    RP93: 4/24/2009 12:03:42 PM - System Checkpoint
    RP94: 4/25/2009 12:28:10 PM - System Checkpoint
    RP95: 4/26/2009 12:46:59 PM - System Checkpoint
    RP96: 4/28/2009 12:29:40 AM - System Checkpoint
    RP97: 4/29/2009 1:07:33 AM - System Checkpoint
    RP98: 4/30/2009 2:07:04 AM - System Checkpoint
    RP99: 5/1/2009 2:09:55 AM - System Checkpoint
    RP100: 5/2/2009 8:51:04 AM - System Checkpoint
    RP101: 5/3/2009 9:35:40 AM - System Checkpoint
    RP102: 5/4/2009 10:08:50 AM - System Checkpoint
    RP103: 5/5/2009 9:56:28 AM - Avg8 Update
    RP104: 5/5/2009 9:57:29 AM - Avg8 Update
    RP105: 5/6/2009 10:11:26 AM - System Checkpoint
    RP106: 5/7/2009 10:26:35 AM - System Checkpoint
    RP107: 5/8/2009 10:30:23 PM - System Checkpoint
    RP108: 5/9/2009 11:20:06 PM - System Checkpoint
    RP109: 5/10/2009 11:59:37 PM - System Checkpoint
    RP110: 5/12/2009 12:58:30 AM - System Checkpoint
    RP111: 5/13/2009 1:58:30 AM - System Checkpoint
    RP112: 5/13/2009 8:48:26 AM - Software Distribution Service 3.0
    RP113: 5/14/2009 10:35:49 AM - System Checkpoint
    RP114: 5/15/2009 10:58:19 AM - System Checkpoint
    RP115: 5/16/2009 12:50:01 PM - Installed iTunes
    RP116: 5/17/2009 12:58:19 PM - System Checkpoint
    RP117: 5/18/2009 1:58:21 PM - System Checkpoint
    RP118: 5/19/2009 1:03:37 PM - Configured AVG Free 8.5
    RP119: 5/20/2009 1:42:56 PM - System Checkpoint
    RP120: 5/21/2009 2:18:39 PM - System Checkpoint
    RP121: 5/21/2009 2:36:42 PM - Software Distribution Service 3.0
    RP122: 5/22/2009 9:39:00 AM - Configured AVG Free 8.5
    RP123: 5/22/2009 9:28:52 PM - Configured AVG Free 8.5
    RP124: 5/22/2009 9:37:26 PM - Configured AVG Free 8.5

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    AOL Instant Messenger
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    AVG Free 8.5
    Bonjour
    Critical Update for Windows Media Player 11 (KB959772)
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    ERUNT 1.1j
    FoxyTunes for Firefox
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    iTunes
    Java(TM) 6 Update 11
    Malwarebytes' Anti-Malware
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.10)
    Online Armor 3.5
    Platform
    QuickTime
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB963027)
    Spybot - Search & Destroy
    SpywareBlaster 4.1
    UltimateBet
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VIA Platform Device Manager
    VIA Vinyl Audio Codecs Driver Setup Program
    VIA/S3G Display Driver 6.14.10.0297
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    5/22/2009 8:35:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    5/22/2009 8:35:01 AM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/22/2009 8:35:00 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    5/21/2009 8:15:19 AM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: Access is denied.
    5/16/2009 12:50:25 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.

    ==== End Of File ===========================

  #4 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi again

    OK, let's see... Do you have Online Armor configured so that it will allow AVG to update itself?

    Start HJT, do a system scan, check (if found):
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {0f02af4e-34c6-4072-9943-cd722ea0fb3d} - (no file)
    O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
    O2 - BHO: (no name) - {B43A4B2F-12BF-4C30-8C96-690574AF4E3D} - (no file)
    O2 - BHO: (no name) - {cca082d2-b67c-415c-883c-9c22cfffd418} - (no file)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
    O20 - Winlogon Notify: tuvSjJcC - C:\WINDOWS\

    Close browsers and fix checked.

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Read the requirements and privacy statement, then click on the Accept button.
    • The program will launch and start to download the latest definition files.
    • You will be prompted to install an application from Kaspersky. Click Run.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • Click on Save Report As....
    • Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Save this report to a convenient place.
    • Copy and paste that information & a fresh HJT log into your topic.
    • The scan will take a while, so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.

    If you need a tutorial, see here
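The entries singled out in the reply above (O2 BHOs registered with no backing file, O16 Java plug-in DPF entries with no source URL, and an O20 Winlogon Notify value whose path is a bare directory rather than a DLL) can be picked out of an HJT log mechanically. The script below is an added example written for this page, not a tool from the thread, from HijackThis or from Trend Micro: it encodes those three rules as "fix" findings, adds an informational note for O9 buttons that HJT marks "(file missing)", and runs them over a constructed sample assembled from the logs posted in this thread (the Flash O16 line's wording, the `Finding` type and the `triage`/`fix_list` names are the example's own).

```python
"""Triage HijackThis (HJT) log lines the way a removal helper does.

Added example for this page; not a tool from the thread, HJT or Trend Micro.
The rules encode the calls made in the reply above: orphaned O2 BHOs, O16 DPF
entries with no source URL, and an O20 Winlogon Notify value that points at a
directory instead of a DLL. The sample log is constructed from the posted logs
(the Flash O16 line's description is the example's own wording).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section prefix, e.g. "O20"
    severity: str  # "fix": ask the user to tick it in HJT; "info": note only
    reason: str
    line: str


# Constructed sample, assembled from lines in the HJT logs posted above.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)",
    "O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll",
    "O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\Program Files\\Java\\jre6\\bin\\jp2iexp.dll (file missing)",
    "O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -",
    "O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: tuvSjJcC - C:\\WINDOWS\\",
    "O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\\Program Files\\Tall Emu\\Online Armor\\oasrv.exe",
])

_GUID = r"\{[0-9A-Fa-f-]{36}\}"
_BHO = re.compile(rf"^O2 - BHO: (?P<name>.*?) - {_GUID} - (?P<target>.*)$")
_DPF = re.compile(rf"^O16 - DPF: {_GUID} \((?P<desc>.*?)\) -\s*(?P<url>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
_BUTTON = re.compile(rf"^O9 - .*? - {_GUID} - (?P<path>.*)$")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per HJT line that a helper would act on or note."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _BHO.match(line):
            # A CLSID still registered as a BHO but whose DLL is gone.
            if m["target"].strip().lower() == "(no file)":
                findings.append(Finding("O2", "fix", "BHO registered with no backing file", line))
        elif m := _DPF.match(line):
            # Downloaded Program File entry with nothing after the dash: stale plug-in registration.
            if not m["url"].strip():
                findings.append(Finding("O16", "fix", "DPF entry with no source URL", line))
        elif m := _NOTIFY.match(line):
            # Winlogon Notify packages must be DLLs; a bare directory is not a valid package.
            if not m["path"].strip().lower().endswith(".dll"):
                findings.append(Finding("O20", "fix", "Winlogon Notify value does not point at a DLL", line))
        elif m := _BUTTON.match(line):
            if "(file missing)" in m["path"].lower():
                findings.append(Finding("O9", "info", "IE button whose file is missing", line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """The lines a helper would ask the user to tick before 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

The O20 rule is deliberately narrow: it only flags a value that cannot be a notification package at all, which is exactly the `tuvSjJcC - C:\WINDOWS\` case from the first log, and leaves the AVG `avgrsstx.dll` entry alone. Entries that pass these rules are not thereby clean; the rules reproduce a first-pass triage, not a verdict.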

  #5 - Member (Join Date: Feb 2009, Posts: 45)

    The scan took 53 minutes and returned nothing. Was I still infected when I made this post? Or did AVG really catch and clean it? Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:16:10 PM, on 5/23/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Tall Emu\Online Armor\oacat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Tall Emu\Online Armor\OAui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\OAui.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    --
    End of file - 4665 bytes
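A small triage script for log entries of this kind, added here as an example; it is not part of the thread and not code from HijackThis. It parses the `Oxx - ...` lines, pulls the launch path out of each, counts entries per section, and flags the two things a helper reads such a log for first: entries whose target is reported as `(file missing)`, and autostart entries that launch from outside the usual Windows / Program Files locations. The sample lines are copied from the log above, except for one hypothetical HKCU Run entry pointing into a Temp folder, constructed only to show the second check firing; the trusted-prefix list is an assumption for a default XP layout.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example (not from the thread or from HijackThis). Parses the
'Oxx - ...' entries, extracts the launch path of each, and flags entries
that are reported '(file missing)' or that start from an unusual location.
"""
import re
from collections import Counter

# Constructed sample: entries copied from the log posted above, plus one
# hypothetical HKCU Run entry (upd.exe in a Temp folder) added only to
# exercise the 'unusual location' check. It is not an indicator from the thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
"""

# One HJT entry: section code (R0, O4, O23, ...), then ' - ', then the detail.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")

# First Windows path in the detail, up to a binary/shortcut extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|lnk))\b", re.IGNORECASE)

# Assumed 'normal' install locations on a default XP system (lower-cased).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Return a list of {'section', 'detail', 'path'} dicts, one per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, 'Running processes' block, blank lines
        path_match = PATH_RE.search(m.group("detail"))
        entries.append({
            "section": m.group("section"),
            "detail": m.group("detail"),
            "path": path_match.group(1) if path_match else None,
        })
    return entries


def summarize(entries):
    """Count entries per section code, e.g. {'O4': 5, 'O23': 1}."""
    return dict(Counter(e["section"] for e in entries))


def triage(entries):
    """Flag entries worth a closer look, with the reason for each."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e["detail"].lower():
            reasons.append("target reported missing")
        path = e["path"]
        if path is not None and not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("launches from outside Windows/Program Files")
        if reasons:
            findings.append({"section": e["section"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for f in triage(parsed):
        print(f"{f['section']}: {f['path']}  <- {', '.join(f['reasons'])}")
```

A hit is a prompt to look closer, not a verdict: the `(file missing)` entry here points at a Java DLL that is no longer on disk, a stale registration of the kind that an update or reinstall of the component clears, which is consistent with the advice in this thread to update Java rather than with an active infection.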

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Was I still infected when I made this post? Or did AVG really catch and clean it?
    Hi

    To me it seems that there were just some leftovers in the registry. Now it looks otherwise good but Java needs updating.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the Download button to the right.
    • Select Windows on the platform combobox and check the box that says "Accept License Agreement". Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Note: Uncheck the MSN toolbar option if you don't want to install it.

  7. #7
    Member
    Join Date
    Feb 2009
    Posts
    45

    Default

    I've updated Java per your instructions, but some webpages are still skewed and don't load properly or entirely; could it be something with the Java? AVG is also still not working properly (all the active components disappear on restart). Any thoughts on that? There isn't any malware or anything left, correct? Thanks in advance.

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    I'd reinstall AVG. It's possible that the infection harmed it in some way. If that doesn't help then we'll take a closer look.

    Sites should appear ok after browser cache is cleaned. Instructions here.
    Last edited by Blade81; 2009-05-25 at 22:02.

  9. #9
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.