Page 3 of 5 (results 21 to 30 of 50)

Thread: Malware removal problem

  1. #21
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default Kaspersky Online Scanner 7 and fresh HijackThis

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, September 29, 2009
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, September 29, 2009 16:23:14
    Records in database: 2934985
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    F:\
    Z:\

    Scan statistics:
    Objects scanned: 247828
    Threats found: 14
    Infected objects found: 17
    Suspicious objects found: 30
    Scan duration: 04:47:27


    File name / Threat / Threats count
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Inbox Infected: Worm.Win32.AutoRun.qma 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Inbox Infected: Worm.Win32.AutoRun.qzg 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Inbox Infected: Trojan.Win32.Agent.anae 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Inbox Infected: Trojan.Win32.Agent.amzt 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Inbox Infected: Trojan-Dropper.Win32.Agent.aarg 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 5
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Junk Infected: Worm.Win32.AutoRun.ngp 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 16
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Junk Infected: Worm.Win32.AutoRun.qzg 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Junk Infected: Trojan.Win32.Agent.amzt 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.communichi.org\Junk Infected: Trojan-Dropper.Win32.Agent.aarg 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.dharmafriendship.org\Inbox Infected: Trojan-Spy.Win32.Goldun.azl 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.dharmafriendship.org\Inbox Infected: Trojan-Spy.Win32.Goldun.bcf 1
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.dharmafriendship.org\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 4
    C:\Documents and Settings\Jordan Van Voast\Application Data\Thunderbird\Profiles\s5kxaktj.default\Mail\mail.dharmafriendship.org\Inbox Infected: Backdoor.Win32.Bredolab.mn 1
    C:\Documents and Settings\Jordan Van Voast\My Documents\Downloads\Flash.Player.HD.45124(2).exe Infected: Trojan.Win32.FraudPack.ubt 1
    F:\StorageSync\Drive_C\Documents and Settings\user\Application Data\Thunderbird\Profiles\547fsfrf.default\Mail\mail.dharmafriendship-2.org\Inbox Infected: Exploit.JS.Pdfka.c 1
    F:\StorageSync\Drive_C\Documents and Settings\user\Application Data\Thunderbird\Profiles\547fsfrf.default\Mail\mail.dharmafriendship-2.org\Inbox Infected: Trojan-Dropper.MSPPoint.Agent.bf 1
    F:\StorageSync\Drive_C\Documents and Settings\user\Application Data\Thunderbird\Profiles\547fsfrf.default\Mail\mail.dharmafriendship-2.org\Sent Infected: Exploit.JS.Pdfka.c 1
    F:\StorageSync\Drive_C\Documents and Settings\user\Application Data\Thunderbird\Profiles\547fsfrf.default\Mail\mail.mandalaacupuncture.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 5
    F:\StorageSync\Drive_C\Documents and Settings\user\Application Data\Thunderbird\Profiles\547fsfrf.default\Mail\mail.mandalaacupuncture.com\Inbox Infected: Trojan-Spy.HTML.Fraud.as 1

    Selected area has been scanned.

    AND

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:46:11 PM, on 9/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dharmafriendship.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080604
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1213297287406
    O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: DM1Service - OLYMPUS IMAGING CORP. - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Online Protection System - Unknown owner - C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe (file missing)
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

    --
    End of file - 6065 bytes
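    The scanner report above lists 21 hits, but most of them are not files at all: a Thunderbird folder such as `...\Mail\mail.communichi.org\Inbox` is a single mbox file, so an "Infected" line there means a message or attachment stored inside that folder, not an executable that can run on its own, while the `Flash.Player.HD.45124(2).exe` hit in Downloads is a real dropped file. The following is an added example (not code from the thread, from Kaspersky, or from HijackThis) that parses a report in this layout, separates mail-store hits from on-disk files, and cross-checks the summary counters against the detail lines. It assumes the scanner's "Threats found" figure is the number of distinct threat names (true for the report above: 14 names, 17 infected, 30 suspicious), and the `MAIL_STORE_EXT` list of other single-file mail stores is an assumption added for generality. The `REPORT` text is a constructed excerpt in the report's format with placeholder user and server names.

```python
"""Triage a Kaspersky Online Scanner 7 style report.

Added example, not part of the original post. Splits hits inside mail stores
from hits on ordinary files and checks the report's own summary counters.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the scanner's layout: "<path> Infected|Suspicious: <threat> <count>".
REPORT = r"""
Scan statistics:
Objects scanned: 10
Threats found: 3
Infected objects found: 3
Suspicious objects found: 5

File name / Threat / Threats count
C:\Documents and Settings\user\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\mail.example.org\Inbox Infected: Worm.Win32.AutoRun.qma 1
C:\Documents and Settings\user\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\mail.example.org\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 5
C:\Documents and Settings\user\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\mail.example.org\Junk Infected: Worm.Win32.AutoRun.qma 1
C:\Documents and Settings\user\My Documents\Downloads\Flash.Player.HD.45124(2).exe Infected: Trojan.Win32.FraudPack.ubt 1

Selected area has been scanned.
"""

@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str   # "Infected" or "Suspicious"
    threat: str
    count: int

DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
TOTAL_RE = re.compile(r"^(Threats found|Infected objects found|Suspicious objects found): (\d+)$")
# Thunderbird stores each folder as one mbox file under Mail\<server>\ or ImapMail\<server>\.
MBOX_RE = re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\(?:Imap)?Mail\\", re.IGNORECASE)
# Other single-file mail stores (assumed list, not taken from the report).
MAIL_STORE_EXT = (".pst", ".ost", ".dbx", ".mbox")

def parse_report(text):
    """Return (detections, totals) where totals holds the report's own summary counters."""
    detections, totals = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
            continue
        t = TOTAL_RE.match(line)
        if t:
            totals[t.group(1)] = int(t.group(2))
    return detections, totals

def location_kind(path):
    """'mail-store' when the hit is a message inside a mailbox file, else 'file'."""
    if MBOX_RE.search(path) or path.lower().endswith(MAIL_STORE_EXT):
        return "mail-store"
    return "file"

def summarize(detections):
    """Recompute the three summary counters from the detail lines."""
    per_verdict = Counter()
    for d in detections:
        per_verdict[d.verdict] += d.count
    return {
        "Threats found": len({d.threat for d in detections}),   # assumption: distinct names
        "Infected objects found": per_verdict["Infected"],
        "Suspicious objects found": per_verdict["Suspicious"],
    }

def check_totals(totals, summary):
    """Counter names whose recomputed value differs from what the report header claims."""
    return sorted(k for k, v in summary.items() if totals.get(k) != v)

def remediation_plan(detections):
    """Action per path: mailbox hits are cleaned inside the mail client, files are deleted."""
    plan = {}
    for d in detections:
        if location_kind(d.path) == "mail-store":
            plan[d.path] = "delete the flagged messages in the mail client, then empty/compact the folder"
        else:
            plan[d.path] = "delete the file, then empty the Recycle Bin"
    return plan

if __name__ == "__main__":
    dets, totals = parse_report(REPORT)
    summary = summarize(dets)
    print("summary:", summary, "mismatches:", check_totals(totals, summary))
    for path, action in remediation_plan(dets).items():
        print(f"{location_kind(path):10} {path}\n    -> {action}")
```

    Deleting the mbox file itself would remove every message in that folder, which is why the plan sends mail-store hits back to the mail client; only the Downloads executable is a plain delete.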

  2. #22
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Empty the Junk folder in the Thunderbird mail accounts and delete all suspicious mails from the Inbox.

    Delete this:

    C:\Documents and Settings\Jordan Van Voast\My Documents\Downloads\Flash.Player.HD.45124(2).exe

    Empty Recycle Bin.

    Still problems?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #23
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    Okay, I've deleted and emptied as you have suggested. I'm not aware of any current problems though I'm not completely sure what I would be looking for. However, the issue of having Google searches redirected to advertisement web sites does not seem to be happening. Please advise.


  4. #24
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Good

    Is Norton Antivirus installed?

  5. #25
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default my antivirus

    No, I don't have Norton AntiVirus installed. It expired recently and I tried to save a few bucks and purchased Quick Heal for considerably less... though perhaps that wasn't a wise move.

  6. #26
    Member
    Join Date
    Sep 2009
    Posts
    32

    Smile


  7. #27
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Is QuickHeal active? I don't see it running.
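    The question above is answered from the HijackThis log earlier in the thread: no QuickHeal process appears under "Running processes", and the only trace of it is an O23 service whose binary is marked "(file missing)". The following is an added example (not the forum's, Trend Micro's, or HijackThis's own code) that automates that read of an HJT log: it lists entries whose file is missing, O23 services with an unknown owner, and whether a product identified by keywords is running, merely registered, or absent. `HJT_LOG` is a constructed excerpt built from lines in the thread's own log; the keyword lists are assumptions for illustration.

```python
"""Triage a HijackThis v2 log: missing files, unknown-owner services, product presence.

Added example, not part of the original thread. The log excerpt is constructed
from lines of the same format as the thread's HijackThis log.
"""
import re

HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Online Protection System - Unknown owner - C:\PROGRA~1\QUICKH~1\QUICKH~1\opssvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.+)$")   # e.g. "O23 - Service: ..."
MISSING_MARK = "(file missing)"

def parse_hjt(text):
    """Return {'processes': [...], 'entries': [(code, rest), ...]}."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list runs until the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["code"], m["rest"]))
    return {"processes": processes, "entries": entries}

def missing_files(parsed):
    """Entries (any section) whose referenced file HijackThis could not find."""
    return [(c, r) for c, r in parsed["entries"] if r.endswith(MISSING_MARK)]

def unknown_owner_services(parsed):
    """O23 services without a recognised vendor; worth a second look, not proof of malware."""
    return [r for c, r in parsed["entries"] if c == "O23" and " - Unknown owner - " in r]

def product_status(parsed, keywords):
    """Is a product (matched by case-insensitive keywords) running, registered only, or absent?"""
    kws = tuple(k.lower() for k in keywords)
    hit = lambda s: any(k in s.lower() for k in kws)
    running = [p for p in parsed["processes"] if hit(p)]
    services = [r for c, r in parsed["entries"] if c == "O23" and hit(r)]
    autoruns = [r for c, r in parsed["entries"] if c == "O4" and hit(r)]
    if running:
        verdict = "running"
    elif services and all(s.endswith(MISSING_MARK) for s in services) and not autoruns:
        verdict = "registered-but-binary-missing"   # leftover of an uninstall
    elif services or autoruns:
        verdict = "installed-but-not-running"
    else:
        verdict = "absent"
    return {"verdict": verdict, "running": running, "services": services, "autoruns": autoruns}

if __name__ == "__main__":
    parsed = parse_hjt(HJT_LOG)
    print("missing files:", missing_files(parsed))
    print("unknown-owner services:", unknown_owner_services(parsed))
    for name, kws in {"QuickHeal": ["quickh", "opssvc"], "Norton": ["norton", "symantec"]}.items():
        print(name, "->", product_status(parsed, kws)["verdict"])
```

    A service that is registered but whose binary is missing is harmless by itself, but it is exactly the kind of orphan an uninstaller leaves behind, and it explains a "(file missing)" line without assuming malware.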

  8. #28
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    I uninstalled it so that it wouldn't interfere with the other programs you had me download and use. Probably should reinstall it.

  9. #29
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes, please do that and post back a fresh HijackThis log afterwards.

  10. #30
    Member
    Join Date
    Sep 2009
    Posts
    32

    Default

    I am looking for a link to download it. I have my serial number and activation code, but had to email Quick Heal support, so I am waiting for that. Would you like me to run a system check with Quick Heal and THEN run HijackThis, or just install Quick Heal?

    Thanks
