Hi,
My first post here, I've taken a look at the advice on posting but let me know if I do anything wrong!
I seem to have got infected by a few nasties. AVG alerted me to this, but too late! I would imagine it is worth me including the AVG logs from both the resident component and a scan. Once I was aware there was a problem, I updated and ran Spybot S&D (it is not in TeaTimer mode). This comes up with some items and then exits with several "Out of System Resources" messages. The malware seems to prevent me from using both Internet Explorer and Google Chrome.
AVG logs are below, followed by the HJT v2.02 log.
AVG Resident Shield:
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 07:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 06:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 05:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 04:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 03:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 02:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 01:29:41";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"22/12/2009, 00:29:42";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Infected";"21/12/2009, 23:29:43";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP138\A0014859.dll";"Moved to Virus Vault";"21/12/2009, 23:13:38";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Downloader.Generic9.ZGL;"C:\System Volume Information\_restore{20409EED-2503-4FBB-BED3-5FFA5EA06261}\RP137\A0014717.exe";"Moved to Virus Vault";"19/12/2009, 15:24:47";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Crypt.KYI;"C:\WINDOWS\system32\iebho.dll";"Infected";"19/12/2009, 14:49:28";"file";"C:\WINDOWS\system32\wbem\wmiprvse.exe"
Trojan horse Crypt.KYI;"C:\WINDOWS\system32\iebho.dll";"Moved to Virus Vault";"19/12/2009, 14:47:35";"file";"C:\WINDOWS\system32\wbem\wmiprvse.exe"
Trojan horse SHeur2.BZPQ;"C:\Documents and Settings\David Sutton\Local Settings\Temp\441c.exe";"Moved to Virus Vault";"19/12/2009, 14:12:30";"file";"C:\DOCUME~1\DAVIDS~1\LOCALS~1\Temp\ie5C.tmp"
Trojan horse Generic16.BVD;"C:\Documents and Settings\David Sutton\Local Settings\Temp\39cb.exe";"Moved to Virus Vault";"19/12/2009, 14:12:29";"file";"C:\DOCUME~1\DAVIDS~1\LOCALS~1\Temp\ie5C.tmp"
AVG Scan:
Infections
File;"Infection";"Result"
C:\Documents and Settings\David Sutton\Local Settings\Temporary Internet Files\Content.IE5\1CKUSKQ1\247-new[1].exe;"Trojan horse Generic16.DHF";"Moved to Virus Vault"
C:\Documents and Settings\David Sutton\Local Settings\Temporary Internet Files\Content.IE5\8BU7GRWB\pdf[1].pdf;"Virus found Exploit";"Moved to Virus Vault"
Spyware
File;"Infection";"Result"
C:\Documents and Settings\David Sutton\My Documents\MPC-6.4.9.exe;"Adware Generic4.SV";"Moved to Virus Vault"
C:\Documents and Settings\David Sutton\My Documents\MPC-6.4.9.exe:\$CE\mplayerplgn.dll;"Adware Generic4.SV";"Moved to Virus Vault"
HJT 2.02 Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:02:30, on 22/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Software\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {D032570A-5F63-4812-A094-87D007C23012} - C:\WINDOWS\system32\iebho.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David Sutton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\David Sutton\Application Data\Macromedia\Common\859e604819.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/Messen....cab109791.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1235123549250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1235160550171
O16 - DPF: {BA2CB6B1-03EE-4068-87CC-F5E4DD772A9B} (CCAOControl Object) - https://bemobile-silver.com/CitrixLo.../CitrixCAO.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Update Service (gupdate1ca1dc1bf5be126) (gupdate1ca1dc1bf5be126) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 7907 bytes