Browsers hijacked, SpyBot and other installations blocked

OK, those are likely clean or then 0 detection.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
 
Shaba, here is the Kaspersky log. I am concerned about this line:

C:\Documents and Settings\Jean Manna\My Documents\A9installer_77075202.exe Infected: Trojan-Downloader.Win32.FraudLoad.vdtp 1

I forgot to run HijackThis again before coming back to this computer. If you need it, let me know and I will provide it, but if the FraudLoad Trojan is installed on this machine perhaps we should remove it beforehand.

Thanks again for all your help...I think I understand now what you mean by 'something worse' than the rootkit :-(


KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 25, 2009 20:19:53
Records in database: 2389318
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 98901
Threat name: 9
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:09:11


File name / Threat name / Threats count
C:\Documents and Settings\Jean Manna\My Documents\A9installer_77075202.exe Infected: Trojan-Downloader.Win32.FraudLoad.vdtp 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\TDSS1a4a.tmp Infected: Trojan.Win32.Patched.dy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir Infected: Trojan.Win32.FraudPack.gso 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsrc.dll.vir Infected: Trojan.Win32.FraudPack.gxq 1
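Most of the nine detections above sit under a quarantine folder (ComboFix's C:\Qoobox\Quarantine and Trend Micro's Quarantine), so only one object is actually live on the disk. The following script is an added example, not something posted in this thread; it parses a Kaspersky Online Scanner report, separates live detections from quarantined copies, and cross-checks the result lines against the scanner's own "Infected objects" statistic so a truncated paste is noticed. The sample report embedded in it is copied from the log above; the quarantine prefixes are the two folders named in this thread.

```python
# Added example (not from the thread): triage a Kaspersky Online Scanner
# report by separating live detections from objects that only sit in a
# quarantine folder. The sample report is copied from the log posted above.
from __future__ import annotations

import re
from dataclasses import dataclass

# Quarantine locations named in the thread (lower-cased for comparison).
# A detection under one of these paths is an already-neutralised copy held by
# another tool, not an active infection.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\program files\trend micro\internet security 12\quarantine",
)

# One result line looks like:  <path> Infected: <threat name> <count>
# The path may contain spaces, so the match anchors on the literal " Infected: ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        # Case-insensitive prefix match: Windows paths are case-insensitive.
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_report(text: str) -> list[Detection]:
    """Return every 'Infected:' result line of a Kaspersky Online Scanner report."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def reported_infected_count(text: str) -> int | None:
    """The 'Infected objects:' figure from the scan statistics block, if present."""
    m = re.search(r"^Infected objects:\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(text: str) -> tuple[list[Detection], list[Detection]]:
    """Split detections into (live, quarantined).

    Raises ValueError when the parsed result lines do not add up to the
    scanner's own statistic, i.e. the log was truncated or edited when pasted.
    """
    detections = parse_report(text)
    expected = reported_infected_count(text)
    if expected is not None and expected != sum(d.count for d in detections):
        raise ValueError(f"report claims {expected} infected objects but "
                         f"{len(detections)} result lines were parsed")
    live = [d for d in detections if not d.quarantined]
    quarantined = [d for d in detections if d.quarantined]
    return live, quarantined


# Excerpt of the report posted in this thread (statistics block + result lines).
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 98901
Threat name: 9
Infected objects: 9
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\Jean Manna\My Documents\A9installer_77075202.exe Infected: Trojan-Downloader.Win32.FraudLoad.vdtp 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\TDSS1a4a.tmp Infected: Trojan.Win32.Patched.dy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir Infected: Trojan.Win32.FraudPack.gso 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winsrc.dll.vir Infected: Trojan.Win32.FraudPack.gxq 1
"""

if __name__ == "__main__":
    live, quarantined = triage(SAMPLE_REPORT)
    print(f"{len(quarantined)} detection(s) already quarantined")
    for d in live:
        print(f"LIVE: {d.path} -> {d.threat}")
```

Run as-is it reports eight quarantined objects and one live file, the A9installer download that the helper later has the user check on VirusTotal. The consistency check matters when a log is pasted from a forum: a missing line changes the picture silently unless it is compared with the scanner's own count.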
 
HiJackThis log after the Kaspersky scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:29 AM, on 6/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152598524593
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - Unknown owner - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe (file missing)
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10553 bytes
 
Please click this link-->Jotti

Copy/paste the file on the list into the white "Upload a file" box and click Submit/Send (depends on which one you are using, Jotti or VirusTotal).

C:\Documents and Settings\Jean Manna\My Documents\A9installer_77075202.exe
Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Shaba,

Your hunch was correct, thanks for all your help. I hope this is the last infection on this poor machine....what a nightmare!

VirusTotal log for C:\Documents and Settings\Jean Manna\My Documents\A9installer_77075202.exe:

File A9installer_77075202.exe received on 2009.06.27 01:23:21 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.27 Trojan-Downloader.Win32.FraudLoad!IK
AhnLab-V3 5.0.0.2 2009.06.26 -
AntiVir 7.9.0.199 2009.06.26 TR/Crypt.CFI.Gen
Antiy-AVL 2.0.3.1 2009.06.26 Trojan/Win32.FraudLoad.gen
Authentium 5.1.2.4 2009.06.26 W32/Downldr2.FAIX
Avast 4.8.1335.0 2009.06.26 Win32:Ups
AVG 8.5.0.339 2009.06.26 FakeAlert.CQ
BitDefender 7.2 2009.06.26 Trojan.Generic.1771374
CAT-QuickHeal 10.00 2009.06.26 TrojanDownloader.FraudLoad.vd
ClamAV 0.94.1 2009.06.27 -
Comodo 1445 2009.06.27 TrojWare.Win32.Downloader.FakeAlert
DrWeb 5.0.0.12182 2009.06.27 Trojan.Packed.189
eSafe 7.0.17.0 2009.06.25 -
eTrust-Vet 31.6.6582 2009.06.26 Win32/FakeAV.TF
F-Prot 4.4.4.56 2009.06.26 W32/Downldr2.FAIX
F-Secure 8.0.14470.0 2009.06.27 Rogue:W32/XPAntivirus.gen!G
Fortinet 3.117.0.0 2009.06.27 W32/FraudLoad.VDTP!tr.dldr
GData 19 2009.06.27 Trojan.Generic.1771374
Ikarus T3.1.1.64.0 2009.06.27 Trojan-Downloader.Win32.FraudLoad
Jiangmin 11.0.706 2009.06.26 TrojanDownloader.FraudLoad.cle
K7AntiVirus 7.10.768 2009.06.19 Trojan-Downloader.Win32.FraudLoad.vdtp
Kaspersky 7.0.0.125 2009.06.27 Trojan-Downloader.Win32.FraudLoad.vdtp
McAfee 5658 2009.06.26 Generic Dropper.bw
McAfee+Artemis 5658 2009.06.26 Generic Dropper.bw
McAfee-GW-Edition 6.7.6 2009.06.26 Trojan.Crypt.CFI.Gen
Microsoft 1.4803 2009.06.26 Trojan:Win32/FakeXPA
NOD32 4193 2009.06.26 Win32/Adware.Antivirus2008
Norman 6.01.09 2009.06.26 W32/DLoader.LIII
nProtect 2009.1.8.0 2009.06.26 Trojan-Downloader/W32.FraudLoad.163840.I
Panda 10.0.0.16 2009.06.26 Adware/Antivirus2009
PCTools 4.4.2.0 2009.06.26 Trojan-Downloader.FraudLoad!sd6
Prevx 3.0 2009.06.27 High Risk Cloaked Malware
Rising 21.35.44.00 2009.06.26 -
Sophos 4.43.0 2009.06.27 Mal/FakeVirPk-A
Sunbelt 3.2.1858.2 2009.06.27 Downloader.Win32.Antivirus2009 (v)
Symantec 1.4.4.12 2009.06.27 Packed.Generic.187
TheHacker 6.3.4.3.356 2009.06.27 Trojan/Downloader.FraudLoad.vdtp
TrendMicro 8.950.0.1094 2009.06.26 Mal_FakeAV-9
VBA32 3.12.10.7 2009.06.26 Trojan-Downloader.Win32.FraudLoad.vdtp
ViRobot 2009.6.26.1806 2009.06.26 Spyware.FraudLoad.Do.163840.D
VirusBuster 4.6.5.0 2009.06.26 Trojan.DL.FraudLoad.BME
Additional information
File size: 163840 bytes
MD5...: 9816bfcfa17e9c865f6412672638f826
SHA1..: 02200d3d3531a9a4fc286af9cd511371be8f0235
SHA256: 98e857811fc5e0850e9e29229f43039859a97bcb36a65e3a3daecb3e82245195
ssdeep: 1536:anrEOQwLJGo8rnLEGbnhVlwCwNkJXmIqzN2PoJG3q7VoagH9:yr3QwUo8rLXbnTlwCokJb+cPo4a7Voa
PEiD..: -
TrID..: File type identification
  Win32 Executable Generic (42.3%)
  Win32 Dynamic Link Library (generic) (37.6%)
  Generic Win/DOS Executable (9.9%)
  DOS Executable Generic (9.9%)
  VXD Driver (0.1%)
PEInfo: PE Structure information

  ( base data )
  entrypointaddress.: 0x1158
  timedatestamp.....: 0x45b6704c (Tue Jan 23 20:30:04 2007)
  machinetype.......: 0x14c (I386)

  ( 8 sections )
  name   viradd   virsiz   rawdsiz ntrpy md5
  .text  0x1000   0x5073   0x6000  0.72  e45fdb3e67fdd01f92361214ee2df644
  .rdata 0x7000   0xcee    0x1000  0.00  620f0b67a91f7f74151bc5be745b7110
  .data  0x8000   0x4a1285 0x17000 5.83  d8e0f696c6128f037364bd91c6152416
  .tls   0x4aa000 0xec     0x1000  0.00  620f0b67a91f7f74151bc5be745b7110
  .rdata 0x4ab000 0x618    0x1000  0.04  5261b24bc62f014db687c91c0c828ed4
  .idata 0x4ac000 0x94f    0x1000  3.47  52d33fe0dc780197ae84dd6b947dc601
  .reloc 0x4ad000 0x4b     0x1000  0.00  620f0b67a91f7f74151bc5be745b7110
  .rsrc  0x4ae000 0x4ffc   0x5000  4.62  8d0fa7b9327d806ca3801754e24b1a8b

  ( 5 imports )
  > USER32.DLL: DrawIconEx, CreateIcon, GetWindowTextLengthA, DrawIcon, IsMenu, AppendMenuW, CopyImage, CloseWindow, DrawTextW, AppendMenuA, CopyRect, CopyIcon, GetWindowTextA, DialogBoxParamW, DrawTextA, LoadCursorA, IsWindow
  > GDI32.DLL: AddFontResourceW, ExtTextOutA, ClearBrushAttributes, CancelDC, AddFontResourceA, GetClipBox, AddFontResourceExW, ExcludeClipRect, CloseFigure, GetCurrentPositionEx, GetBrushOrgEx, DeleteObject, AddFontMemResourceEx, ClearBitmapAttributes, RestoreDC, AbortPath, CloseMetaFile, GetPixel, GetDCOrgEx
  > ADVAPI32.DLL: RegLoadKeyW, RegLoadKeyA, RegQueryValueExA, RegCreateKeyExW, RegReplaceKeyA, RegEnumValueW, RegDeleteValueW, RegEnumValueA, RegOpenKeyW, RegEnumKeyA, RegOpenKeyA, RegEnumKeyExW, RegQueryValueW, RegOpenKeyExA, RegQueryInfoKeyA, RegGetKeySecurity
  > KERNEL32.DLL: FindFirstFileA, GetConsoleMode, CreateProcessA, GetFileTime, DeleteFileA, SetLastError, GlobalFree, GetCPInfo, ExitThread, CopyFileA, GetLastError, ReadFile, CopyFileExW, GetFileSize, CopyFileExA, DeleteFileW, GetCommandLineA
  > GDI32.DLL: ClearBitmapAttributes, RestoreDC, GetBrushOrgEx, ExtTextOutA, DeleteDC, AddFontMemResourceEx, ClearBrushAttributes, SetTextColor, AbortPath, GetBitmapBits, AddFontResourceExA, BitBlt, CreateSolidBrush, GetDCOrgEx, DeleteObject, AddFontResourceW, BeginPath, AddFontResourceA, CloseMetaFile, CloseFigure, CopyMetaFileA, GetPixel, GetCurrentPositionEx

  ( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
  -
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=9816bfcfa17e9c865f6412672638f826
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7AD6013A00E7D936801A02B5998AB700E3302516

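The VirusTotal report above gives the sample's MD5, SHA-1, SHA-256 and size. A defender who meets a similar file later can match it against those digests locally, without uploading anything, which is also the check to run before trusting a report that quotes only an MD5. The script below is an added example and not part of this thread; the only page-specific values in it are the four figures VirusTotal reported for A9installer_77075202.exe, and the function and dictionary names are my own.

```python
# Added example (not from the thread): hash a file the way VirusTotal reports
# it and match it against samples already identified. The digests and size in
# KNOWN_SAMPLES are the ones VirusTotal returned for A9installer_77075202.exe
# in this thread; everything else is illustrative.
from __future__ import annotations

import hashlib
import sys

# Indexed by SHA-256. MD5/SHA-1 and size are kept so a report that quotes
# only a weaker digest can still be matched, flagged as such.
KNOWN_SAMPLES = {
    "98e857811fc5e0850e9e29229f43039859a97bcb36a65e3a3daecb3e82245195": {
        "name": "A9installer_77075202.exe",
        "md5": "9816bfcfa17e9c865f6412672638f826",
        "sha1": "02200d3d3531a9a4fc286af9cd511371be8f0235",
        "size": 163840,
        "verdict": "Trojan-Downloader.Win32.FraudLoad.vdtp (Kaspersky)",
    },
}


def hash_stream(chunks) -> dict[str, object]:
    """MD5, SHA-1, SHA-256 and byte count of an iterable of chunks, in one pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "size": size}


def hash_bytes(data: bytes) -> dict[str, object]:
    """Convenience wrapper for data already in memory."""
    return hash_stream([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict[str, object]:
    """Hash a file without reading it into memory at once."""
    def chunks():
        with open(path, "rb") as fh:
            while block := fh.read(chunk_size):
                yield block
    return hash_stream(chunks())


def match_known_sample(hashes: dict[str, object]) -> dict[str, object] | None:
    """Look the digests up in KNOWN_SAMPLES, strongest digest first.

    A SHA-256 hit is a definite match. A hit on MD5 or SHA-1 alone is returned
    with weak_match=True: both digests have practical collision attacks, so on
    their own they identify a file only tentatively.
    """
    entry = KNOWN_SAMPLES.get(hashes["sha256"])
    if entry:
        return {**entry, "weak_match": False}
    for entry in KNOWN_SAMPLES.values():
        if hashes["md5"] == entry["md5"] or hashes["sha1"] == entry["sha1"]:
            return {**entry, "weak_match": True}
    return None


if __name__ == "__main__":
    for path in sys.argv[1:]:
        h = hash_file(path)
        hit = match_known_sample(h)
        if hit:
            tag = "weak (MD5/SHA-1 only)" if hit["weak_match"] else "SHA-256"
            print(f"{path}: matches {hit['name']} [{tag}] - {hit['verdict']}")
        else:
            print(f"{path}: no match, sha256={h['sha256']} size={h['size']}")
```

Usage: `python hashcheck.py <file>...`. The size field is a cheap pre-filter: a file that is not 163840 bytes cannot be this sample, whatever any single digest says.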
 
That is just adware.

Please delete it.

Empty these folders:

C:\Program Files\Trend Micro\Internet Security 12\Quarantine
C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?
 
No problems as of yet, I was finally able to access http://www.safer-networking.org and run SpyBot. Looks like everything's clean.

Thank you so much Shaba. My friend, whose computer it is, did most of the running of programs and scanning herself. She's not very computer-savvy but the instructions were clear and your help was invaluable.

Thanks again for your great work and your time,

Motorhobo
 
Good :)

Then we continue with this:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Post back a fresh HijackThis log afterwards, please.
 
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.
 