Thread ID: 95051 2008-11-22 12:04:00 Virus on Laptop? HJT log attached Sick Puppy (6959) Press F1
Post ID Timestamp Content User
722088 2008-11-22 12:04:00 Hey Speedy, your services are again requested and appreciated! :rolleyes: I upgraded Avast to the latest version, and upon running a scan it almost immediately told me I had a virus/suspicious file. It prompts me to either ignore the files or delete them- either option results in the suggestion that I restart the laptop and have it run a boot scan. It performs the scan and then the laptop goes to the start page- files are still there.

I did an online Kaspersky scan which confirmed the laptop is infected, somewhere in Outlook's archive? I assumed it'd be a deleted spam e-mail with a dodgy attachment- I deleted the whole lot, but the scan still comes up with the same warning.

I'm a bit at a loss as to what to do here- Spybot/ Malwarebytes/ Ad-aware came up blank, as did the old version of Avast! when I did one a few days ago. Speedy, can you please have a look for me? And yes, I know I have far too many security programs and programs in general- I will be doing a cull of the programs on my laptop shortly, but that I think will be for another thread! :D

Here's the HJT report- do you need any of the Kaspersky/ ComboFix logs too? Thanks in advance Speedy!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:44:30, on 23/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Wireless Console\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nz.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Program Files\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O15 - Trusted Zone: www.wises.co.nz
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - support.asus.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - download.bitdefender.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - cdn.scan.safety.live.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - download.zonelabs.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 9284 bytes

Edit: [sigh], I've just checked the above log, and checked these entries:
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
Sick Puppy (6959)
722089 2008-11-22 17:18:00 Looks ok to me, but you can tick these then tick fix checked

Close browsers

Uninstall all versions of java, then update it. Link below

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

I would uninstall Adaware and use Malwarebytes instead

Disable system restore, then use ccleaner and delete temp files etc

What virus are we talking about? And what did it say was suspicious, what file/s?
Speedy Gonzales (78)
722090 2008-11-23 06:52:00 Hey Speedy, ran through your list:

1. Close browsers -Check

2. Uninstall all versions of java, then update it. -Check

3. O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" -Ticked and removed

4. Uninstall Adaware and use Malwarebytes instead -Uninstalled

5. Disable system restore, then use ccleaner and delete temp files etc -Disabled/ turned off system restore, used ccleaner to clean out computer- I use it pretty regularly, so only 'cleaned' 21MB...

But when you say ticked, you mean the O4 Adobe stuff only? Or did I miss something?

As for the virus and what the report said, here is the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 22, 2008 02:23:47
Records in database: 1401036
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 62123
Threat name: 2
Infected objects: 1
Suspicious objects: 1
Duration of the scan: 01:05:02

File name / Threat name / Threats count
C:\Documents and Settings\Andrew Comrie\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Andrew Comrie\My Documents\My Received Files\New Executable Files\Media\freeripmp3.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1

The selected area was scanned.

That was the report. I uninstalled Freeripmp3- I can't say I've used it recently, and I figured I'd be culling it very soon anyhow. I then went into the deleted items in my archives in Outlook and cleared it out- Avast's virus check still came up with the virus alert...
Sick Puppy (6959)
722091 2008-11-23 07:01:00 Yup just the Adobe entry and the Java entries you posted in the 1st post

Scan the whole hdd with Avast, that should remove it

Make sure it's updated first
Speedy Gonzales (78)
722092 2008-11-24 07:55:00 Hi Speedy, I updated Avast!, removed Adobe speed launcher and removed and updated Java . . . and the files in question still come up- the program appears to be listing my multi-function scanner-printer drivers as a 'rootkit' . . .

Some of the files are
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FMAIACP.DLL
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FUICACP.DLL
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FDSPACP.DLL
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FJBCACP.DLL
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FCONACP.DLL
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FBSRACP.EXE
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FUIRACP.DLL
C:\WINDOWS\system32\spoolsv.exe\drivers\w32x86\E_FGRCACP.DLL
These were the first few- there were heaps!

So I installed the latest Epson drivers for my one (RX530), and yup, still comes up . . . could malware have infected my laptop and be hiding in the drivers, or do you think Avast is being a bit paranoid Speedy?
Sick Puppy (6959)
722093 2008-11-24 08:24:00 Those files may belong to the printer drivers

It looks like FBSRACP.EXE is malware, however it is also printer related
Speedy Gonzales (78)
722094 2008-11-24 08:45:00 Okay, thanks Speedy- I'll uninstall the drivers, check the registry and then run another scan. If nothing comes up, I'll reinstall the drivers from Epson and then run a final scan to set it to ignore the files (or at least keep an eye on them!).

Thanks heaps Speedy, much appreciated!
Sick Puppy (6959)
722095 2008-11-24 09:15:00 No probs :) Speedy Gonzales (78)
722096 2008-11-24 10:05:00 Hi Sick Puppy

Kick out the following lines:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) File Missing

O2 - BHO: (no name) - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - (no file) File Missing

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Stay away from Cool Web Search, they deal in crapware!!

Hope this helps.

BURNZEE
Burnzee (6950)
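The entries Speedy and Burnzee pick out of the log in the first post (BHOs listed as "(no file)", O16 Java entries with no download source) are orphaned references that HijackThis reports but does not flag for you. This added example, not part of the thread or of HijackThis, parses those O2/O16 line formats and lists the stale ones; the `Finding` type and `find_stale_entries` function are names assumed here, and the sample lines are a constructed subset of the posted log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the HijackThis v2 line format: a few lines taken
# from the log posted above, not the full log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - (no file)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
"""

# O2 = Browser Helper Object: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.*)$", re.I)
# O16 = Downloaded Program File (ActiveX): "O16 - DPF: {CLSID} (<name>) - <source>"
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]{36}\}) \((?P<name>[^)]*)\) -\s*(?P<src>.*)$", re.I)


@dataclass
class Finding:  # hypothetical helper type, not part of HijackThis
    section: str
    clsid: str
    name: str
    reason: str


def find_stale_entries(log_text: str) -> List[Finding]:
    """Return O2/O16 entries whose backing DLL or download source is gone.

    These are orphaned registry references: harmless by themselves, but they
    are the kind of line a helper asks you to tick for 'Fix checked'.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m and m["path"].strip().lower() == "(no file)":
            findings.append(Finding("O2", m["clsid"].upper(), m["name"],
                                    "BHO registered but its DLL is missing"))
            continue
        m = DPF_RE.match(line)
        if m and not m["src"].strip():
            findings.append(Finding("O16", m["clsid"].upper(), m["name"],
                                    "ActiveX download entry with no source"))
    return findings


if __name__ == "__main__":
    for f in find_stale_entries(SAMPLE_LOG):
        print(f"{f.section} {f.clsid} {f.name!r}: {f.reason}")
```

Run against the full log it lists exactly the two "(no file)" BHOs and the four source-less Java DPF entries; live entries with a real DLL path or download host are left alone.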
722097 2008-11-25 10:47:00 Thanks Burnzee, I'll remove them... erm, BTW, what is Cool Web Search?! I haven't DL'd anything like that... (Yahoo & Google FTW), oh and Speedy, I removed the Epson drivers and did another scan- went from 222 suspicious files to 5 (well 4 actually, one was mentioned twice). Do these do anything? I'm figuring the 'fault.dll' means the file has been changed in some way...

C:\WINDOWS\I386\DRWATSON.EX_\FAULTH.DLL
C:\WINDOWS\I386\DRWTSN32.CH_\FAULTH.DLL
C:\WINDOWS\I386\DRWTSN32.EX_\FAULTH.DLL
C:\WINDOWS\I386\DRWTSN32.HL_\FAULTH.DLL
C:\WINDOWS\I386\DRWATSON.EX_\FAULTH.DLL
Sick Puppy (6959)