Solved

PC with many viruses/spyware after several removal attempts

Posted on 2008-06-21
921 Views
Last Modified: 2013-12-06
I have a client with a Win XP Media Center Edition machine.  It is very infected.  I ran Avira Antivir and Spysweeper which found a couple of things.  Uninstalled those and then ran the trial version of AVG 8.0 Internet Security which found many more things.  However, the computer is still infected.

These are the primary symptoms:

1) The time down on the taskbar is in military time and has the words "Virus Alert!" after it.  All files that show a date/time also have these words in the time.

2) A popup keeps coming up that says "Windows Security Alert:  Windows has detected an Internet attack attempt.  Somebody's trying to infect your PC with spyware or harmful viruses.  Run full system scan now to protect your PC from Internet Attacks, highjacking attamps, and spyware.  Click here to download sypware remover for total protection.

3) A balloon message shows up on the taskbar saying "System Alert:  System detected virus activities..  These may impact the performance of your computer. Please, use recommend antisypware software to protect your system from parasite programs."

4) Another popup saying "Spyware Alert:  Security Warning!  Worm.Win32.Netbooster detected on your machine . . . blah, blah, blah."

5) The client also uses AOL 9.  It keeps opening itself, over and over, even when you close it.

6) The Task Manager has been disabled message comes up when you press Ctrl-Alt-Del.

My questions:

A) I have attached a HijackThis log to show what's running on the computer.  How do I interpret this and remove the problems?

B) Is there another piece of software that will do a better job of getting rid of most of the malware?  I have always had very good luck with Avira, AVG, and Spysweeper.    

Also, this client does not seem to have the Win XP Media Center Edition CD.  I told him it might be easier to wipe and start over, but he doesn't have the CD.

Thanks so much!

Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:25: VIRUS ALERT!, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\AVG\AVG8\avgwdsvc.exe
E:\AVG\AVG8\avgfws8.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
E:\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
E:\AVG\AVG8\avgam.exe
E:\AVG\AVG8\avgrsx.exe
E:\AVG\AVG8\avgnsx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
E:\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
E:\Dell Photo AIO Printer 964\dlcjmon.exe
E:\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Common Files\AOL\1170810117\ee\AOLSoftware.exe
E:\Java\jre1.6.0_03\bin\jusched.exe
E:\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\AVG\AVG8\avgtray.exe
E:\slide\slide.exe
E:\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\AOL\1170810117\ee\aolsoftware.exe
C:\WINDOWS\system32\dlcjcoms.exe
E:\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
I:\Computer Repair Utility Kit\Virus and Malware Removal Tools\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\AVG\AVG8\avgssie.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: QXK Olive - {E4DCBEAD-D329-4EAB-9C5D-09DACE8CA679} - C:\WINDOWS\ksendlbtvnl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O3 - Toolbar: vrmdtneg - {860E2925-FAD4-4BE9-848C-E96B52A41351} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "E:\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "E:\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1170810117\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [AntiMalwareGuard] E:\AntiMalwareGuard\amg.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Slide.exe] e:\slide\slide.exe
O4 - HKCU\..\Run: [swg] E:\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: KybtecWcCaller.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - e:\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167340143359
O16 - DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} (TWDownloader Class) - https://securemail.hctx.net/download/TWDownload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freeware/cab/installprivacyprotector.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: E:\\Google\GOOGLE~2\GOEC62~1.DLL,E:\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O21 - SSODL: wpvmqosg - {86A580E7-2727-4727-B588-8B177FA621FA} - C:\WINDOWS\wpvmqosg.dll
O21 - SSODL: xvorfwbd - {EE379605-1337-4640-9E3A-D9924D05018A} - C:\WINDOWS\xvorfwbd.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - E:\AVG\AVG8\avgfws8.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - E:\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - E:\\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - E:\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10261 bytes
 
22 Comments
 
LVL 87

Expert Comment

by:rindi
What's "military time"?

Download and run smitfraudfix in safemode.

http://www.bleepingcomputer.com/files/smitfraudfix.php
0
 
LVL 23

Expert Comment

by:Admin3k

If I were you , in order to clean up this, I would run a series of scans using these free  tools

CWSShredder : http://us.trendmicro.com/us/products/personal/CWShredder/

Rogue remover : http://www.malwarebytes.org/rogueremover.php

Combofix : http://www.bleepingcomputer.com/combofix/how-to-use-combofix

be careful with Combofix, the instructions are important

once the Combofix scan is complete, please post the log , as well as a Fresh HJT log

it is also a good idea to run an online scan as a second opinion.

 http://www.kaspersky.com/virusscanner

hope this helped



0
 

Author Comment

by:computerdoctortexarkana
Thanks for your suggestions.  I will try them and post logs as requested.  

As for the question about military time, it is "24 hour" time instead of "12 hour" time with AM & PM.  For example, instead of showing 3:13 PM right now, the clock shows 15:13.  That time format is used in the military, hence its name, and also often by hospitals, such as when doctors say, "time of death 01:00 hours, or 1 AM"
0
 
LVL 87

Expert Comment

by:rindi
What's "military" about 24 hours time? and what do you have against that? 24 hour time is the standard way time should always be shown in my point of view.
0
 

Author Comment

by:computerdoctortexarkana
That last comment was totally unnecessary.  I said nothing derogatory about 24 hour time.  And in the U.S. the military is the main institution that uses it. Whether they should or not, civilians generally don't.

Google the phrase "military time" and you will see that it is a common expression.

And as far as having anything against it, I don't, except that unless you tell Windows specifically to display that time, it usually displays AM/PM.  So, that is a symptom of malware.  Not an indictment of 24 hour time since my client did not change the time to that format.
0
 
LVL 87

Expert Comment

by:rindi
It depends where you are. In my location 24hrs is the way time is displayed by default.
0
 
LVL 17

Expert Comment

by:Jared Luker
Dude... rindi... chill man.  It's just a way of expressing time and it's VERY common.  

If anything, we should be mocking you for not having heard of that.  That's not what EE is about though, so let's keep it civil.
0
 
LVL 87

Expert Comment

by:rindi
I'm more looking at it as something funny. Why should that be called "military" time.
0
 

Author Comment

by:computerdoctortexarkana
Rindi:

You do need to chill.  This is the last thing I am going to say about "military time".  It does depend on where you are.  If you look up military time in wikipedia, you will see that although the 24-hour clock is "the most common" way of telling time in the world, it IS NOT in the US or Canada.  For us in the US, it is not common.  I asked you to Google the phrase and if you had, you would have known that for those of us in the United States, it is most commonly called military time.  

From wikipedia:  "The 24-hour clock is a convention of time keeping in which the day runs from midnight to midnight and is divided into 24 hours, numbered from 0 to 23. This system is the most commonly used time notation in the world today.[1] The 12-hour clock is dominant instead in a handful of countries,[1] particularly the United States and Canada (except Quebec). 24-hour notation is also popularly referred to as military time or astronomical time in the US and Canada,[2] and in Australia (though rarely) as army time. In some parts of the world, it is called railway time. It is also the international standard notation of time (ISO 8601).[3]"

Here in the US, we do a lot of things differently and not always for the best, like our country's refusal to accept the metric system.  But as the last person said, this IS NOT the place to debate all of this.  You are wasting my time and I really do not want to hear anything else about this.  If you have something constructive to say that will help me, please add it.  And from now on, when you don't know what something means, just look it up, or at least when someone explains it, don't deride them for it.

Thank you.
0
 

Author Comment

by:computerdoctortexarkana
To Admin3K or anyone else who knows:

I have used the first two programs mentioned in your post.  CWShredder found nothing.  Rogueremover found several thing and I removed them.

I am attempting to use ComboFix and as you suggested am trying to follow the directions very closely.  However, it says before installing to setup the Win XP Recovery Console.  Since I do not have the XP disc, I went to the Microsoft article at

http://support.microsoft.com/kb/310994

to install from there.  However, I don't know which one to choose since this is Win XP Media Center Edition Svc Pack 2.  Is this equivalent to either Home or Pro or is there another download specifically for Media Center?

Thanks for your help!
0
 
LVL 47

Expert Comment

by:rpggamergirl
Please follow rindi's advice of running Smitfraudfix.exe, that will fix it.
The VIRUS ALERT in the taskbar and the military time is all caused by the virus.

After running smitfraudfix.exe, please run Hijackthis again and show us a fresh hijackthis log.

0
 
LVL 47

Expert Comment

by:rpggamergirl
The military time can be fixed manually (just as the VIRUS ALERT can also be fixed manually) but it will not remove the virus, you still need smitfraudfix.exe. Smitfraudfix.exe should take care of everything.

Manually fixing the time:
Start > Run > and type in:

intl.cpl

and in the window that opens, Regional Options > Customize > Time
and change back the time format to normal --> h:mm:ss tt
h = 12 hour
H = 24 hour
0
 
LVL 47

Expert Comment

by:rpggamergirl
Combofix can remove multiple infections, so it might also remove this virus, but Combofix is a high risk tool which should only be used for hard to remove infections, and smitfraudfix.exe can handle this infection.
0
 

Author Comment

by:computerdoctortexarkana
I ran smitfraudfix and it said it cleaned some stuff but the military time was still there.  Don't know if the virus was taken out and I just now need to do it manually or if that fix did not work.

Also, there are those other viruses showing up, so can someone please tell me how to use the ComboFix program?


I appreciate your help.

By the way, what do you guys think of Avira Antivir for preventing infections?  I had always had the idea that it was a very sensitive engine but this client already had it installed on his machine.  He did not have it scanning though regularly and, in fact, it had never run a full scan.  

As far as "free" antivirus programs go, which do you all consider the best:  Avast or Avira Antivir?  AVG used to be free but it looks to me like now that they've gone to v. 8.0 it is no longer free.  Or can you still get updated definitions for the older versions?

Thanks a bunch.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Is Smitfraudfix.exe this version? --> Version 2.328

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you How to use Combofix as well as installing RC.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 

Author Comment

by:computerdoctortexarkana
After running Smitfraudfix the second time, it did remove the virus and then I followed the instructions above for resetting the time to AM/PM format.  

I never did get an answer to how to install the recovery console without the Windows CD for Media Center Edition, so I wasn't able to run the ComboFix.

So, while I was waiting, I installed Avast, updated the virus definitions, and ran a boot-time scan.  It found multiple infections.

The computer seems to be behaving properly now.  No more popups, no balloons, and AOL is not starting itself.  

I think it is fixed.  However, just to be sure, I will paste the new hijackthis log below.  Please let me know if there is anything else I need to take off.
0
 

Author Comment

by:computerdoctortexarkana
OOPS!  Forgot the log.  Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:35:30 PM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Alwil Software\Avast4\aswUpdSv.exe
E:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
E:\Google\Common\Google Updater\GoogleUpdaterService.exe
E:\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
E:\Dell Photo AIO Printer 964\dlcjmon.exe
E:\Dell Photo AIO Printer 964\memcard.exe
C:\Program Files\Common Files\AOL\1170810117\ee\AOLSoftware.exe
E:\Java\jre1.6.0_03\bin\jusched.exe
E:\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\ALWILS~1\Avast4\ashDisp.exe
E:\slide\slide.exe
E:\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1170810117\ee\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
E:\Alwil Software\Avast4\ashMaiSv.exe
E:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dlcjcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
E:\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
E:\Java\jre1.6.0_03\bin\jucheck.exe
e:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: QXK Olive - {E4DCBEAD-D329-4EAB-9C5D-09DACE8CA679} - C:\WINDOWS\ksendlbtvnl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O3 - Toolbar: vrmdtneg - {860E2925-FAD4-4BE9-848C-E96B52A41351} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcjmon.exe] "E:\Dell Photo AIO Printer 964\dlcjmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "E:\Dell Photo AIO Printer 964\memcard.exe"
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1170810117\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKLM\..\Run: [AntiMalwareGuard] E:\AntiMalwareGuard\amg.exe
O4 - HKLM\..\Run: [avast!] E:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Slide.exe] e:\slide\slide.exe
O4 - HKCU\..\Run: [swg] E:\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: KybtecWcCaller.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AOL Toolbar Search - e:\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - E:\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167340143359
O16 - DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} (TWDownloader Class) - https://securemail.hctx.net/download/TWDownload.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freeware/cab/installprivacyprotector.cab
O20 - AppInit_DLLs: E:\\Google\GOOGLE~2\GOEC62~1.DLL,E:\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcj_device - Unknown owner - C:\WINDOWS\system32\dlcjcoms.exe
O23 - Service: DSBrokerService - Unknown owner - E:\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - E:\\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - E:\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - E:\Dell Support Center\bin\sprtsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8941 bytes
0
 
LVL 47

Expert Comment

by:rpggamergirl
You can fix these entries in Hijackthis:
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O2 - BHO: QXK Olive - {E4DCBEAD-D329-4EAB-9C5D-09DACE8CA679} - C:\WINDOWS\ksendlbtvnl.dll (file missing)
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O3 - Toolbar: vrmdtneg - {860E2925-FAD4-4BE9-848C-E96B52A41351} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [AntiMalwareGuard] E:\AntiMalwareGuard\amg.exe

Alot Toolbar and AntiMalwareGuard are not recommended programs to have on the PC; you can uninstall them via Add/Remove Programs if they are listed there.

Do you know this startup below? if you didn't install it, you can fix that too.
O4 - Startup: KybtecWcCaller.exe



To install the Windows Recovery Console when you do not have the Windows XP CD, the step by step instructions are in the link that I posted before. You would need to download a file from microsoft and once that's downloaded you would drag that file into combofix.exe, and ComboFix will automatically install the Windows Recovery Console onto your computer.

Combofix will run without the RC installed but there is a particular infection where combofix will not remove unless RC is installed, so that's one of the reason that it's recommended to have Recovery Console installed.
0
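The original question asks how to interpret the HijackThis log, and the expert's reply above boils down to a short list of line patterns to fix: entries whose target is "(file missing)" or "(no file)", the ALOT Toolbar and AntiMalwareGuard entries, the O6/O7 policy restrictions, and the "VIRUS ALERT!" text that the first log shows in its scan time. The script below is an added example, written for this page and not code from HijackThis or from anyone in the thread; it parses a log in the format shown above and flags exactly those patterns. The sample log embedded in it is a constructed subset of the thread's first log, the "Windows root directory" heuristic for O2/O3/O21 components is an assumption based on the `C:\WINDOWS\wpvmqosg.dll` style entries that disappeared after cleaning, and the list of unwanted program names is taken from the expert's comment rather than from any vendor database.

```python
"""Triage helper for HijackThis logs (added example; not HijackThis code).

Flags the line patterns the thread's experts said to fix:
  * targets reported as '(file missing)' / '(no file)'  -> orphaned loader entries
  * O2/O3/O21 components loaded straight from C:\WINDOWS -> heuristic (assumption)
  * O6/O7 policy restrictions                           -> DisableRegedit, IE Restrictions
  * O2/O3/O4 entries for programs the thread called unwanted
  * R0 start page on a non-Microsoft host               -> review
  * a scan header whose clock contains text other than AM/PM -> tampered time format
"""
import re
from dataclasses import dataclass, field

# Programs rpggamergirl said not to keep (taken from the thread); extend as needed.
UNWANTED_PROGRAMS = ("alot toolbar", "antimalwareguard")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HEADER_RE = re.compile(r"^Scan saved at (?P<clock>[^,]+), on ", re.I)
WINDIR_ROOT_DLL_RE = re.compile(r"C:\\WINDOWS\\[^\\]+\.dll", re.I)
CLEAN_CLOCK_RE = re.compile(r"\d{1,2}:\d{2}(:\d{2})?(\s*[AP]M)?", re.I)


@dataclass
class Finding:
    section: str
    line: str
    reason: str


@dataclass
class Triage:
    clock_tampered: bool = False
    findings: list = field(default_factory=list)


def triage_log(text: str) -> Triage:
    """Scan every line of a HijackThis log and collect the suspicious ones."""
    result = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            # "14:25: VIRUS ALERT!" fails this check; "09:35:30 PM" passes.
            if not CLEAN_CLOCK_RE.fullmatch(header.group("clock").strip()):
                result.clock_tampered = True
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        sec, body = entry.group("sec"), entry.group("body")
        low = body.lower()

        if "(file missing)" in low or "(no file)" in low:
            result.findings.append(Finding(sec, line, "orphaned entry: target file is missing"))
        elif sec in ("O2", "O3", "O21") and WINDIR_ROOT_DLL_RE.search(body):
            result.findings.append(Finding(sec, line, "component DLL lives directly in C:\\WINDOWS"))
        if sec == "O7" or (sec == "O6" and "restrictions" in low):
            result.findings.append(Finding(sec, line, "registry policy restriction present"))
        if sec in ("O2", "O3", "O4") and any(p in low for p in UNWANTED_PROGRAMS):
            result.findings.append(Finding(sec, line, "program the thread identified as unwanted"))
        if sec == "R0" and "start page" in low and "microsoft.com" not in low:
            result.findings.append(Finding(sec, line, "start page points at a third-party site"))
    return result


def reason_counts(triage: Triage) -> dict:
    """How many findings of each kind the log produced."""
    counts: dict = {}
    for f in triage.findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:25: VIRUS ALERT!, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - E:\alot\bin\alot.dll
O2 - BHO: QXK Olive - {E4DCBEAD-D329-4EAB-9C5D-09DACE8CA679} - C:\WINDOWS\ksendlbtvnl.dll (file missing)
O3 - Toolbar: vrmdtneg - {860E2925-FAD4-4BE9-848C-E96B52A41351} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\Run: [AntiMalwareGuard] E:\AntiMalwareGuard\amg.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\AVG\AVG8\avgtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: wpvmqosg - {86A580E7-2727-4727-B588-8B177FA621FA} - C:\WINDOWS\wpvmqosg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    t = triage_log(SAMPLE_LOG)
    print("time format tampered:", t.clock_tampered)
    for f in t.findings:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it on a saved log with `triage_log(open("hijackthis.log").read())`; the O22/O23 lines that point into `system32` or a vendor directory produce nothing, while the entries the expert listed are all reported, and the tampered clock is reported separately because it is the one symptom that does not correspond to a single log line.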
 

Author Comment

by:computerdoctortexarkana
rpggamergirl:

Thanks for your help.  I corrected all those entries in HijackThis that you said to correct.

As for ComboFix, I know that you did give a link showing where to download the Recovery Console file from Microsoft.  It was a support.microsoft.com article and it had the links for XP Home & XP Professional and links for each service pack.

However, I DID NOT see a link for XP Media Center Edition 2005.  Can I use one of the other files, or is there another way to download this?
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
Oh yeah, sorry about that. Well, it only says XP Home and XP Pro so better not use that. I don't know where to get for your XP version.

You can run Combofix without installing the Recovery Console. If you have that particular infection where RC is needed, it will show up in the CF log (I don't think you have it, otherwise the PC would still be misbehaving).
If the pc seems to be running okay don't worry about combofix.
You can instead do an online scan with Kaspersky and see if it finds any bad files, just save the report because kaspersky doesn't delete what it finds.

Does the "VIRUS ALERT" sign also appear in "My Computer > System Properties"? If so, we can also manually fix that.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
Virus alert affects the registry... You should have the manual fix for the registry in order to get rid of it.
0
