Solved: trojan "scar.aakg"
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 05-Oct-2009, 08:30 PM #1
trojan "scar.aakg"
Please could you help me with a malware problem.

Symptoms: New Shortcut Icon has appeared on my desktop for "AntiVirus Pro 2010", messages from Security Centre show that Anti-virus is not enabled and is prompting me to install "Anti-virus Pro 2010" (I actually have "Virgin PCGuard" provided free by my ISP). Pop-up alerts keep warning me of active trojan and infected files - most of the alerts are prompting me to register "Anti-Virus Pro 2010" to sort out all my problems.

Actions taken so far:
I ran the PCGuard anti-virus scan, which quarantined two files: "trojan.win32.scar.aakg".
I ran a Malwarebytes scan, which identified 7 instances of registry values that were infected.

Current status:
The PC now starts up with error messages about certain files being "not an image file". As I create this thread, the symptoms include interference with my internet browsing: it prevents me from going to pages or sites that I request, displaying a screen that warns of the dangers of insecure browsing. I'm now using a second PC to add details and update this thread.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:13:45, on 06/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband\PCguard\rps.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\OEM\OSD_1.4\OsdService.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OEM\OSD_1.4\osd.exe
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mangahelpers.com/downloads/download/513
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.thetechguys.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Yoriko Noble\Application Data\svcst.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\YORIKO~1\ntuser.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: OSD.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.thetechguys.com
O20 - AppInit_DLLs: cru629.dat
O23 - Service: OSD Service (OsdService) - TODO: <????> - C:\Program Files\OEM\OSD_1.4\OsdService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Virgin Broadband PCguard (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
O23 - Service: Virgin Broadband PCguard SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
--
End of file - 5378 bytes

Last edited by StoneAgeMan : 05-Oct-2009 08:47 PM. Reason: Added the introduction
Cookiegal (Administrator, 63,632 posts; Join Date: Aug 2003; Location: Quebec, Canada) - 26-Oct-2009, 07:31 PM #2
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 27-Oct-2009, 07:33 PM #3
Hi CookieGal, thanks for responding... I downloaded Combofix as Puppy.exe but the download screwed up, so I did it again as Puppy1.exe. The logs are shown below.

Combofix Log:-

ComboFix 09-10-26.06 - Yoriko Noble 27/10/2009 22:39.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.685 [GMT 0:00]
Running from: c:\documents and settings\Yoriko Noble\Desktop\puppy1.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\eromeme.vbs
c:\documents and settings\All Users\Application Data\ohypu.vbs
c:\documents and settings\All Users\Application Data\qawyb._sy
c:\documents and settings\All Users\Documents\dexorydi._sy
c:\documents and settings\All Users\Documents\rujuzo.pif
c:\documents and settings\All Users\Documents\sywywepa.bat
c:\documents and settings\Yoriko Noble\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Yoriko Noble\Cookies\jusuhymyne.inf
c:\documents and settings\Yoriko Noble\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Yoriko Noble\Local Settings\Application Data\atiduwosyn.pif
c:\documents and settings\Yoriko Noble\Local Settings\Application Data\exeha.pif
c:\documents and settings\Yoriko Noble\Local Settings\Application Data\nyro.scr
c:\documents and settings\Yoriko Noble\Local Settings\Application Data\pocoba.bat
c:\documents and settings\Yoriko Noble\Local Settings\Temporary Internet Files\cahebimo.reg
c:\documents and settings\Yoriko Noble\Local Settings\Temporary Internet Files\noragituv.sys
c:\documents and settings\Yoriko Noble\Local Settings\Temporary Internet Files\ybuliz.lib
c:\documents and settings\Yoriko Noble\ntuser.dll
c:\documents and settings\Yoriko Noble\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Yoriko Noble\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Yoriko Noble\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Yoriko Noble\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\ebevyt._sy
c:\program files\Common Files\xekexa.com
c:\recycler\S-1-5-21-1830626958-3212327886-535871226-1003
c:\recycler\S-1-5-21-2533861339-4209849621-1895232279-1003
c:\recycler\S-1-5-21-3716959607-3062579629-759798360-1003
c:\recycler\S-1-5-21-4132992690-310283030-798565870-1003
c:\windows\ejotiqiwix.bin
c:\windows\gyfipom.pif
c:\windows\iciv.bat
c:\windows\sarywizy.dll
c:\windows\system32\_scui.cpl
c:\windows\system32\avynocyqot.sys
c:\windows\system32\etawaf.inf
c:\windows\system32\suju.bin
c:\windows\system32\uviwyv.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.
2009-10-06 00:13 . 2009-10-06 00:13 -------- d-----w- c:\program files\Trend Micro
2009-10-05 21:29 . 2009-10-05 21:29 12741 ----a-w- c:\windows\qeru.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 23:01 . 2009-09-21 19:22 6718240 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-27 23:00 . 2009-09-21 19:22 66336 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-27 22:28 . 2009-09-21 19:22 90044 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-27 22:28 . 2009-09-21 19:22 6764 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-10-05 22:28 . 2009-08-09 06:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 19:19 . 2009-09-21 19:19 -------- d-----w- c:\program files\Raxco
2009-09-21 19:19 . 2009-09-21 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-09-21 19:19 . 2009-02-07 19:15 -------- d-----w- c:\program files\Virgin Broadband
2009-09-21 19:19 . 2009-02-07 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-09-21 19:19 . 2009-02-07 19:15 -------- d-----w- c:\documents and settings\Yoriko Noble\Application Data\Virgin Broadband
2009-09-21 19:18 . 2008-08-05 18:29 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-06 18:24 . 2008-07-28 22:24 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2008-07-28 22:24 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2008-10-16 14:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2008-07-28 22:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2008-07-28 22:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2008-07-28 22:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2008-07-28 22:24 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2008-07-28 22:24 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-07-28 22:11 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:36 . 2009-08-09 21:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-08-09 21:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-10-26 671744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-27 16875008]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_C66DA773F6FF9EF7B9BC44.exe [2008-8-5 21630]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
R2 OsdService;OSD Service;c:\program files\OEM\OSD_1.4\OsdService.exe [22/02/2008 16:24 94208]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 15:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 17:28 4937752]
R3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [18/06/2008 04:27 7168]
R3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [23/04/2008 02:06 8192]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 17:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 17:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 17:28 27376]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [05/08/2008 18:24 306176]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 15:58 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 12:10 170736]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mangahelpers.com/downloads/download/513
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 23:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-10-27 23:09
ComboFix-quarantined-files.txt 2009-10-27 23:09
Pre-Run: 147,520,630,784 bytes free
Post-Run: 147,553,476,608 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 3F2002BB36678FA9C5E704812D4FF75F


HJT Log:-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25:57, on 27/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\OEM\OSD_1.4\OsdService.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mangahelpers.com/downloads/download/513
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.thetechguys.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: OSD.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.thetechguys.com
O23 - Service: OSD Service (OsdService) - TODO: <????> - C:\Program Files\OEM\OSD_1.4\OsdService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Virgin Broadband PCguard (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
O23 - Service: Virgin Broadband PCguard SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
--
End of file - 4721 bytes
Cookiegal (Administrator, 63,632 posts; Join Date: Aug 2003; Location: Quebec, Canada) - 27-Oct-2009, 07:52 PM #4
Do you recognize this file that was created on October 5th, 2009?

c:\windows\qeru.com
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 27-Oct-2009, 08:07 PM #5
Not immediately. It was the day before I raised this thread...

The PC is used for online shopping, browsing Manga (Japanese Comic books) and little else.
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 27-Oct-2009, 08:34 PM #6
I'm off to bed now (00:33 here in the UK). I will be back online in around 10 hours. Thanks for your patience.
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 28-Oct-2009, 05:58 AM #7
I do not recognise that file. It is not on my other PC (which does a lot of similar work). I do not recall downloading any files of that name.

It may be that it came when I downloaded a file from a site that has scanned images of Manga (not a torrent, but similar file downloading site). I have read the security advice pages and recognise that this is a highly likely source...
Cookiegal (Administrator, 63,632 posts; Join Date: Aug 2003; Location: Quebec, Canada) - 28-Oct-2009, 06:05 PM #8
Please delete the file then if you don't feel it's something you need.

c:\windows\qeru.com

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________
Microsoft MVP - Consumer Security
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 28-Oct-2009, 09:10 PM #9
I had MBAM loaded, but did a fresh download and update as requested. The scan was very quick and reported no infections found (log below).

Malwarebytes' Anti-Malware 1.41
Database version: 3050
Windows 5.1.2600 Service Pack 3
29/10/2009 01:06:53
mbam-log-2009-10-29 (01-06-53).txt
Scan type: Quick Scan
Objects scanned: 90219
Time elapsed: 3 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Cookiegal (Administrator, 63,632 posts; Join Date: Aug 2003; Location: Quebec, Canada) - 30-Oct-2009, 07:12 PM #10
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

JRE 6 Update 16

Instructions for Kaspersky scan:
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
__________________
Microsoft MVP - Consumer Security
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 31-Oct-2009, 06:12 AM #11
The scan took 2 hours to run. Here is the report;

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 31, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 30, 2009 22:51:54
Records in database: 3106459
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Objects scanned: 38061
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:07:55

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Trojan.Win32.FraudPack.vhx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Infected: Trojan.Win32.FraudPack.vij 1
Selected area has been scanned.
Cookiegal (Administrator, 63,632 posts; Join Date: Aug 2003; Location: Quebec, Canada) - 31-Oct-2009, 02:31 PM #12
Please post a new HijackThis log and let me know how things are now.
StoneAgeMan (Junior Member, 27 posts; Join Date: Jun 2008; Experience: Intermediate) - 31-Oct-2009, 05:44 PM #13
Here is the log. Should I turn on my firewall and anti-virus and go on a surfing spree? I have not been using this PC at all while this thread was "in progress".


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:06, on 31/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Broadband\PCguard\rps.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OEM\OSD_1.4\OsdService.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\OEM\OSD_1.4\osd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mangahelpers.com/downloads/download/513
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.thetechguys.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: OSD.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.thetechguys.com
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OSD Service (OsdService) - TODO: <????> - C:\Program Files\OEM\OSD_1.4\OsdService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Virgin Broadband PCguard (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
O23 - Service: Virgin Broadband PCguard SafeConnectAgent (RadialpointSafeConnectAgent) - Sana Security - C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
--
End of file - 5514 bytes
Cookiegal's Avatar
Administrator with 63,632 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
01-Nov-2009, 04:26 PM #14
Yes indeed you should always turn your security programs back on before going on-line.

You can surf but please don't download any new programs or files unless absolutely necessary (this doesn't include anti-virus program updates).

What can you tell me about this program? I can't find much information about it.

C:\Program Files\OEM\OSD_1.4\OsdService.exe
__________________
Microsoft MVP - Consumer Security
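Cookiegal's question above is the kind of triage a log reviewer does by eye: an O23 service whose vendor field is placeholder text rather than a company name, or an O4 startup entry whose target cannot be resolved, gets a closer look. As an added example (not code from this thread, from HijackThis or from Trend Micro), here is a small Python checker that parses O23 and O4 lines from a constructed excerpt modelled on the log above and flags such entries; the heuristics are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a handful of lines modelled on the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: OSD.lnk = ?
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OSD Service (OsdService) - TODO: <????> - C:\Program Files\OEM\OSD_1.4\OsdService.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
"""

# O23: "Service: <display name> (<service name>) - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")
# O4 registry Run entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# O4 startup-folder shortcuts: "Global Startup: <shortcut> = <target>" ("?" means unresolved)
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$")

# Vendor strings that are placeholders, not a real company name (assumed heuristic list).
PLACEHOLDER_VENDORS = ("todo", "unknown owner", "")


def triage(log_text):
    """Return a list of (section, item, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            vendor = m.group("vendor").strip()
            if vendor.lower().startswith(PLACEHOLDER_VENDORS[0]) or vendor.lower() in PLACEHOLDER_VENDORS:
                findings.append(("O23", m.group("short"), "vendor field is placeholder text: %r" % vendor))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            # A bare file name is resolved through the search order rather than a fixed path.
            if not re.match(r"^[A-Za-z]:\\", cmd):
                findings.append(("O4", m.group("key"), "run entry has no absolute path: %r" % cmd))
            continue
        m = O4_STARTUP_RE.match(line)
        if m and m.group("target").strip() == "?":
            findings.append(("O4", m.group("name"), "startup shortcut target could not be resolved"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(section, item, "-", reason)
```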
StoneAgeMan's Avatar
Junior Member with 27 posts.
 
Join Date: Jun 2008
Experience: Intermediate
02-Nov-2009, 08:20 PM #15
Hi CookieGal. Sorry for my slow replies, I work nights over the weekend.

That file shows the following details:

Created 22/02/2008
Last modified 22/02/08
File type "Application"
Company "TODO"
Description: "TODO"
Product Name: "TODO"
Version: 1.0.0.1

Where it says "Todo" this is followed by some Japanese characters. These translate as something like "definitions", or some normal but technical sounding stuff (according to my mrs, who is Japanese). The dates correspond to when we bought this PC. It is in a directory that includes files that seem to be defining the hotkeys, function keys and onscreen icons that show when the fan is working, when the Caps are on, etc.

I think it is factory-installed software related to the Netbook. In which case, the OSD seems to stand for On-Screen Display, perhaps!

Netbook appears to be still happy.

Last edited by StoneAgeMan : 02-Nov-2009 08:21 PM. Reason: spolling mistek