We’d like to remind Forumites to please avoid political debate on the Forum.

This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
The Forum now has a brand new text editor, adding a bunch of handy features to use when creating posts. Read more in our how-to guide

Malware: Spyware Guard 2008

123457

Comments

  • TheAlex
    TheAlex Posts: 37 Forumite
    I had no luck with S&D BUT I've been plugging away into these early hours and found that if in Safe Mode, I ran the HijackThis installer directly instead of saving it to my PC first, it installed!

    Here is the resulting logfile:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:21:23, on 28/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\DeltTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spyware Guard 2008\spywareguard.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    F:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\winscenter.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Kontiki\KService.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    F:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wuauclt.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
    O2 - BHO: IDMIEHlprObj Class - !!0055C089-8582-441B-A0BF-17B458C2A3A8} - F:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Adobe PDF Reader Link Helper - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - !!53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - !!761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - !!7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IDMan] F:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download All Links with IDM - F:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - F:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: !!17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: !!67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O21 - SSODL: ieModule - {F3C19FFE-22A4-48B5-9CFD-00E3F4165860} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
    O21 - SSODL: InternetConnection - !!925653E2-2CF6-498E-AE9C-90C989B6E19C} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\dgclndlpvp.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HMVDownloadService - HMV Group plc - C:\Program Files\HMV\DigitalDownloads\HMVDownloadService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
    --
    End of file - 8963 bytes

    I've tried to update to XP SP3 recently but I think this bug is stopping me from doing so. Until now I did think the automatic updates would automatically do the business for SP3?

    Perhaps I should also add that I was able to install MalwareBytes using the same method as above, the difference being MalwareBytes won't actually run after it's been installed.
    The Cakes - new release now on Spotify!
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    run hijack again and FIX the following ~
    C:\Program Files\Spyware Guard 2008\spywareguard.exe
    C:\WINDOWS\system32\winscenter.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\twext.exe,
    O2 - BHO: (no name) - !!7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
    O21 - SSODL: ieModule - {F3C19FFE-22A4-48B5-9CFD-00E3F4165860} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
    O21 - SSODL: InternetConnection - !!925653E2-2CF6-498E-AE9C-90C989B6E19C} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\dgclndlpvp.dll
    :idea:
  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    you need to navigate to the malwarebytes directory and rename the exe file to something else , same with hijackthis

    if that does not work then try this:-

    Download

    Jumpstart__C.zip

    Save and extract its contents to your desktop where it will create a new folder....then ignore it while we do the following

    Go to the Control Panel.
    Select System -> Hardware -> Device Manager.
    Select View from the Menu, then "Show hidden Devices".
    Expand "Non Plug and Play Drivers". , Right click on the TDSSserv.sys driver and select Properties, Stop and Disable it.

    You will be asked to restart ,Select No at this time

    Now open the Jumpstart_C folder and double click on the Runme.bat. Disregard any error messages that may flash up

    The Computer will Restart

    it may be the tdssserv rootkit , once you have done the above it may be possible to run mbam
    Ex forum ambassador

    Long term forum member
  • TheAlex
    TheAlex Posts: 37 Forumite
    aliEnRIK wrote: »
    run hijack again and FIX the following ~
    C:\Program Files\Spyware Guard 2008\spywareguard.exe
    C:\WINDOWS\system32\winscenter.exe
    I couldn't see these in the list of things to fix but the other occurrences in your list were there and I was able to stop them in Task Manager (though they still keep reappearing). I've just re-read part of this thread and perhaps I should have restarted my PC straightaway (?) as I then did a scan with MalwareBytes which I was able to open after changing it's filename. I wasn't able to access their website to update the definitions but this is the log:
    Malwarebytes' Anti-Malware 1.31
    Database version: 1456
    Windows 5.1.2600 Service Pack 2

    28/12/2008 17:07:13
    mbam-log-2008-12-28 (17-07-08).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 288779
    Time elapsed: 4 hour(s), 26 minute(s), 50 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 5
    Folders Infected: 4
    Files Infected: 30

    Memory Processes Infected:
    C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.

    Folders Infected:
    C:\Documents and Settings\TheAlex\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> No action taken.

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\TheAlex\Desktop\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> No action taken.
    C:\Documents and Settings\TheAlex\Local Settings\Temp\TDSS7ba6.tmp (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\TheAlex\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> No action taken.
    C:\Documents and Settings\TheAlex\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSShrxm.dll (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> No action taken.
    C:\WINDOWS\system32\TDSSoiqt.dll (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\TDSSvkql.dll (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Trojan.TDSS) -> No action taken.
    C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> No action taken.
    C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> No action taken.
    C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> No action taken.
    C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> No action taken.

    I was also wondering if this should go (from HijackThis scan):
    O16 - DPF: !!17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    ...as I have the go.google.. redirect again. Some sites do suggest removing it.
    The Cakes - new release now on Spotify!
  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    you have not fixed anything with malwarebytes

    run quick scan (will take about 20 minutes) in normal windows mode (not safe mode) and Make sure that everything is checked, and click Remove Selected

    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

    you can do a manual download of the latest definitions from

    http://malwarebytes.gt500.org/database.jsp

    and run the file to update the main Mbam program
    Ex forum ambassador

    Long term forum member
  • TheAlex
    TheAlex Posts: 37 Forumite
    I was just waiting to check it was okay to delete everything so left it open. After removing everything I was able to update MalwareBytes online and access the anti-virus websites again. I then did a Quick Scan which came up with a load more stuff that I've now deleted.

    Things seem to be running smoothly again, so I guess it's just a case of uninstalling unwanted software?

    Do you know if there's any way I can get the drive space back that disappeared?

    Thank you both for your help. :)
    The Cakes - new release now on Spotify!
  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    do another hijackthis scan to be sure it's gone , post the log here

    www.ccleaner.com

    will remove all the junk thats built up

    once I've reviewed the hijackthis log you need to go to

    www.windowsupdate.com

    chose "express" and update to Xp service pack 3

    you may need to go back and update a 2nd time to get all the updates

    then go back a final time , choose "custom" and download all the hardware updates
    Ex forum ambassador

    Long term forum member
  • TheAlex
    TheAlex Posts: 37 Forumite
    Here it is:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:21:15, on 28/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Kontiki\KService.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\DeltTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    F:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    F:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Last.fm\LastFM.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    O2 - BHO: IDMIEHlprObj Class - !!0055C089-8582-441B-A0BF-17B458C2A3A8} - F:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Adobe PDF Reader Link Helper - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - !!53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - !!761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IDMan] F:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download All Links with IDM - F:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - F:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: !!67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HMVDownloadService - HMV Group plc - C:\Program Files\HMV\DigitalDownloads\HMVDownloadService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
    --
    End of file - 8172 bytes
    The Cakes - new release now on Spotify!
  • Browntoa
    Browntoa Posts: 49,620 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    thats looking clean

    just do the windows updates as I suggested

    also update Java as it's well out of date

    http://www.filehippo.com/download_java_runtime/
    Ex forum ambassador

    Long term forum member
  • TheAlex
    TheAlex Posts: 37 Forumite
    All sorted, just CCleaner to go. Something good has come out of this as I thought all Windows updates were automatic before this happened. :)

    I think I may have figured out why my hard-drive space was disappearing; my Dr Watson log was 7.3Gb so I've deleted it and unchecked "Append to Existing Logfile" in it so I hopefully won't get a file so large again.

    I still feel pretty convinced that some data on my slave drive disappeared (I have no evidence apart from that I think there suddenly became a lot more space than there was, do you know if any of the malware could have deleted anything?
    The Cakes - new release now on Spotify!
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 353.6K Banking & Borrowing
  • 254.2K Reduce Debt & Boost Income
  • 455.1K Spending & Discounts
  • 246.6K Work, Benefits & Business
  • 603K Mortgages, Homes & Bills
  • 178.1K Life & Family
  • 260.6K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16K Discuss & Feedback
  • 37.7K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture