Author Topic: Ran a Spy Sweep and found viruses. Please help get rid of!  (Read 41401 times)

abby4567

  • SCF Member
  • **
  • Posts: 26
  • KARMA: 3
Hey everyone! This site looks really helpful, hopefully someone can help me. I ran a Spysweeper search on my computer and found these:
Viruses
Exp/QTP-A
JS/Dload-H
Troj/JSXOr-Gen

Behaviorals
Mal/ObfJS-H
Mal/ObfJS-V

The only signs of these so far are Internet Explorer randomly needing to close (especially when I'm on eBay, which is bad because I run an eBay business) and I've been getting a lot of popups. Also my front USB ports stopped being able to read things, but that could be a coincidence.

These are just the ones on my user account, there are more on the other two. I noticed most other people give a lot more info than this, but I wasn't sure what you'd need, so if anybody can help me I'm willing to tell you anything else you need, of course. Whatever you could tell me would be a great help and thanks in advance!

Samker's Computer Forum - SCforum.info


Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #1 on: 22. December 2007., 07:58:15 »
Hi Abby!

Welcome to SCF Community. :bih:

Don't worry, we will fix this. Now please follow the next instructions so we can do that as soon as possible:

1. Provide us all possible details related to your problems / infection.

2. Run Kaspersky Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & Kaspersky Online Scan


We will wait for your reply (with logs).

Regards,

Samker

P.S.

If you have any additional question ... we are here just ask.  ;)

abby4567

  • SCF Member
  • **
  • Posts: 26
  • KARMA: 3
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #2 on: 22. December 2007., 15:56:01 »
Thank you so much for your response and help. Right now, I am running/downloading Kaspersky and Hijack This. Here's some more detailed info on the problems:

My User Account has the viruses/behaviorals listed in my above post, but there aren't really any immediate effects except for the USB port problems and Internet Explorer randomly giving me the "Internet Explorer has encountered a problem and needs to close..." and then the error report popup. Also, I can't remember if it's mine or my mother's account, but I get a debug error popup and I always press "No" to the debug because it tends to freeze the computer.

My Mom's User Account has these viruses:
EXP/QTP-A
Troj/Decdec-A

Behavioral
Mal/ObfJS-H

My Dad's also has two, but his account is password protected and he's not home at the moment, so I can't view his spysweeper, but if it's important I can post them later. I know that on his account, he can't get on eBay without getting the error and internet explorer closing.

That's about all that I know at the moment. After the scans are done, I'll post the reports or logs. Thank you so much for your help and tell me if there's anything else you need to know!

abby4567

  • SCF Member
  • **
  • Posts: 26
  • KARMA: 3
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #3 on: 22. December 2007., 16:14:41 »
I just ran a Kaspersky scan on the 'Critical Areas' and got this:

KASPERSKY ONLINE SCANNER REPORT
Saturday, December 22, 2007 11:10:13 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/12/2007
Kaspersky Anti-Virus database records: 491693

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Abigail\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 14186
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:11:26

Infected Object Name  Virus Name  Last Action
C:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped
C:\WINDOWS\SchedLgU.Txt  Object is locked  skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{85BD5FA2-0641-4292-AF5B-03650B424F17}.bin  Object is locked  skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped
C:\WINDOWS\Sti_Trace.log  Object is locked  skipped
C:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped
C:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped
C:\WINDOWS\system32\config\DEFAULT  Object is locked  skipped
C:\WINDOWS\system32\config\default.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SAM  Object is locked  skipped
C:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped
C:\WINDOWS\system32\config\SECURITY  Object is locked  skipped
C:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SOFTWARE  Object is locked  skipped
C:\WINDOWS\system32\config\software.LOG  Object is locked  skipped
C:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped
C:\WINDOWS\system32\config\SYSTEM  Object is locked  skipped
C:\WINDOWS\system32\config\system.LOG  Object is locked  skipped
C:\WINDOWS\system32\h323log.txt  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped
C:\WINDOWS\Temp\Perflib_Perfdata_75c.dat  Object is locked  skipped
C:\WINDOWS\wiadebug.log  Object is locked  skipped
C:\WINDOWS\wiaservc.log  Object is locked  skipped
C:\WINDOWS\WindowsUpdate.log  Object is locked  skipped

Scan process completed.

So just about everything was locked, I don't know if that's normal or not. I also just ran a scan on the memory and it was free of all malware, so there was no report to give. I'm running one on 'My Computer' now.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #4 on: 22. December 2007., 20:21:33 »
Hi again Abby,

it looks like we will have a lot of work here.  :police:

During this cleaning process we will try to clean your complete PC (all three accounts) and will do that in a few steps.  ;)

Now please also provide us your HijackThis log (this is most important) and please repeat the Kaspersky scan; we need the complete scan log since this partial one doesn't show any infection (it's normal for some files to be locked).

cya later,

Samker


abby4567

  • SCF Member
  • **
  • Posts: 26
  • KARMA: 3
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #5 on: 23. December 2007., 00:26:08 »
Here's my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:22 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\Abigail\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2060909
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2060909
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Joe\LOCALS~1\Temp\2007423171132_mcinfo.exe /insfin
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-21-723105609-1427293594-2646072640-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kim')
O4 - HKUS\S-1-5-21-723105609-1427293594-2646072640-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Kim')
O4 - HKUS\S-1-5-21-723105609-1427293594-2646072640-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Kim')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{11BF03A9-936C-470A-B5D7-1EB2F0CB913F}: NameServer = 166.102.165.13,166.102.165.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{11BF03A9-936C-470A-B5D7-1EB2F0CB913F}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8595 bytes
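A small triage helper for HijackThis logs like the one above, added here as an example; it is not part of the thread, of HijackThis, or of the forum's cleaning procedure. It parses O4 (Run) and O23 (Service) lines and flags the kinds of entries a helper typically asks about first (autoruns launched from a Temp or profile directory, bare filenames that rely on PATH lookup, services with an unknown owner, entries pointing at no file). The flags are review hints, not verdicts; the sample lines are copied from the posted log plus one service line, and the heuristics are the author's own assumptions.

```python
"""Flag HijackThis O4/O23 entries that deserve a closer look.
Added example, not HijackThis code; the rules below are assumptions."""
import re

# Constructed sample: a handful of lines from the posted log (abbreviated).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Joe\LOCALS~1\Temp\2007423171132_mcinfo.exe /insfin
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Path fragments that mark a user-writable temp/profile location (assumption).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def _exe_path(cmd: str) -> str:
    """Return the executable part of a Run command (quotes and args stripped).
    Unquoted paths containing spaces are truncated at the first space; that is
    good enough for the temp-directory check, which only needs the prefix."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def review_hjt(text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs, in log order, for entries worth a second look."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = _exe_path(m.group("cmd"))
            low = exe.lower()
            if any(marker in low for marker in TEMP_MARKERS):
                findings.append(("autorun from temp/profile directory", line))
            elif "\\" not in exe:
                findings.append(("autorun with bare filename (PATH lookup)", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(("service with unknown owner", line))
        if "(no file)" in line:
            findings.append(("orphaned entry pointing at no file", line))
    return findings


if __name__ == "__main__":
    for reason, line in review_hjt(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

On the posted log the only autorun from a temp directory is the `[msci]` entry under the Joe profile; whether it is leftover installer debris or something worse is exactly the kind of question the log is posted to answer.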

abby4567

  • SCF Member
  • **
  • Posts: 26
  • KARMA: 3
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #6 on: 23. December 2007., 00:28:48 »
Hi Samker!

I ran Kaspersky scans for Email and all folders on the C Drive, too, but found no Malware on any of them. I saved them, so if they'll be helpful, I can post them but they just show the blocked items. Which Kaspersky scan should I repeat? All of them or just the Critical? Thanks again!

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #7 on: 23. December 2007., 04:08:23 »
Ok Abby,

it looks like you don't have any AntiVirus installed on your PC, that is extremely dangerous!  :-\

Please follow next instructions:

1. Turn off System Restore
Quote
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

2. Download & Install AVG Anti-Virus (FREE version): http://scforum.info/index.php/topic,108.0.html

3. Download & Install Spybot Search & Destroy AntiSpyWare: http://scforum.info/index.php/topic,1138.0.html

4. Update the virus definitions (for both)

5. Run a full system scan and delete all the files detected (for both).

6. After that, please run another Online AV Scan, this time McAfee ( http://scforum.info/index.php/topic,734.0.html ), and tell us whether it found any infections after all.

7. Provide us a new HJT log

Regards,

Samker

abby4567

  • SCF Member
  • **
  • Posts: 26
  • KARMA: 3
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #8 on: 23. December 2007., 04:16:18 »


Quote
it looks like you don't have any AntiVirus installed on your PC, that is extremely dangerous!  :-\

Before I do the things you posted, I was just wondering: I have Webroot AntiVirus with AntiSpyware. Isn't that an anti-virus? Or no? If not I'll be more than happy to follow your instructions. I just wanted to clarify. Thanks again for your continued help!

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Ran a Spy Sweep and found viruses. Please help get rid of!
« Reply #9 on: 23. December 2007., 04:24:16 »
Webroot is one solid AntiSpyware provider, but in my experience they don't provide good quality AntiVirus tools.

So please uninstall them completely and continue with my earlier instructions.

S.
