Machine is a HP Compaq dc5100
Intel(R)
Pentium(R) 4 CPU 2.80GHz
2.79 GHz, 1.99 GB of RAM

Windows XP Pro Service Pack 3.

Boots into windows fine..

But I get pop-ups in Internet Explorer telling me that the PC is infected.. these are not from the current antivirus program, which is AVG..
It appears on the screen that it is scanning the files to search for the virus..
Also, when I click on a link, most of the time it doesn't bring me to the desired location but to another site..

I ran Spybot Search and Destroy, which said it has removed various trojans, but it seems to keep coming back..

uTorrent was installed on the machine but has been uninstalled, and if any content was downloaded it has been deleted.

In msconfig there are a few entries I don't recognise; these are listed below:

pularewi - rundll32.exe"C:\WINDOWS\system32\pularewi.dll",b

janufini - Rundll32.exe"c:\windows\system32\janufini.dll",a

wokufime - rundll32.exe"C:\WINDOWS\system32\wokufime.dll",s

-----------------------------------------------------------------------
So all in all..
-Lots of pop ups
-Misleading links (directed to another site)
-AVG errors; it can't seem to deal with the trojan.. just finds it over and over again
-& entries in startup I don't recognise.

-----------------------------------------------------------------------
Currently installed protection is AVG Free 8.5 and Spybot Search and Destroy

Below is the log requested, and the further 2 logs are attached in zip form.. zipped by WinRAR

Hope you can help





DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 16:58:18.48 on 24/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1527 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Administrator\Desktop\tools and logs\dds\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {456163c0-d581-4c4e-8704-64854649e932} - c:\windows\system32\rukotame.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {02FEA403-7378-4E5F-8624-339880E5D03A} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\mojokase.dll c:\windows\system32\janufini.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\janufini.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\janufini.dll
LSA: Notification Packages = scecli c:\windows\system32\mojokase.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-28 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-28 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-28 298776]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2008-7-25 88960]
S4 MSSQL$MSDE_ARXCIS;MSSQL$MSDE_ARXCIS;c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlservr.exe -smsde_arxcis --> c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlservr.exe -sMSDE_ARXCIS [?]
S4 SQLAgent$MSDE_ARXCIS;SQLAgent$MSDE_ARXCIS;c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlagent.exe -i msde_arxcis --> c:\program files\microsoft sql server\mssql$msde_arxcis\binn\sqlagent.EXE -i MSDE_ARXCIS [?]

=============== Created Last 30 ================

2009-05-23 17:19 153 a------- c:\windows\wininit.ini
2009-05-23 16:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-23 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-29 12:02 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-28 10:54 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-28 10:54 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-28 10:54 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-28 10:54 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-28 10:54 <DIR> --d----- c:\program files\AVG
2009-04-28 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-03-21 15:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 15:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2002-04-16 12:27 5 a--sh--- c:\windows\system32\CdI5T.drv
2008-08-29 10:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 16:59:05.06 ===============
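The msconfig entries and the DDS "Pseudo HJT Report" above point at the same handful of system32 DLLs from several different autostart locations (a Run entry via rundll32, AppInit_DLLs, the SSODL and ShellServiceObject keys, an unnamed BHO and the LSA Notification Packages list). The script below is an added example of mine, not from the thread, from DDS or from any forum helper: it cross-references those two sources, tallies how many autostart locations each module occupies, and scores each one with simple heuristics. The sample lines are constructed copies of the entries in this post (with two benign lines kept to show what is not flagged); the allowlist, the location weights and the "random-looking name" pattern are assumptions made for the example and would need tuning against real logs.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the msconfig entries and DDS lines
# quoted in the post above. The AVG and WPDShServiceObj lines are benign
# controls so the scoring has something it should leave alone.
MSCONFIG_LINES = [
    r'pularewi - rundll32.exe"C:\WINDOWS\system32\pularewi.dll",b',
    r'janufini - Rundll32.exe"c:\windows\system32\janufini.dll",a',
    r'wokufime - rundll32.exe"C:\WINDOWS\system32\wokufime.dll",s',
    r'AVG8_TRAY - c:\progra~1\avg\avg8\avgtray.exe',
]
DDS_LINES = [
    r'BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll',
    r'BHO: {456163c0-d581-4c4e-8704-64854649e932} - c:\windows\system32\rukotame.dll',
    r'AppInit_DLLs: c:\windows\system32\mojokase.dll c:\windows\system32\janufini.dll',
    r'SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll',
    r'SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\janufini.dll',
    r'STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\janufini.dll',
    r'LSA: Notification Packages = scecli c:\windows\system32\mojokase.dll',
]

# Autostart locations that ordinary applications almost never register in;
# a module found there gets extra weight. (Assumed weights, for the example.)
HIGH_VALUE_LOCATIONS = {'AppInit_DLLs', 'SSODL', 'STS', 'LSA'}

# Minimal allowlist of modules expected in this particular log. In practice
# this would come from a signed-file check or a known-good hash set.
KNOWN_GOOD = {'wpdshserviceobj.dll', 'avgssie.dll', 'avgtray.exe'}

# A drive letter, a backslash, then the shortest run up to .dll/.exe.
MODULE_PATH_RE = re.compile(r'[a-z]:\\.*?\.(?:dll|exe)', re.IGNORECASE)
# Heuristic: eight lowercase letters strictly alternating consonant/vowel,
# which is how every unknown DLL name in this thread is shaped.
RANDOM_NAME_RE = re.compile(r'^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.dll$')


def _flag(entry, reason, weight):
    """Record a reason once per module and add its weight to the score."""
    if reason not in entry['reasons']:
        entry['reasons'].add(reason)
        entry['score'] += weight


def analyse(msconfig_lines, dds_lines):
    """Map each non-allowlisted module to the locations it loads from, the
    reasons it looks suspicious, and a summed score."""
    findings = defaultdict(lambda: {'paths': set(), 'locations': set(),
                                    'reasons': set(), 'score': 0})
    entries = [('msconfig-startup', line) for line in msconfig_lines]
    # DDS prefixes each line with its section/key name, e.g. "SSODL: ..."
    entries += [(line.split(':', 1)[0], line) for line in dds_lines]

    for location, line in entries:
        for path in MODULE_PATH_RE.findall(line):
            name = path.rsplit('\\', 1)[-1].lower()
            if name in KNOWN_GOOD:
                continue
            entry = findings[name]
            entry['paths'].add(path.lower())
            if location not in entry['locations']:       # +1 per distinct location
                entry['locations'].add(location)
                entry['score'] += 1
            if location in HIGH_VALUE_LOCATIONS:
                _flag(entry, f'registered in {location}', 2)
            if location == 'BHO' and line.startswith('BHO: {'):
                _flag(entry, 'BHO with no product name', 1)
            if 'rundll32' in line.lower():
                _flag(entry, 'loaded through rundll32', 1)
            if RANDOM_NAME_RE.match(name):
                _flag(entry, 'random-looking 8-letter file name', 2)
    return dict(findings)


def suspicious_modules(findings, threshold=3):
    """Names whose score reaches the (assumed) threshold, sorted for stable output."""
    return sorted(name for name, entry in findings.items()
                  if entry['score'] >= threshold)


if __name__ == '__main__':
    results = analyse(MSCONFIG_LINES, DDS_LINES)
    for name in suspicious_modules(results):
        entry = results[name]
        print(f"{name}: score {entry['score']}, locations {sorted(entry['locations'])}")
        for reason in sorted(entry['reasons']):
            print(f"    - {reason}")
```

The useful signal here is not any single heuristic but the overlap: one DLL (janufini.dll in the sample) sits in a Run entry, AppInit_DLLs, SSODL and STS at once, and another is in both AppInit_DLLs and the LSA Notification Packages list, so the same code is loaded into every process and reloaded on every boot. That is why a scanner that removes one copy sees it "come back", as the poster describes, and why a full log review is needed before deciding what to remove.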
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

Download ResetTeaTimer
  • Save it to your Desktop.
  • Double-click ResetTeaTimer.zip
  • Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.
  • A DOS window will open and close again, this is normal.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------