Please checkout Hijack Logs


Speakersrock
05-18-2008, 10:18 AM
Hi all.
I have had a few malware programs on my computer as a result of downloading some dodgy programs recently.

I ran MB and the F-Secure online scanner, and that got rid of about 8 things altogether. Can someone just check that I am okay now please?

Many thanks in advance.

-----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14:22, on 18/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Net Control 2\ncserver.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Net Control 2\ncscc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\vghd\vghd.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\vghd\VirtuaGirl_downloader.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Net Control 2\NetCtl.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NTUserDispatcher] "C:\Program Files\Net Control 2\ncscc.exe" /NTUSER
O4 - HKLM\..\Run: [ImgTask] E:\Imgtask.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1275210071-1123561945-725345543-1136\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1275210071-1123561945-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: VirtuaGirl HD.LNK = C:\Program Files\vghd\vghd.exe
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ArtecUSB\ScanPanel\ScnPanel.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = heavens-end.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF3D7A1C-2404-4023-988C-72B3E412A495}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavens-end.co.uk
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: ACLBDevMon - Unknown owner - C:\Documents and Settings\Administrator\Desktop\aclbdevmon.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Net Control 2 Server (NetControl2Server) - V.A.P. Software - C:\Program Files\Net Control 2\ncserver.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WPS Scanner Service (WPSScannerSvc) - Skyhook Wireless - C:\Program Files\Skyhook Wireless\Wi-Fi Service\WPSScannerSvc.exe

--
End of file - 8965 bytes
---------------------

P.S. Usually, people ask about 'Net Control 2.' This is okay! I know what this is, and it is meant to be on the system :)
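The log above is what helpers read by hand, entry by entry. As an added illustration (not code from the thread or from HijackThis), the script below parses HijackThis entries into their section codes and flags the kinds of lines a reviewer stops at: O2/O23 entries whose file is missing (orphaned registrations), O4 Run entries that name a bare executable with no path, the O10 LSP that HijackThis cannot identify, and an R1 proxy setting. The sample input is quoted verbatim from the posted log; the flags mean "review this", not "this is malware" (for instance, nwprovau.dll is a standard Windows component the tool simply does not recognise).

```python
import re
from dataclasses import dataclass

# Sample input: lines quoted verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://heavens-end.co.uk/intranet/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = \\serv-1:8090
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: 3proxy tiny proxy server (3proxy) - Unknown owner - C:\Documents and Settings\matt.HEAVENS-END\Desktop\3proxy-0.5.3i\bin\3proxy.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# In an O4 registry entry the command follows the bracketed value name.
O4_CMD_RE = re.compile(r"\]\s*(.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, full_line) for each HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def run_target(body):
    """Extract the executable an O4 Run entry points at (None for Startup-folder entries)."""
    m = O4_CMD_RE.search(body)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):            # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Flag entries a reviewer would want to look at; order follows the log."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "R1" and "ProxyServer" in body:
            findings.append(Finding(section, "proxy configured; confirm it is expected", line))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(Finding(section, "BHO registered but its DLL is missing (orphaned entry)", line))
        elif section == "O4":
            target = run_target(body)
            if target is not None and not (":" in target or "\\" in target or target.startswith("%")):
                findings.append(Finding(section, "Run entry with no explicit path; locate the file before trusting it", line))
        elif section == "O10":
            findings.append(Finding(section, "Winsock LSP HijackThis cannot identify; verify the DLL's publisher", line))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service registered but its binary is missing (orphaned entry)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; anything not flagged still needs a reviewer's eye, since the heuristics only cover the entry shapes that appear in this thread's log.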

Scotty
05-18-2008, 11:03 AM
Hi

Did you keep the logs from F-Secure and MBAM?

It's advisable to remove Virtual Girl, which can be done through Add/Remove Programs.
Then delete this folder:
C:\Program Files\vghd

Post the logs if you have them.

MJTech
05-18-2008, 12:22 PM
There are so many startup items. I would use msconfig to disable unused software and also uninstall any p2p applications.

Scotty
05-18-2008, 12:30 PM
All in good time. Best to ensure there is no malware first.

Formermember
05-18-2008, 12:31 PM
...and also uninstall any p2p applications.

Why? :eek:

MJTech
05-18-2008, 12:33 PM
How much legal software can you download there, and do you know how much malware is spread through p2p applications?

Scotty
05-18-2008, 12:49 PM
@MJTech
How much legal software can you download there

Quite a bit actually

and do you know how much malware is spread through p2p applications.

Yes

It's not my job to tell someone how to use their computer, only to advise, and if I see a p2p program I will ask them to not use it during the course of fixing.
Most will continue, that's up to them, and those who become frequent flyers will
find themselves not receiving any assistance anywhere, as all the decent forums are linked and we watch out for those who appear too regularly.

Yes, CastleCops has adopted a policy of insisting p2p programs are removed before help begins, but it was discussed at other forums and the decision taken not to be so stringent.

And please refrain from replying in these topics. It's difficult enough for the user to follow one set of instructions, without being confused by others being thrown in.
Too many forums are bad for that and just make matters worse.

MJTech
05-18-2008, 12:52 PM
sorry for helping.

Speakersrock
05-18-2008, 01:28 PM
Hi Scotty, and MJ (thanks for the advice anyway MJ)

Scotty, Thanks a lot for your response.

Sorry for so long since I was first here, I have been away from the computer all afternoon :(


Lol, yeah, Errmm....Yeah *pulls collar* about VGirl...lol....was only there, I wanted to see exactly what it was....but oddly enough, hadn't got around to getting rid of it just yet!!
I'll go Zap it now. :)

Ermm, unfortunately, I seem to have misplaced the F-Secure scan log (coincidentally, just as it was removing the last of the 8 malware instances it found, Explorer crashed, and killed IE too). With MB, the log screen is empty. There is just absolutely nothing actually logged in it.

Do you want me to run either of them again?


However, I do have a HJT log before running MB, and after, and then after running F-secure too. Would any of those help?

Many thanks for your help.

Scotty
05-18-2008, 04:03 PM
No. You are looking fine. Run MBAM and post the new log.

mylanta
05-18-2008, 04:07 PM
Hi Folks....
The Board has approved Scotty as Security Moderator and I just rushed this designation because I can see that we might need to avoid some difficulties in this thread... that is why he asked several of you to "back down" as multiple responses can send the user all over the place trying to solve issues and prevent progress. There is no other forum where such behavior can ever occur, but we would ask everyone to watch for potential conflicts and if you see Scotty in a thread, let him work the thread alone. We have several others involved with malware U who also may get involved here as well, but they will normally respect each other and only join in if one seems to be away and time would be lost...
Welcome Scotty we appreciate your efforts here at KH!!!!

Speakersrock
05-18-2008, 06:05 PM
Okay, will do and post it asap, thanks a lot. :)

Speakersrock
05-19-2008, 03:57 AM
Hi again, MB run, but the log did not work again. This time it gave an error about not being able to find it, so I searched my system high and low, and I couldn't find it either.

Shall I try uninstalling the program and reinstalling it on another user account, and see if that helps?

Guest110
05-19-2008, 03:59 AM
As Scotty's not about, I'm sure he won't mind if I help you.

Matt, take a look in Settings please and see if you have

'Automatically save and display log file after removal' ticked.

If not, tick it.

http://i96.photobucket.com/albums/l183/blackmirror111/untitled-5.jpg

Speakersrock
05-19-2008, 06:47 AM
Okay, thanks a lot BM.
I'll do that and let it run again!....and post back! :)

Thanks again everyone.

Speakersrock
05-19-2008, 06:53 AM
Okay, just an update (BM already knows): it was ticked, so I'm going to run it again now anyway, and see what happens.

If not I have a theory, which I'll try, and post back then!
Thanks again.

Scotty
05-19-2008, 02:06 PM
Please forgive me, but I have no internet at home for the foreseeable future and I'm struggling with my mum's ancient PC on dial-up. (How did you old timers cope?)

I'm not expecting to see anything major. When you do post back, let me know of any problems you are having too.

Speakersrock
05-19-2008, 03:22 PM
Okay, no worries!
I sympathize with you! :)

Okay, will do. I'm still trying to get the whole log issue sorted, and think I know the problem now. I'll try overnight (need to do some more work now), and post back in the morning. Thanks again.

Speakersrock
05-21-2008, 01:45 PM
Okay!..I have finally got a log from MB!
Hope it's what you wanted to see!

-------------------

Malwarebytes' Anti-Malware 1.12
Database version: 774

Scan type: Quick Scan
Objects scanned: 75299
Time elapsed: 16 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------

Scotty
05-22-2008, 09:39 AM
OK. Just post a new HijackThis log for a final check.

And again, I apologise for my lack of attendance. :(