So, a computer I have here seems to be infected with malware. Neither AVG or malwarebytes picks it up though.

Just as I go to shutdown the computer or restart the comptuer it says "windows is trying to close application" and stuff and the application name up the top is always a random 3 digit hexi-decimal name.

Some examples are 270, B4E and 7B4.

The applications don't show up in task manager and I can't find anything in the startup folder or pretty much anywhere else.

I don't know enough about what I'm doing to do anything else and I'm hoping someone here could give me some advice?

Using XP home 32 bit.

Thanks in advanced :)

Post a HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 22:33:03, on 21/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\AVG\AVG9\avgchsvx.exe
F:\Program Files\AVG\AVG9\avgrsx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\AVG\AVG9\avgcsrvx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Ahead\InCD\InCD.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\VM_STI.EXE
F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
F:\PROGRA~1\AVG\AVG9\avgtray.exe
F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
F:\Program Files\Common Files\Java\Java Update\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Skype\Phone\Skype.exe
F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
F:\Program Files\AVG\AVG9\avgwdsvc.exe
F:\WINDOWS\system32\bgsvcgen.exe
F:\Documents and Settings\Family_Windham\Start Menu\Programs\Startup\taskmgr.exe
F:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\AVG\AVG9\avgnsx.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
F:\Program Files\Trusteer\Rapport\bin\RapportService.exe
F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\Google\Chrome\Application\chrome.exe
F:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - F:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - F:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\s wg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - F:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BigDogPath] F:\WINDOWS\VM_STI.EXE %;USB\VID_0AC8&PID_0302.DeviceDesc%
O4 - HKLM\..\Run: [HP Software Update] "F:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] F:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [AVG9_TRAY] F:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NokiaMServer] F:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [NokiaMusic FastStart] "F:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] F:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [ISUSPM] "F:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: BBC iPlayer Desktop.lnk = F:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Startup: taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238101168176
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} (VM_1.VM_Control) - http://downloads.virginmedia.com/CST/ver1/xp_mail.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - F:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - F:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - F:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Update Service (gupdate1c9b2ecb7cff9fa) (gupdate1c9b2ecb7cff9fa) - Unknown owner - F:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - F:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - F:\Program Files\Java\jre6\bin\jqs.exe" -service -config "F:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - F:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - F:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - F:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - F:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe


How's that? First time I've used that :p I don't have to censor anything do I? There's nothing useful there or anything?

Put a check mark next to all of the entries that say either (no file) or (file is missing) at the end...

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Google Update Service (gupdate1c9b2ecb7cff9fa) (gupdate1c9b2ecb7cff9fa) - Unknown owner - F:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - F:\Program Files\Java\jre6\bin\jqs.exe" -service -config "F:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - F:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

... then click the "Fix checked" button. This entry also looks suspicious...

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll

... and this one, which is a CoolWebSearch Ctfmon32 parasite variant:

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe

OK done the fix thingy.
Should I check the other 2 there? AVG and Malwarebytes seemed to ignore them both, not sure what to do.

Leave ctfmon.exe and WPDShServiceObj.dll for the time being, but just be aware of them.

I vote for replacing AVG. Recent versions are big leaking sieves.

replace it with?
This machine is an old AMD single core thing with a gig of RAM. I'm not sure of anything better than AVG in terms of efficiency :p

I'm about to restart, will post back if I get the hexi popup!

Nothing would be better than AVG. Just uninstall it, because it is a useless waste of resources :p Then, tell the system user to stay away from less-than-useful sites (my brother goes to "teen chat" emo-crap sites and gets hit with all kinds of drive-by crap). Firefox, AdBlock Plus, and NoScript (or Chrome, AdThwart, and Chrome's built-in Javascript filtering) will go a long way towards preventing future drive-by attacks.

94E and also this one.

85317


I don't think this person has visted anything other than facebook, a motorbike forum, BBC and hotmail though. Not sure how it got infected and I don't really care about future stuff :p Just want it off without re-installing windows...

Hmm, dissables ctfmon thing in msconfig... Seems to be working fine now!

Not deleting the file just incase it wasn't the problem and I need to enable it again.

The pc now seems to be loading a lot quicker though, seems good!
Thanks for the help from all of you :)