jta03

Hijackthis log file help

23 posts in this topic

Below is a hijackthis log file. Please let me know if something should be removed. I was having problems with being re-routed when using search engines - I would be re-routed when clicking on a search result. I ran avg, and avast - which found some trojans and viruses. This seemed to solve the above problem. Now, occasionally, when I log on to Yahoo the page looks different from what it should look like. The most apparent difference is the "yahoo" logo is on top of the page, above the search bar. I'm worried that there may be some virus or malware. Also, I would like to know if it is safe to log onto bank accounts or credit card accounts - or if I'm running the risk of having a password stolen due to malware.

 

Thanks.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:23:06 PM, on 1/11/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc

O4 - HKLM\..\Run: [backup Service] backup.svc

O4 - HKLM\..\Run: [sect boob] C:\PROGRA~1\INSIDE~1\store mpeg.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe

O4 - HKLM\..\Run: [j3ISPzpnz.exe] C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe

O4 - HKLM\..\Run: [x8Z6bL0ub.exe] C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe

O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dmvnh.exe] C:\WINDOWS\System32\dmvnh.exe

O4 - HKLM\..\Run: [dmyjx.exe] C:\WINDOWS\System32\dmyjx.exe

O4 - HKLM\..\Run: [dmksg.exe] C:\WINDOWS\System32\dmksg.exe

O4 - HKLM\..\Run: [dmbpm.exe] C:\WINDOWS\System32\dmbpm.exe

O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}: NameServer = 85.255.116.106,85.255.112.73

O17 - HKLM\System\CCS\Services\Tcpip\..\{18D6B080-999B-49EE-B710-1EACE285BCC7}: NameServer = 85.255.116.106,85.255.112.73

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73

O17 - HKLM\System\CS1\Services\Tcpip\..\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}: NameServer = 85.255.116.106,85.255.112.73

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73

O17 - HKLM\System\CS2\Services\Tcpip\..\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}: NameServer = 85.255.116.106,85.255.112.73

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)

O19 - User stylesheet: (file missing)

O20 - AppInit_DLLs: c:\windows\system32\logbj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)

O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)

O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

 

--

End of file - 6209 bytes
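As an added example (not part of the original post and not HijackThis code), here is a small Python triage script that parses log lines in the format above and flags the entry types the cleanup in this thread goes on to deal with: Run-key autoruns that live in a temp directory or have odd names, O17 NameServer overrides, a populated O20 AppInit_DLLs value, and O23 services whose binary is gone. The sample log is constructed from lines in this thread, and `expected_dns` is an assumed parameter for the resolvers the machine is supposed to use.

```python
"""Triage a Trend Micro HijackThis v2.0.2 log for the entry types that the
cleanup in this thread targeted: O4 Run-key autoruns, O17 NameServer
overrides, O20 AppInit_DLLs and O23 services whose binary is missing.
Added example, not part of the original post and not HijackThis code; the
sample log is constructed from lines that appear in the thread, and the
heuristics are a review checklist, not a verdict."""
import re
from typing import FrozenSet, List, Tuple

Finding = Tuple[str, str, str]        # (section, entry, reason)

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>\S.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")
PROGRAM_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed sample: a few lines copied from the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc
O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O20 - AppInit_DLLs: c:\windows\system32\logbj.dll
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def executable_of(cmd: str) -> str:
    """Best-effort extraction of the program path from a raw Run-key value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first program-like extension.
    m = re.match(r"(?i)(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" /")[0]


def check_o4(body: str) -> List[Tuple[str, str]]:
    m = RUN_RE.search(body)
    if not m:                                    # e.g. "Global Startup:" lines
        return []
    exe = executable_of(m.group("cmd"))
    low = exe.lower()
    reasons = []
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("autorun target lives in a temp directory")
    if "\\" not in exe:
        reasons.append("bare file name, resolved through the search path at logon")
    if not low.endswith(PROGRAM_EXTS):
        reasons.append("extension is not a normal program type")
    if "?" in exe:
        reasons.append("'?' in the path: a character HijackThis could not render")
    return [(f"[{m.group('name')}] {exe}", "; ".join(reasons))] if reasons else []


def check_o17(body: str, expected_dns: FrozenSet[str]) -> List[Tuple[str, str]]:
    m = NS_RE.search(body)
    if not m:
        return []
    servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
    unexpected = [s for s in servers if s not in expected_dns]
    if not unexpected:
        return []
    key = body.split(": NameServer")[0]
    return [(key, "hard-coded resolvers not in the expected set: " + ", ".join(unexpected))]


def check_o20(body: str) -> List[Tuple[str, str]]:
    m = APPINIT_RE.match(body)
    if not m:
        return []
    return [(m.group("dlls"), "AppInit_DLLs loads this DLL into every process that loads user32.dll")]


def check_o23(body: str) -> List[Tuple[str, str]]:
    m = SERVICE_RE.match(body)
    if not m or not m.group("path").endswith("(file missing)"):
        return []
    reason = "service registered but its binary is missing"
    if m.group("owner") == "Unknown owner":
        reason += "; no publisher recorded"
    return [(m.group("name"), reason)]


def triage(log_text: str, expected_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return (section, entry, reason) for every line that trips a heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            hits = check_o4(body)
        elif section == "O17":
            hits = check_o17(body, expected_dns)
        elif section == "O20":
            hits = check_o20(body)
        elif section == "O23":
            hits = check_o23(body)
        else:
            hits = []
        findings.extend((section, entry, reason) for entry, reason in hits)
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {entry}\n     -> {reason}")
```

Entries that are quoted with a full path, a normal extension and a real publisher (QuickTime, AVG) pass silently; the point is to surface what a helper reads first, not to replace the review.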


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi,

I would like to know if it is safe to log onto bank accounts or credit card accounts - or if I'm running the risk of having a password stolen due to malware.

Possibly not. Let's get you clean, then I suggest you change some passwords.

 

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

 

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

 

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

 

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

 

jedi


Thank you for your assistance. Please find the requested log files below.

 

 

Username "enduser" - 01/19/2008 9:56:09 [Fixwareout edited 9/01/2007]

 

~~~~~ Prerun check

HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmvnh"

HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmyjx"

HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmksg"

HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmbpm"

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

"nameserver"="85.255.116.106 85.255.112.73" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}

"nameserver"="85.255.116.106,85.255.112.73" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{18D6B080-999B-49EE-B710-1EACE285BCC7}

"nameserver"="85.255.116.106,85.255.112.73" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}

"DhcpNameServer"="85.255.116.106,85.255.112.73" <Value cleared.

 

Successfully flushed the DNS Resolver Cache.

 

 

System was rebooted successfully.

 

~~~~~ Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9AA7792FB718-D31A-3314-2197-31695D7B{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C6CA1BA03E50-75A9-BA44-101F-FFCC456F{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "dyqmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FEF19241A6C1-29DB-16A4-28BD-9BBC945C{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BB455B60F067-CE9B-96C4-B508-4952D257{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F4AB6F0D83D1-2279-C4E4-CA73-CA28D8F5{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}27E88CCD684A-5FFA-3EA4-BE44-39B37E8D{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D93E070FE0BF-9CEB-B634-BF31-A594EF74{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "hnvmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ajfmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xjymd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ylsmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "gskmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "tcgmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "mpbmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "bjemd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xxzmd" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}14D4E08CD2BC-E549-DB84-0682-2B2AB1EC{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}96A56439988F-1898-8194-F4FC-8386C1F5{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2631957B0AB8-3E68-68C4-4393-5C55DA69{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FE3A5E0E4362-D0FA-0F54-A280-CF30FED5{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}310F39BE0DDA-7DE8-6584-A876-E35EC403{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D0F57AA0C9A9-0BCA-0CE4-BE79-5D648846{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B99020261F5A-507A-7064-A761-F6E1391C{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}54C094714090-024B-24C4-0889-3F4F70EC{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B616A3F38B8E-BA89-5BE4-2256-474C4048{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2490776615F8-6E2B-D344-FAB0-64FDD89B{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D68B0BFE3327-9EEB-FD84-D2BA-D1F3B9A5{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4A938E5C07CC-A84B-5E74-41D6-AA564288{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7A4CBC1A5428-D21B-CC64-A846-A97F4E33{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}CA513D921C35-64A8-72F4-8FC5-095A5406{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7315F5573BCF-076B-C1E4-E47C-DCEB8982{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}65CB2B8F3A2C-1C3B-52F4-0E7B-B3337507{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4BEF0D0CD1C4-BF0B-07E4-3D04-A0D06B41{" Deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}52DFA0DA571B-E448-82A4-0918-551409AC{" Deleted

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmqyd.exe" Value deleted

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmfja.exe" Value deleted

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmsly.exe" Value deleted

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmgct.exe" Value deleted

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmejb.exe" Value deleted

....

~~~~~ Misc files.

C:\WINDOWS\System32\kernel32.exe Deleted

....

~~~~~ Checking for older varients.

....

 

~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Taskbar Service"="taskbar.svc"

"Backup Service"="backup.svc"

"sect boob"="C:\\PROGRA~1\\INSIDE~1\\store mpeg.exe"

"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""

"lBJ8.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\lBJ8.exe"

"j3ISPzpnz.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\j3ISPzpnz.exe"

"x8Z6bL0ub.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\x8Z6bL0ub.exe"

"iHP.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\iHP.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""

"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WebCamRT.exe"=""

"Fczrfaap"="C:\\WINDOWS\\System32\\?hkntfs.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it...

~~~~~ End report ~~~~~

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:36:28 AM, on 1/19/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc

O4 - HKLM\..\Run: [backup Service] backup.svc

O4 - HKLM\..\Run: [sect boob] C:\PROGRA~1\INSIDE~1\store mpeg.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe

O4 - HKLM\..\Run: [j3ISPzpnz.exe] C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe

O4 - HKLM\..\Run: [x8Z6bL0ub.exe] C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe

O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)

O19 - User stylesheet: (file missing)

O20 - AppInit_DLLs: c:\windows\system32\logbj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)

O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)

O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

 

--

End of file - 5284 bytes


Hi again,

 

Good, that worked well. OK, next step:

 

Please visit this webpage for instructions for downloading and running ComboFix:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

 

jedi


ComboFix Log - when I ran this, I received the following errors:

1. NirCmd.exe - Application Error. Application failed to initialize properly (0XC0000005)

2. Runtime Error - program c:\CombFix\nircmd.exe R6025. Pure virtual function call.

 

ComboFix 08-01-18.5 - enduser 2008-01-19 14:24:41.1 - NTFSx86

Running from: C:\Documents and Settings\enduser\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\WINDOWS\system32\LDR8.tmp

C:\WINDOWS\system32\LDRA.tmp

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_WINDOWS_MANAGEMENT_SERVICE

 

 

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))

.

 

2008-01-19 14:22 . 2001-08-17 13:49 237,728 --a------ C:\cmldr

2008-01-19 14:22 . 2004-08-13 00:48 194 --a------ C:\Boot.bak

2008-01-19 14:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 14:21 . 2008-01-11 14:21 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-10 13:14 . 2008-01-12 12:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-01-10 13:14 . 2008-01-10 13:14 1,409 --a------ C:\WINDOWS\QTFont.for

2007-12-27 22:15 . 2007-12-27 22:16 <DIR> d-------- C:\Program Files\QuickTime

2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Program Files\Apple Software Update

2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-03 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7

2007-12-28 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2007-12-19 17:38 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7

2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll

2007-10-24 02:33 7,168 ----a-w C:\WINDOWS\cpu.exe

2007-10-24 02:31 7,168 ----a-w C:\Documents and Settings\enduser\1.exe

2004-06-09 21:34 2,103 -c--a-w C:\Documents and Settings\enduser\winupdate.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WebCamRT.exe"="" []

"Fczrfaap"="C:\WINDOWS\System32\?hkntfs.exe" [2001-08-23 07:00 11264]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Taskbar Service"="taskbar.svc" []

"Backup Service"="backup.svc" []

"sect boob"="C:\PROGRA~1\INSIDE~1\store mpeg.exe" [ ]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-01-20 19:47 79448]

"lBJ8.exe"="C:\documents and settings\enduser\local settings\temp\lBJ8.exe" [ ]

"j3ISPzpnz.exe"="C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe" [ ]

"x8Z6bL0ub.exe"="C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe" [ ]

"iHP.exe"="C:\documents and settings\enduser\local settings\temp\iHP.exe" [ ]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 16:21 278528]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:39 579072]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]

"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 07:00 375808]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 20:39 219136]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 19:15:54]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\logbj.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Shell Library Loader]

 

 

R0 DigiFilter;DigiFilter;C:\WINDOWS\System32\drivers\DigiFi~1.sys [2002-06-10 15:17]

 

.

Contents of the 'Scheduled Tasks' folder

"2007-12-28 03:12:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-01-17 08:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-19 14:37:35

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-19 14:40:24 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-19 19:40:09

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:38:25 PM, on 1/19/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc

O4 - HKLM\..\Run: [backup Service] backup.svc

O4 - HKLM\..\Run: [sect boob] C:\PROGRA~1\INSIDE~1\store mpeg.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe

O4 - HKLM\..\Run: [j3ISPzpnz.exe] C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe

O4 - HKLM\..\Run: [x8Z6bL0ub.exe] C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe

O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)

O19 - User stylesheet: (file missing)

O20 - AppInit_DLLs: c:\windows\system32\logbj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)

O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)

O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

 

--

End of file - 5104 bytes


Hi,

 

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

 

File::

C:\WINDOWS\cpu.exe

C:\Documents and Settings\enduser\1.exe

c:\windows\system32\logbj.dll

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Fczrfaap"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Taskbar Service"=-

"Backup Service"=-

"sect boob"=-

"lBJ8.exe"=-

"j3ISPzpnz.exe"=-

"x8Z6bL0ub.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=-

 

Save this as CFScript

 

[Image: CFScript.gif]

 

Referring to the picture above, drag CFScript into ComboFix.exe

 

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

 

jedi


Apparently I do not have notepad. I checked the properties of the notepad icon found under accessories and it listed the target as: C:\WINDOWS\system32\actmovie.exe. Not sure what this is all about. Can I use word instead of notepad?

 

Thanks.


Hi again,

 

Go back to Accessories, find the Notepad shortcut and right-click on it. Select Properties. Under the Shortcut tab delete the contents of the Target box, then type in %SystemRoot%\system32\notepad.exe. Click Apply > OK and close the Properties box. You should now be able to open Notepad. If you can, follow the ComboFix-Do instructions, if not, let me know.

 

jedi


Unfortunately this did not work. I received the following message: "the name '%SystemRoot%\system32\notepad.exe' specified in the Target box is not valid. Make sure the path and file name are correct." Please advise.

 

jta03


Hi again,

 

Go here:

http://www.merijn.org/winfiles.php#notepad.exe

 

and download Notepad for Windows XP. Unzip it, then copy and paste it into C:\Windows folder, and C:\Windows\System32 folder. You should now have a working notepad again. Let me know if you have any problems.

 

jedi


ComboFix Log - I received the following error when running the program: niremd.cfexe - Application Error "The application failed to initialize properly (0xc0000005). Click OK to terminate the application."

 

The program then froze after it automatically rebooted my machine. When closing the program I received the following error: cmd.exe - Application error "The application failed to initialize properly . . ."

 

The program resumed after I manually restarted my computer. After the program finished running I received the niremd.cfexe error again.

 

The following are the requested logs:

 

ComboFix 08-01-18.5 - enduser 2008-01-22 15:58:34.2 - NTFSx86

Running from: C:\Documents and Settings\enduser\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\enduser\Desktop\CFScript.txt

* Created a new restore point

 

FILE

C:\Documents and Settings\enduser\1.exe

C:\WINDOWS\cpu.exe

c:\windows\system32\logbj.dll

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\enduser\1.exe

C:\WINDOWS\cpu.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))

.

 

2008-01-22 15:54 . 2001-08-23 12:00 66,048 --a------ C:\WINDOWS\system32\Notepad.exe

2008-01-19 14:22 . 2001-08-17 13:49 237,728 --a------ C:\cmldr

2008-01-19 14:22 . 2004-08-13 00:48 194 --a------ C:\Boot.bak

2008-01-19 14:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-11 14:21 . 2008-01-11 14:21 <DIR> d-------- C:\Program Files\Trend Micro

2007-12-27 22:15 . 2007-12-27 22:16 <DIR> d-------- C:\Program Files\QuickTime

2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Program Files\Apple Software Update

2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-23 00:04 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7

2008-01-03 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7

2007-12-28 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll

2004-06-09 21:34 2,103 -c--a-w C:\Documents and Settings\enduser\winupdate.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-19_14.39.24.95 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-19 19:20:00 253,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

+ 2008-01-22 20:57:54 253,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT

- 2008-01-19 19:20:00 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-22 20:57:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-19 19:20:01 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

+ 2008-01-22 20:57:55 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT

- 2008-01-19 19:20:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-22 20:57:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-19 19:20:02 3,530,752 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

+ 2008-01-22 20:57:55 3,538,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT

- 2008-01-19 19:20:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-22 20:57:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

- 2001-08-23 12:00:00 66,048 ----a-w C:\WINDOWS\notepad.exe

+ 2001-08-23 17:00:00 66,048 ----a-w C:\WINDOWS\Notepad.exe

- 2008-01-19 19:20:28 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat

+ 2008-01-22 20:58:19 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat

- 2001-08-23 12:00:00 66,048 -c--a-w C:\WINDOWS\system32\dllcache\notepad.exe

+ 2001-08-23 17:00:00 66,048 -c--a-w C:\WINDOWS\system32\dllcache\notepad.exe

- 2007-10-28 20:21:58 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-01-19 21:54:43 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2007-10-28 20:21:58 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-01-19 21:54:43 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WebCamRT.exe"="" []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-01-20 19:47 79448]

"iHP.exe"="C:\documents and settings\enduser\local settings\temp\iHP.exe" [ ]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 16:21 278528]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:39 579072]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]

"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 07:00 375808]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 20:39 219136]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 19:15:54]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Shell Library Loader]

 

 

R0 DigiFilter;DigiFilter;C:\WINDOWS\System32\drivers\DigiFi~1.sys [2002-06-10 15:17]

S2 Winkacd;Winkacd;C:\WINDOWS\System32\Winkacd.exe []

S2 Winkidv;Winkidv;C:\WINDOWS\System32\Winkidv.exe []

S2 Winkxkr;Winkxkr;C:\WINDOWS\System32\Winkxkr.exe []

 

.

Contents of the 'Scheduled Tasks' folder

"2007-12-28 03:12:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-01-17 08:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"

- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-22 19:05:15

Windows 5.1.2600 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-22 19:11:16 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-23 00:07:35

ComboFix2.txt 2008-01-19 19:40:25

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:15:09 PM, on 1/22/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)

O19 - User stylesheet: (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)

O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)

O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

 

--

End of file - 4505 bytes


Hi again,

 

Scan with HiJackThis and put a check in the box next to the following items;

 

F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)

O19 - User stylesheet: (file missing)

O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)

O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)

O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

 

Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

 

Restart.

 

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

 

jedi
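As an added example (not code from this thread, from HijackThis or from any poster), here is a small Python triage script that applies the same reasoning the helper used when picking entries to fix: entries whose target file is gone, services with no identified owner, the AppInit_DLLs hook and the win.ini run= line. The sample lines are copied from the logs above; the rule names and the function names are my own.

```python
"""Triage helper for HijackThis v2 log lines (added example, not part of
HijackThis). It flags the kinds of entries the helper in this thread asked
to have fixed: references to files that no longer exist, O23 services with
an unknown owner, the O20 AppInit_DLLs hook and the F1 win.ini run= line."""
import re

# Constructed sample: lines copied from the first and second HJT logs in the thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
F1 - win.ini: run=fntldr.exe C:\\WINDOWS\\..\\PROGRA~1\\COMMON~1\\MICROS~1\\MSInfo\\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\\windows\\system32\\logbj.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: Winkacd - Unknown owner - C:\\WINDOWS\\System32\\Winkacd.exe (file missing)
"""

# An HJT entry starts with a section code such as R0, F1, O4 or O23, then " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_line(line):
    """Split 'O23 - Service: ...' into (section code, body); None for
    process lists, headers and other non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def triage(line):
    """Return the reasons this entry deserves a look; an empty list means
    none of the thread's rules matched (it does not prove the entry is clean)."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    code, body = parsed
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        # Orphaned hooks and services: nothing to run, but the entry remains.
        reasons.append("references a file that no longer exists")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("service with no identified vendor")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll.
        reasons.append("AppInit_DLLs hook loads a DLL into every GUI process")
    if code == "F1" and "run=" in body:
        reasons.append("win.ini run= autostart")
    return reasons


def triage_log(text):
    """Map each flagged log line to its list of reasons."""
    result = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            result[line.strip()] = reasons
    return result


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```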


Ran HJT as requested. Thanks jta03

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:35:27 PM, on 1/23/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O19 - User stylesheet: (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

--

End of file - 3975 bytes


Hi again,

 

The log looks clean, how is your PC running now?

 

jedi


My PC seems to be running fine and my browser has not been acting up. Is there any software you would recommend to avoid this problem in the future?

 

Thank you for your help!

 

jta03


Bad news. Just after I posted my "PC is fine" reply, I hit the home shortcut and found myself looking at Yahoo's page with the Yahoo logo centered over the search bar. Just in case this is a symptom of something malicious, below is a new logfile:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:50:15 AM, on 1/26/2008

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O19 - User stylesheet: (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

--

End of file - 3923 bytes


Hi again,

 

I can't see anything running, but let's run an on-line scan to see if there are any leftovers:

 

Please do the following:

Run a BitDefender Online scan Here and post the results.

 

jedi


BitDefender scan results:

 

 

BitDefender Online Scanner

Scan report generated at: Sun, Jan 27, 2008 - 10:24:44

 

Scan path: A:\;C:\;D:\;E:\;

 

Statistics

Time 00:59:18

Files 69898

Folders 2819

Boot Sectors 2

Archives 993

Packed Files 4664

 

Results

Identified Viruses 5

Infected Files 5

Suspect Files 0

Warnings 0

Disinfected 0

Deleted Files 5

 

Engines Info

Virus Definitions 977512

Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins 16

Archive plugins 41

Unpack plugins 7

E-mail plugins 6

System plugins 5

 

Scan Settings

First Action Disinfect

Second Action Delete

Heuristics Yes

Enable Warnings Yes

Scanned Extensions *;

Exclude Extensions

Scan Emails Yes

Scan Archives Yes

Scan Packed Yes

Scan Files Yes

Scan Boot Yes

 

Scanned File Status

C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.dll Detected with: Adware.Purityscan.2

C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.dll Disinfection failed

C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.dll Deleted

C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.inf Detected with: Application.Mediatickets.A

C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.inf Deleted

C:\SC2000\Andy\kazaalite_202_b1.zip=>first stage/kazaa_lite_202_english.exe=>(Instyler o)=>(Instyler Module 13) Detected with: Application.Topsearch.B

C:\SC2000\Andy\kazaalite_202_b1.zip=>first stage/kazaa_lite_202_english.exe=>(Instyler o)=>(Instyler Module 13) Deleted

C:\SC2000\Andy\kazaalite_202_b1.zip=>first stage/kazaa_lite_202_english.exe=>(Instyler o) Update failed

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.inf Detected with: Adware.Sbsoft.C

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.inf Deleted

C:\WINDOWS\Downloaded Program Files\ipreg32.inf Detected with: Adware.Inf.A

C:\WINDOWS\Downloaded Program Files\ipreg32.inf Deleted


Hi again,

 

That's picked up a few leftovers, you should be OK now.

 

jedi


You're very welcome. :)


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
