
Hijackthis log file help


  • This topic is locked
22 replies to this topic

#1 jta03 (Full Member, 11 posts)

Posted 11 January 2008 - 03:04 PM

Below is a HijackThis log file. Please let me know if something should be removed. I was having problems with being re-routed when using search engines: I would be re-routed when clicking on a search result. I ran AVG and Avast, which found some trojans and viruses. This seemed to solve the above problem. Now, occasionally, when I log on to Yahoo the page looks different from what it should look like. The most apparent difference is that the "yahoo" logo is on top of the page, above the search bar. I'm worried that there may be some virus or malware. Also, I would like to know if it is safe to log onto bank accounts or credit card accounts, or if I'm running the risk of having a password stolen due to malware.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:06 PM, on 1/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc
O4 - HKLM\..\Run: [Backup Service] backup.svc
O4 - HKLM\..\Run: [sect boob] C:\PROGRA~1\INSIDE~1\store mpeg.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe
O4 - HKLM\..\Run: [j3ISPzpnz.exe] C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe
O4 - HKLM\..\Run: [x8Z6bL0ub.exe] C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe
O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dmvnh.exe] C:\WINDOWS\System32\dmvnh.exe
O4 - HKLM\..\Run: [dmyjx.exe] C:\WINDOWS\System32\dmyjx.exe
O4 - HKLM\..\Run: [dmksg.exe] C:\WINDOWS\System32\dmksg.exe
O4 - HKLM\..\Run: [dmbpm.exe] C:\WINDOWS\System32\dmbpm.exe
O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{18D6B080-999B-49EE-B710-1EACE285BCC7}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\windows\system32\logbj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)
O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

--
End of file - 6209 bytes
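The log above can be triaged mechanically. The script below is an added example, not part of the thread and not HijackThis or FixWareout code; it applies the checks a helper makes on this kind of log (O4 autostarts running from a temp folder, without a path or with an unprintable character in the path; O17 NameServer entries outside a trusted resolver range; a populated AppInit_DLLs value; O23 services whose binary is missing) to a few lines copied from the log above. The trusted resolver range is a constructed assumption, as is the sample itself.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed assumption: the resolvers this machine is expected to use. In a
# real triage take them from the ISP, the router or the DHCP lease; any other
# NameServer in an O17 line is a DNS redirection until proven otherwise.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.168.1.0/24")]

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")

@dataclass(frozen=True)
class Finding:
    kind: str     # HijackThis section, e.g. "O4"
    subject: str  # entry name, DLL path, resolver list or service name
    reason: str

def _o4_findings(rest: str) -> list[Finding]:
    """Autostart entries (Run keys, startup folder)."""
    m = O4_RE.search(rest)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd").strip()
    # Drop surrounding quotes and arguments so only the program path is judged.
    path = cmd.strip('"').split('"')[0].lower()
    reasons = []
    if "\\temp\\" in path:
        reasons.append("autostart binary lives in a temp folder")
    if "\\" not in path:
        reasons.append("bare filename, located through the search path at boot")
    if "?" in path:
        reasons.append("unprintable character in the path hides the real file name")
    return [Finding("O4", name, r) for r in reasons]

def _o17_findings(rest: str) -> list[Finding]:
    """DNS server overrides under the TCP/IP parameters."""
    m = O17_RE.search(rest)
    if not m:
        return []
    rogue = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue
        if not any(ip in net for net in TRUSTED_RESOLVERS):
            rogue.append(token)
    if not rogue:
        return []
    return [Finding("O17", ",".join(rogue),
                    "resolver outside the expected ranges; every lookup can be redirected")]

def _o20_findings(rest: str) -> list[Finding]:
    """AppInit_DLLs are loaded into every process that links user32.dll."""
    value = rest.split(":", 1)[1].strip() if ":" in rest else ""
    if not value:
        return []
    return [Finding("O20", value, "DLL injected into every GUI process via AppInit_DLLs")]

def _o23_findings(rest: str) -> list[Finding]:
    """Services whose binary is gone: typically leftovers of a partial removal."""
    if "(file missing)" not in rest:
        return []
    service = rest.split(" - ")[0].removeprefix("Service: ")
    return [Finding("O23", service, "service registered but its binary is missing")]

CHECKS = {"O4": _o4_findings, "O17": _o17_findings,
          "O20": _o20_findings, "O23": _o23_findings}

def triage(log_text: str) -> list[Finding]:
    """Run the section-specific checks over every entry line of a HijackThis log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no entries
        check = CHECKS.get(m.group("kind"))
        if check:
            findings.extend(check(m.group("rest")))
    return findings

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc
O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O20 - AppInit_DLLs: c:\windows\system32\logbj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.subject:<32} {f.reason}")
```

The benign QuickTime and Ad-Aware lines produce no finding; the remaining lines each trip exactly one check.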

#2 SWI Support Robot (Helper robot, 23,523 posts)

Posted 14 January 2008 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jedi (Emeritus, 15,830 posts)

Posted 18 January 2008 - 02:31 PM

Hi,

I would like to know if it is safe to log onto bank accounts or credit card accounts - or if I'm running the risk of having a password stolen due to malware.

Possibly not. Let's get you clean, then I suggest you change some passwords.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 jta03 (Full Member, 11 posts)

Posted 19 January 2008 - 11:03 AM

Thank you for your assistance. Please find the requested log files below.


Username "enduser" - 01/19/2008 9:56:09 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmvnh"
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmyjx"
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmksg"
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmbpm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.106 85.255.112.73" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}
"nameserver"="85.255.116.106,85.255.112.73" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{18D6B080-999B-49EE-B710-1EACE285BCC7}
"nameserver"="85.255.116.106,85.255.112.73" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0BF7E233-A55A-487F-A4A3-6C7AC5D8912E}
"DhcpNameServer"="85.255.116.106,85.255.112.73" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9AA7792FB718-D31A-3314-2197-31695D7B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C6CA1BA03E50-75A9-BA44-101F-FFCC456F{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "dyqmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FEF19241A6C1-29DB-16A4-28BD-9BBC945C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BB455B60F067-CE9B-96C4-B508-4952D257{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F4AB6F0D83D1-2279-C4E4-CA73-CA28D8F5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}27E88CCD684A-5FFA-3EA4-BE44-39B37E8D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D93E070FE0BF-9CEB-B634-BF31-A594EF74{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "hnvmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ajfmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xjymd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "ylsmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "gskmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "tcgmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "mpbmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "bjemd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "xxzmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}14D4E08CD2BC-E549-DB84-0682-2B2AB1EC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}96A56439988F-1898-8194-F4FC-8386C1F5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2631957B0AB8-3E68-68C4-4393-5C55DA69{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FE3A5E0E4362-D0FA-0F54-A280-CF30FED5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}310F39BE0DDA-7DE8-6584-A876-E35EC403{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D0F57AA0C9A9-0BCA-0CE4-BE79-5D648846{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B99020261F5A-507A-7064-A761-F6E1391C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}54C094714090-024B-24C4-0889-3F4F70EC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B616A3F38B8E-BA89-5BE4-2256-474C4048{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2490776615F8-6E2B-D344-FAB0-64FDD89B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D68B0BFE3327-9EEB-FD84-D2BA-D1F3B9A5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4A938E5C07CC-A84B-5E74-41D6-AA564288{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7A4CBC1A5428-D21B-CC64-A846-A97F4E33{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}CA513D921C35-64A8-72F4-8FC5-095A5406{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}7315F5573BCF-076B-C1E4-E47C-DCEB8982{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}65CB2B8F3A2C-1C3B-52F4-0E7B-B3337507{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4BEF0D0CD1C4-BF0B-07E4-3D04-A0D06B41{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}52DFA0DA571B-E448-82A4-0918-551409AC{" Deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmqyd.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmfja.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmsly.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmgct.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmejb.exe" Value deleted
....
~~~~~ Misc files.
C:\WINDOWS\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Service"="taskbar.svc"
"Backup Service"="backup.svc"
"sect boob"="C:\\PROGRA~1\\INSIDE~1\\store mpeg.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"lBJ8.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\lBJ8.exe"
"j3ISPzpnz.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\j3ISPzpnz.exe"
"x8Z6bL0ub.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\x8Z6bL0ub.exe"
"iHP.exe"="C:\\documents and settings\\enduser\\local settings\\temp\\iHP.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"=""
"Fczrfaap"="C:\\WINDOWS\\System32\\?hkntfs.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:28 AM, on 1/19/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc
O4 - HKLM\..\Run: [Backup Service] backup.svc
O4 - HKLM\..\Run: [sect boob] C:\PROGRA~1\INSIDE~1\store mpeg.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe
O4 - HKLM\..\Run: [j3ISPzpnz.exe] C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe
O4 - HKLM\..\Run: [x8Z6bL0ub.exe] C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe
O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\windows\system32\logbj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)
O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

--
End of file - 5284 bytes

#5 jedi (Emeritus, 15,830 posts)

Posted 19 January 2008 - 11:26 AM

Hi again,

Good, that worked well. OK, next step:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

jedi

#6 jta03 (Full Member, 11 posts)

Posted 19 January 2008 - 05:02 PM

ComboFix Log - when I ran this, I received the following errors:
1. NirCmd.exe - Application Error. Application failed to initialize properly (0XC0000005)
2. Runtime Error - program c:\CombFix\nircmd.exe R6025. Pure virtual function call.

ComboFix 08-01-18.5 - enduser 2008-01-19 14:24:41.1 - NTFSx86
Running from: C:\Documents and Settings\enduser\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\LDR8.tmp
C:\WINDOWS\system32\LDRA.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINDOWS_MANAGEMENT_SERVICE


((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 14:22 . 2001-08-17 13:49 237,728 --a------ C:\cmldr
2008-01-19 14:22 . 2004-08-13 00:48 194 --a------ C:\Boot.bak
2008-01-19 14:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 14:21 . 2008-01-11 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 13:14 . 2008-01-12 12:56 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-10 13:14 . 2008-01-10 13:14 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-27 22:15 . 2007-12-27 22:16 <DIR> d-------- C:\Program Files\QuickTime
2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-19 17:38 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7
2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-24 02:33 7,168 ----a-w C:\WINDOWS\cpu.exe
2007-10-24 02:31 7,168 ----a-w C:\Documents and Settings\enduser\1.exe
2004-06-09 21:34 2,103 -c--a-w C:\Documents and Settings\enduser\winupdate.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"="" []
"Fczrfaap"="C:\WINDOWS\System32\?hkntfs.exe" [2001-08-23 07:00 11264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Service"="taskbar.svc" []
"Backup Service"="backup.svc" []
"sect boob"="C:\PROGRA~1\INSIDE~1\store mpeg.exe" [ ]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-01-20 19:47 79448]
"lBJ8.exe"="C:\documents and settings\enduser\local settings\temp\lBJ8.exe" [ ]
"j3ISPzpnz.exe"="C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe" [ ]
"x8Z6bL0ub.exe"="C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe" [ ]
"iHP.exe"="C:\documents and settings\enduser\local settings\temp\iHP.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 16:21 278528]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:39 579072]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 07:00 375808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 20:39 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 19:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\logbj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Shell Library Loader]


R0 DigiFilter;DigiFilter;C:\WINDOWS\System32\drivers\DigiFi~1.sys [2002-06-10 15:17]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 03:12:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-17 08:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 14:37:35
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 14:40:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 19:40:09


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:25 PM, on 1/19/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Taskbar Service] taskbar.svc
O4 - HKLM\..\Run: [Backup Service] backup.svc
O4 - HKLM\..\Run: [sect boob] C:\PROGRA~1\INSIDE~1\store mpeg.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [lBJ8.exe] C:\documents and settings\enduser\local settings\temp\lBJ8.exe
O4 - HKLM\..\Run: [j3ISPzpnz.exe] C:\documents and settings\enduser\local settings\temp\j3ISPzpnz.exe
O4 - HKLM\..\Run: [x8Z6bL0ub.exe] C:\documents and settings\enduser\local settings\temp\x8Z6bL0ub.exe
O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Fczrfaap] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: c:\windows\system32\logbj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)
O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

--
End of file - 5104 bytes

#7 jedi (Emeritus, 15,830 posts)

Posted 20 January 2008 - 01:34 PM

Hi,

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
C:\WINDOWS\cpu.exe
C:\Documents and Settings\enduser\1.exe
c:\windows\system32\logbj.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fczrfaap"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Service"=-
"Backup Service"=-
"sect boob"=-
"lBJ8.exe"=-
"j3ISPzpnz.exe"=-
"x8Z6bL0ub.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


Save this as CFScript

[Image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#8 jta03

Posted 20 January 2008 - 09:04 PM

Apparently I do not have notepad. I checked the properties of the notepad icon found under accessories and it listed the target as: C:\WINDOWS\system32\actmovie.exe. Not sure what this is all about. Can I use word instead of notepad?

Thanks.

#9 jedi

Posted 21 January 2008 - 05:10 AM

Hi again,

Go back to Accessories, find the Notepad shortcut and right-click on it. Select Properties. Under the Shortcut tab delete the contents of the Target box, then type in %SystemRoot%\system32\notepad.exe. Click Apply > OK and close the Properties box. You should now be able to open Notepad. If you can, follow the ComboFix-Do instructions, if not, let me know.

jedi

#10 jta03

Posted 21 January 2008 - 09:38 PM

Unfortunately this did not work. I received the following message: "the name '%SystemRoot%\system32\notepad.exe' specified in the Target box is not valid. Make sure the path and file name are correct." Please advise.

jta03

#11 jedi

Posted 22 January 2008 - 10:45 AM

Hi again,

Go here:
http://www.merijn.or...php#notepad.exe

and download Notepad for Windows XP. Unzip it, then copy and paste it into C:\Windows folder, and C:\Windows\System32 folder. You should now have a working notepad again. Let me know if you have any problems.

jedi

#12 jta03

Posted 22 January 2008 - 09:34 PM

ComboFix Log - I received the following error when running the program: niremd.cfexe - Application Error "The application failed to initialize properly (0xc0000005). Click OK to terminate the application."

The program then froze after it automatically rebooted my machine. When closing the program I received the following error: cmd.exe - Application error "The application failed to initialize properly . . ."

The program resumed after I manually restarted my computer. After the program finished running I received the niremd.cfexe error again.

The following are the requested logs:

ComboFix 08-01-18.5 - enduser 2008-01-22 15:58:34.2 - NTFSx86
Running from: C:\Documents and Settings\enduser\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\enduser\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\enduser\1.exe
C:\WINDOWS\cpu.exe
c:\windows\system32\logbj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\enduser\1.exe
C:\WINDOWS\cpu.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 15:54 . 2001-08-23 12:00 66,048 --a------ C:\WINDOWS\system32\Notepad.exe
2008-01-19 14:22 . 2001-08-17 13:49 237,728 --a------ C:\cmldr
2008-01-19 14:22 . 2004-08-13 00:48 194 --a------ C:\Boot.bak
2008-01-19 14:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 14:21 . 2008-01-11 14:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 22:15 . 2007-12-27 22:16 <DIR> d-------- C:\Program Files\QuickTime
2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-27 22:12 . 2007-12-27 22:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 00:04 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7
2008-01-03 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-28 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2004-06-09 21:34 2,103 -c--a-w C:\Documents and Settings\enduser\winupdate.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-19_14.39.24.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-19 19:20:00 253,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 20:57:54 253,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-19 19:20:00 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 20:57:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-19 19:20:01 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 20:57:55 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-19 19:20:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 20:57:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-19 19:20:02 3,530,752 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 20:57:55 3,538,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-19 19:20:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 20:57:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2001-08-23 12:00:00 66,048 ----a-w C:\WINDOWS\notepad.exe
+ 2001-08-23 17:00:00 66,048 ----a-w C:\WINDOWS\Notepad.exe
- 2008-01-19 19:20:28 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2008-01-22 20:58:19 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
- 2001-08-23 12:00:00 66,048 -c--a-w C:\WINDOWS\system32\dllcache\notepad.exe
+ 2001-08-23 17:00:00 66,048 -c--a-w C:\WINDOWS\system32\dllcache\notepad.exe
- 2007-10-28 20:21:58 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-19 21:54:43 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-28 20:21:58 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-19 21:54:43 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2005-01-20 19:47 79448]
"iHP.exe"="C:\documents and settings\enduser\local settings\temp\iHP.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-05-04 16:21 278528]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:39 579072]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2001-08-23 07:00 375808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 20:39 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 19:15:54]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Shell Library Loader]


R0 DigiFilter;DigiFilter;C:\WINDOWS\System32\drivers\DigiFi~1.sys [2002-06-10 15:17]
S2 Winkacd;Winkacd;C:\WINDOWS\System32\Winkacd.exe []
S2 Winkidv;Winkidv;C:\WINDOWS\System32\Winkidv.exe []
S2 Winkxkr;Winkxkr;C:\WINDOWS\System32\Winkxkr.exe []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 03:12:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-17 08:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 19:05:15
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 19:11:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 00:07:35
ComboFix2.txt 2008-01-19 19:40:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:09 PM, on 1/22/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O19 - User stylesheet: (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)
O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)

--
End of file - 4505 bytes

#13 jedi

Posted 23 January 2008 - 02:19 PM

Hi again,

Scan with HiJackThis and put a check in the box next to the following items;

F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)
O19 - User stylesheet: (file missing)
O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)
O23 - Service: Winkidv - Unknown owner - C:\WINDOWS\System32\Winkidv.exe (file missing)
O23 - Service: Winkxkr - Unknown owner - C:\WINDOWS\System32\Winkxkr.exe (file missing)


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

jedi
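Added example, not jedi's method or a tool from this forum: a small Python triage pass that encodes the signals behind the picks in the reply above (targets reported as (no file) or (file missing), the win.ini run= loader, AppInit_DLLs, autostarts from a temp folder, unknown-owner services under System32), run over lines copied from the logs posted in this thread. The heuristic labels are the example's own assumptions, a prompt to look closer rather than a verdict on any file.

```python
"""Heuristic triage of HijackThis (HJT) v2 log entries.

Added example for this thread (not HJT's or the forum's own tooling): it parses
the 'Oxx - ...' lines and reports why an entry deserves a closer look.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: lines copied from the HJT logs posted earlier in this thread.
SAMPLE_LOG = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank",
    # a raw string may not end in a backslash, so the trailing one is appended
    r"F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo" + "\\",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - (no file)",
    r"O19 - User stylesheet: (file missing)",
    r"O20 - AppInit_DLLs: c:\windows\system32\logbj.dll",
    r"O23 - Service: Winkacd - Unknown owner - C:\WINDOWS\System32\Winkacd.exe (file missing)",
    r"O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
]

# HJT entries start with a section tag (R0, F1, O4, O23, ...) followed by ' - '.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
TEMP_DIR_RE = re.compile(r"\\(local settings\\)?temp\\")
SYSTEM32_EXE_RE = re.compile(r"\\system32\\[a-z0-9]+\.exe")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str]


def triage_line(line: str) -> List[str]:
    """Return the reasons one HJT entry deserves a look; an empty list means leave it."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # log header, process list, blank line, etc.
    section, body = m.group("section"), m.group("body").lower()
    reasons: List[str] = []

    # Orphaned entries: the registry still points at something that is gone.
    # Harmless by themselves, but leftovers of a removal and safe to clean up.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("target file missing")

    # win.ini 'run=' is a 16-bit era autostart that current software does not use.
    if section == "F1" and "run=" in body:
        reasons.append("legacy win.ini run= autostart")

    # AppInit_DLLs is loaded into every process that maps user32.dll, so a DLL
    # listed there runs inside the browser, the AV console and everything else.
    if section == "O20" and "appinit_dlls" in body:
        reasons.append("AppInit_DLLs global injection")

    # A Run key that launches straight from a temp folder is a dropper footprint.
    if section == "O4" and TEMP_DIR_RE.search(body):
        reasons.append("autostart from temp folder")

    # Services with no publisher whose binary sits (or claims to sit) in System32.
    if section == "O23" and "unknown owner" in body and SYSTEM32_EXE_RE.search(body):
        reasons.append("unknown-owner service under System32")

    return reasons


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the entries that got a reason."""
    findings: List[Finding] = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            section = ENTRY_RE.match(line.strip()).group("section")
            findings.append(Finding(section, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {', '.join(f.reasons)}\n     {f.line}")
```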

#14 jta03

Posted 23 January 2008 - 08:40 PM

Ran HJT as requested. Thanks jta03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:27 PM, on 1/23/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O19 - User stylesheet: (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3975 bytes

#15 jedi

Posted 24 January 2008 - 11:07 AM

Hi again,

The log looks clean, how is your PC running now?

jedi

#16 jta03

Posted 26 January 2008 - 10:38 AM

My PC seems to be running fine and my browser has not been acting up. Is there any software you would recommend to avoid this problem in the future?

Thank you for your help!

jta03

#17 jta03

Posted 26 January 2008 - 10:50 AM

Bad news. Just after I posted my "PC is fine" reply, I hit the home shortcut and found myself looking at Yahoo's page with the Yahoo logo centered over the search bar. Just in case this is a symptom of something malicious, below is a new logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:15 AM, on 1/26/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [iHP.exe] C:\documents and settings\enduser\local settings\temp\iHP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O19 - User stylesheet: (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3923 bytes

#18 jedi

Posted 26 January 2008 - 01:39 PM

Hi again,

I can't see anything running, but let's run an on-line scan to see if there are any leftovers:

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi

#19 jta03

Posted 27 January 2008 - 10:37 AM

BitDefender scan results:


BitDefender Online Scanner
Scan report generated at: Sun, Jan 27, 2008 - 10:24:44

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time 00:59:18
Files 69898
Folders 2819
Boot Sectors 2
Archives 993
Packed Files 4664

Results
Identified Viruses 5
Infected Files 5
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 5

Engines Info
Virus Definitions 977512
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 16
Archive plugins 41
Unpack plugins 7
E-mail plugins 6
System plugins 5

Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes

Scanned File Status
C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.dll Detected with: Adware.Purityscan.2
C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.dll Disinfection failed
C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.dll Deleted
C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.inf Detected with: Application.Mediatickets.A
C:\Documents and Settings\enduser\My Documents\Lavasoft\backup-20040610-181738-533.inf Deleted
C:\SC2000\Andy\kazaalite_202_b1.zip=>first stage/kazaa_lite_202_english.exe=>(Instyler o)=>(Instyler Module 13) Detected with: Application.Topsearch.B
C:\SC2000\Andy\kazaalite_202_b1.zip=>first stage/kazaa_lite_202_english.exe=>(Instyler o)=>(Instyler Module 13) Deleted
C:\SC2000\Andy\kazaalite_202_b1.zip=>first stage/kazaa_lite_202_english.exe=>(Instyler o) Update failed
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.inf Detected with: Adware.Sbsoft.C
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rundlg32.inf Deleted
C:\WINDOWS\Downloaded Program Files\ipreg32.inf Detected with: Adware.Inf.A
C:\WINDOWS\Downloaded Program Files\ipreg32.inf Deleted

#20 jedi

Posted 27 January 2008 - 01:09 PM

Hi again,

That's picked up a few leftovers, you should be OK now.

jedi

#21 jta03

Posted 28 January 2008 - 08:43 PM

Once again, thank you for all of your help!

jta03

#22 jedi

Posted 29 January 2008 - 03:30 AM

You're very welcome. :)
jedi

#23 jedi

Posted 12 February 2008 - 11:04 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi