> [Resolved] Explorer pages freezing after 5mins...please help
andreas
post Jul 17 2008, 09:44 AM
Post #1


Authentic Member
**

Group: Authentic Member
Posts: 42
Joined: 6-September 07
Member No.: 72,712
Operating System: windows xp pro



My internet pages are stopping/freezing after a few minutes... I have to keep restarting my PC.
Sorry, not sure what the procedure is to ask for help or how it's obtained, but I would deeply appreciate any volunteers.
Please advise.
My HijackThis log file is below...
Many thanks
Andy.T



Logfile of HijackThis v1.99.1
Scan saved at 16:42:53, on 17/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Silvercrest OM1007 driver\KMConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Silvercrest OM1007 driver\KMProcess.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Andreas\Desktop\Hijack This\HijackThis2.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpFree\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.skitodayplease.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE07A3C-C870-4952-98E2-77ED80999B76}: NameServer = 83.146.21.6 212.158.249.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe


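Added example (editor's note; not part of andreas's post, and not a HijackThis or What the Tech tool): a short triage pass over a HijackThis 1.99.1 log of the kind posted above. It pulls out the lines a malware-team helper reads first: autostart (O4) entries that launch from a `bak` folder, Trusted Zone (O15) additions, the configured DNS servers (O17), and entries HijackThis reports as orphaned. SAMPLE_LOG is a constructed excerpt of the first log in this thread; the selection rules and function names are this example's own.

```python
"""Triage of a HijackThis 1.99.1 log (added example, not from the thread)."""
import re

# Constructed excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.skitodayplease.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE07A3C-C870-4952-98E2-77ED80999B76}: NameServer = 83.146.21.6 212.158.249.5
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 body: <hive>\..\Run: [<name>] <command>; the command may be quoted.
O4_BODY = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Yield (section, body) for every 'Oxx - ...' / 'Rx - ...' line."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def command_path(cmd):
    """Executable path from an O4 command: the quoted part if quoted,
    otherwise the first token (arguments such as -atboottime are dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def triage(text):
    """Return the lines worth a second look, grouped by why."""
    report = {"bak_autostarts": [], "trusted_zones": [], "nameservers": [],
              "orphaned": []}
    for sec, body in parse_hjt(text):
        if sec == "O4":
            m = O4_BODY.match(body)
            path = command_path(m.group("cmd")) if m else ""
            # A Run key that launches from a 'bak' directory is the footprint
            # the FindAWF tool in this thread is built around.
            if re.search(r"\\bak\\", path, re.IGNORECASE):
                report["bak_autostarts"].append(path)
        elif sec == "O15":
            # Anything in IE's Trusted Zone runs with relaxed security settings;
            # list it for the user to confirm they added it on purpose.
            report["trusted_zones"].append(body.split(":", 1)[1].strip())
        elif sec == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                report["nameservers"].extend(m.group(1).split())
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            report["orphaned"].append(f"{sec}: {body}")
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

The script only collects; it does not decide. The Trusted Zone domains and the DNS servers are reported so they can be compared with what the user and their ISP expect. The "(file missing)" flag on the two avast! service lines also needs checking on disk before acting on it: the same log lists ashWebSv.exe and ashMaiSv.exe among the running processes, so the path HijackThis failed to resolve (a quoted path followed by "/service") may simply be one it could not parse.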
Tomk
post Jul 20 2008, 11:24 PM
Post #2


Extrication Intern
Group Icon

Group: Malware Team
Posts: 1,652
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Hi andreas, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.



You need to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection. Click here: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
(DO NOT INSTALL SP2 at this time)
andreas
post Jul 21 2008, 10:06 AM
Post #3


Hi TomK
Thank you for offering to help with my reported problem.
OK, SP1a has been applied... I think I have done it properly.
The new log file is below.
Regards
AndyT



Logfile of HijackThis v1.99.1
Scan saved at 17:01:18, on 21/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Silvercrest OM1007 driver\KMConfig.exe
C:\Program Files\Silvercrest OM1007 driver\KMProcess.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Andreas\Desktop\Hijack This\HijackThis2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpFree\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.skitodayplease.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE07A3C-C870-4952-98E2-77ED80999B76}: NameServer = 83.146.21.6 212.158.249.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

Tomk
post Jul 21 2008, 10:58 AM
Post #4


andreas,

FindAWF

Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Copy and paste the contents of the AWF.txt file in your next reply.

andreas
post Jul 21 2008, 11:47 AM
Post #5


Ok TomK......
I think this is what you asked for.
A


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 21/07/2008
The current time is: 18:18:33.70


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LEXMAR~1\BAK

28/03/2003 14:18 57,344 lxbkbmgr.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

23/08/2007 13:18 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

21/06/2007 14:06 1,318,912 SUPERAntiSpyware.exe
1 File(s) 1,318,912 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

29/08/2002 04:41 13,312 ctfmon.exe
09/07/2001 12:50 155,648 NeroCheck.exe
2 File(s) 168,960 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

06/09/2007 11:06 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\COMODO\FIREWALL\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\THOMSON\SPEEDT~1\BAK

26/01/2004 11:38 866,816 Dragdiag.exe
1 File(s) 866,816 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 20:51 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

21/06/2007 11:10 185,896 realsched.exe
1 File(s) 185,896 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 4 Dec 2007 "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
57344 28 Mar 2003 "C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
57344 28 Mar 2003 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
26636 4 Dec 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 23 Aug 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1506544 5 Jun 2008 "C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"
1318912 21 Jun 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
13312 29 Aug 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 29 Aug 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
13312 29 Aug 2002 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\WINDOWS\system32\ctfmon.exe"
26636 4 Dec 2007 "C:\WINDOWS\system32\NeroCheck.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 9 Jul 2001 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\WINDOWS\system32\NeroCheck.exe"
78008 19 Jul 2008 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 6 Sep 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
26636 4 Dec 2007 "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe"
866816 26 Jan 2004 "C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe"
866816 26 Jan 2004 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Thomson\SpeedTouch USB\dragdiag.exe"
39792 11 Jan 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 10 Oct 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
40048 23 Oct 2006 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
185896 29 May 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 21 Jun 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
180269 6 Feb 2007 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Common Files\Real\Update_OB\realsched.exe"


end of report
Tomk
post Jul 21 2008, 11:58 AM
Post #6


andreas,

Fix AWF Infection Step 2
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
QUOTE
"C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
andreas
post Jul 21 2008, 01:04 PM
Post #7


TomK
new file below
A

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 21/07/2008
The current time is: 19:16:42.21


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\LEXMAR~1\BAK

28/03/2003 14:18 57,344 lxbkbmgr.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

23/08/2007 13:18 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

21/06/2007 14:06 1,318,912 SUPERAntiSpyware.exe
1 File(s) 1,318,912 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

29/08/2002 04:41 13,312 ctfmon.exe
09/07/2001 12:50 155,648 NeroCheck.exe
2 File(s) 168,960 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

06/09/2007 11:06 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\COMODO\FIREWALL\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\THOMSON\SPEEDT~1\BAK

26/01/2004 11:38 866,816 Dragdiag.exe
1 File(s) 866,816 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 20:51 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

21/06/2007 11:10 185,896 realsched.exe
1 File(s) 185,896 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

57344 28 Mar 2003 "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
57344 28 Mar 2003 "C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe"
57344 28 Mar 2003 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
286720 23 Aug 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 23 Aug 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1506544 5 Jun 2008 "C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"
1318912 21 Jun 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
13312 29 Aug 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 29 Aug 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
13312 29 Aug 2002 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\WINDOWS\system32\ctfmon.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 9 Jul 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 9 Jul 2001 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\WINDOWS\system32\NeroCheck.exe"
78008 19 Jul 2008 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 6 Sep 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
866816 26 Jan 2004 "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe"
866816 26 Jan 2004 "C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe"
866816 26 Jan 2004 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Thomson\SpeedTouch USB\dragdiag.exe"
39792 10 Oct 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 10 Oct 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
40048 23 Oct 2006 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
185896 21 Jun 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 21 Jun 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
180269 6 Feb 2007 "C:\Documents and Settings\Andreas\Desktop\All Andreas docs\SavedData\Program Files\Common Files\Real\Update_OB\realsched.exe"


end of report
Tomk
post Jul 21 2008, 01:21 PM
Post #8


andreas,

Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
QUOTE
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SUPERAntiSpyware\bak
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4\bak
C:\Program Files\Thomson\SpeedTouch USB\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Before you close FindAWF, Select Option 4 from the menu and press Enter.
When it's finished the tool will return to the main menu.
Press E to close FindAWF.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, click No at the prompt to keep saved passwords.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

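Added example (editor's note; not part of Tomk's posts and not the FindAWF tool itself): the three FindAWF steps used in this thread, written out as a Python routine so the logic behind them is visible. The infection pattern the reports above show is one small executable (26636 bytes, dated 4 Dec 2007) copied over several unrelated autostart programs, with each original parked in a `bak` subfolder. Step 1 lists `bak` folders and hashes each copy against its live sibling; step 2 quarantines the replacement and copies the original back; step 3 removes the `bak` folders, but only once their contents match the live files. The directory tree built by build_sample_tree() is constructed for the demo and is not the poster's machine; the quarantine behaviour and the byte-identical-across-programs check are this example's own additions.

```python
"""AWF-style bak-folder scan, restore and cleanup (added example)."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_bak_dirs(root):
    """Step 1: every directory literally named 'bak' (case-insensitive)."""
    return sorted(os.path.join(d, n) for d, subdirs, _ in os.walk(root)
                  for n in subdirs if n.lower() == "bak")

def scan(root):
    """Step 1 report: bak copies whose live sibling differs, plus groups of
    live files that are byte-identical across unrelated programs."""
    replaced, by_hash = [], defaultdict(list)
    for bak in find_bak_dirs(root):
        for name in os.listdir(bak):
            original = os.path.join(bak, name)
            live = os.path.join(os.path.dirname(bak), name)
            if not os.path.isfile(live):
                continue
            live_hash = sha256_of(live)
            by_hash[live_hash].append(live)
            if live_hash != sha256_of(original):
                replaced.append({"live": live, "original": original})
    # One dropper copied over several autostarts shows up as one hash shared
    # by unrelated programs (qttask, Dragdiag, ...); genuine binaries never do.
    dropper_sets = [p for p in by_hash.values() if len(p) > 1]
    return {"replaced": replaced, "dropper_sets": dropper_sets}

def restore(entries, quarantine):
    """Step 2: move each replacement into quarantine (kept for analysis, not
    deleted), then copy the bak original back over its old path."""
    os.makedirs(quarantine, exist_ok=True)
    for e in entries:
        tag = hashlib.sha1(e["live"].encode()).hexdigest()[:12]
        shutil.move(e["live"], os.path.join(quarantine, tag + ".bin"))
        shutil.copy2(e["original"], e["live"])
    return len(entries)

def remove_bak_dirs(bak_dirs):
    """Step 3: delete a bak folder only when every file in it now matches its
    live sibling (or it is empty), so an un-restored original is never lost."""
    removed = []
    for bak in bak_dirs:
        for name in os.listdir(bak):
            live = os.path.join(os.path.dirname(bak), name)
            if not os.path.isfile(live) or \
                    sha256_of(live) != sha256_of(os.path.join(bak, name)):
                break
        else:
            shutil.rmtree(bak)
            removed.append(bak)
    return removed

def build_sample_tree():
    """Constructed XP-like tree (not the poster's files): two programs hijacked
    by one dropper, one untouched program with a matching bak copy, one empty
    bak folder, mirroring the shapes in the FindAWF reports above."""
    root = tempfile.mkdtemp(prefix="awf_demo_")
    dropper = b"MZ" + b"\x90" * 26634          # 26636 bytes, as in the report
    files = {
        "Program Files/QuickTime/qttask.exe": dropper,
        "Program Files/QuickTime/bak/qttask.exe": b"MZ" + b"Q" * 300,
        "Program Files/Thomson/SpeedTouch USB/Dragdiag.exe": dropper,
        "Program Files/Thomson/SpeedTouch USB/bak/Dragdiag.exe": b"MZ" + b"D" * 500,
        "WINDOWS/system32/ctfmon.exe": b"MZ" + b"C" * 100,
        "WINDOWS/system32/bak/ctfmon.exe": b"MZ" + b"C" * 100,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    os.makedirs(os.path.join(root, "Program Files", "Comodo", "Firewall", "bak"))
    return root

def demo_run():
    """Run the three steps on the sample tree, clean up, return the counts."""
    root = build_sample_tree()
    before = scan(root)
    restored = restore(before["replaced"], os.path.join(root, "quarantine"))
    removed = remove_bak_dirs(find_bak_dirs(root))
    after = scan(root)
    shutil.rmtree(root)
    return {"replaced_before": len(before["replaced"]),
            "dropper_sets": len(before["dropper_sets"]), "restored": restored,
            "bak_removed": len(removed), "replaced_after": len(after["replaced"])}

if __name__ == "__main__":
    print(demo_run())
```

Two design points differ from simply deleting things. The replacement binaries go to a quarantine folder rather than being deleted, because the sample is what lets you confirm what the infection was; and step 3 refuses to remove a `bak` folder whose contents do not match the live file, which is the failure mode that matters if step 2 was skipped or only partly applied. On the poster's machine the ctfmon.exe pair already matched before step 2 (both 13312 bytes), which is the "untouched program with a matching bak copy" case in the sample tree.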
andreas
post Jul 21 2008, 01:37 PM
Post #9


Tomk
Just doing the other downloads now
A

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 21/07/2008
The current time is: 20:24:50.01


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMODO\FIREWALL\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
andreas
post Jul 21 2008, 02:10 PM
Post #10


OK TomK
All done.
The HijackThis file is at the bottom.
PC at present still sluggish with memory, but I will reboot it and see.
Will report back in approx. an hour.
A

Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 1

21:05:22 21/07/2008
mbam-log-7-21-2008 (21-05-22).txt

Scan type: Quick Scan
Objects scanned: 50042
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/unicows.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\unicows.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\unicows.dll (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of HijackThis v1.99.1

Scan saved at 21:06:50, on 21/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe
C:\Program Files\Silvercrest OM1007 driver\KMConfig.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Silvercrest OM1007 driver\KMProcess.exe
C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Illustrator CS\Support Files\Contents\Windows\Illustrator.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Andreas\Desktop\Hijack This\HijackThis2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpFree\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.skitodayplease.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE07A3C-C870-4952-98E2-77ED80999B76}: NameServer = 83.146.21.6 212.158.249.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

Tomk
post Jul 21 2008, 02:50 PM
Post #11


Extrication Intern

Group: Malware Team
Posts: 1,652
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



andreas,

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 4 from the menu and press Enter.
  • When it's finished the tool will return to the main menu.
  • Press E to close FindAWF.


Please provide a new HijackThis log.
andreas
post Jul 21 2008, 03:18 PM
Post #12


Authentic Member



Tomk
I'm sure I did the option 4 command on your last request, but did it again anyway.
OK, here's the new HijackThis log,
thanks
A

Logfile of HijackThis v1.99.1
Scan saved at 22:16:21, on 21/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe
C:\Program Files\Silvercrest OM1007 driver\KMConfig.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Silvercrest OM1007 driver\KMProcess.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andreas\Desktop\Hijack This\HijackThis2.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\SpeedItUpFree\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE07A3C-C870-4952-98E2-77ED80999B76}: NameServer = 83.146.21.6 212.158.249.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

Tomk
post Jul 21 2008, 03:45 PM
Post #13


Extrication Intern



andreas,

Maybe it was just being stubborn. It worked this time.

We must disable certain protection programs that may interfere with our fix:
AVAST
Right-click on the avast! icon in the system tray and choose Stop On-Access Protection.

  • Please open HijackThis and run Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if present):
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

  • Close all programs except for HijackThis.
  • Click on Fix checked
  • A box will pop up asking you if you wish to fix the selected items. Please choose YES.
  • Once it has fixed them, please exit/close HijackThis.


That's all I'm seeing. Maybe you can give it a day and see how things are going. Post back tomorrow and let me know what is happening. If things are good we'll do a couple of housekeeping things and then give you some recommendations. If you are still having problems, I'll see what more I can dig up to do.

Please provide a new HijackThis log when you post back.
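A small triage script, added here as an example and not a tool from this thread or from HijackThis itself, that parses entry lines in the HijackThis log format posted above and flags the classes of entry a helper looks at first: dangling references such as the R3 "(no file)" entry fixed in this post, O15 Trusted Zone entries, O17 NameServer settings, and O20 Winlogon Notify entries with no DLL name. The sample lines are copied from the logs posted in this thread.

```python
import re

# Sample input: a handful of HijackThis v1.99.1 entries copied from the logs
# posted in this thread (not the whole log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.doginhispen.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BE07A3C-C870-4952-98E2-77ED80999B76}: NameServer = 83.146.21.6 212.158.249.5
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O23),
# a " - " separator and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Yield (section, body) for every entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text):
    """Return [(section, reason, body)] for entries worth a closer look.

    This does not decide that an entry is malicious; it only sorts out the
    classes of entry a helper reviews before everything else.
    """
    findings = []
    for section, body in parse_entries(text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "dangling reference: the file it points at is gone", body))
        elif section == "O15":
            findings.append((section, "Trusted Zone entry: IE applies weaker security to this site", body))
        elif section == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            reason = "DNS servers set to %s (confirm they belong to your ISP)" % ", ".join(servers)
            findings.append((section, reason, body))
        elif section == "O20" and body.endswith("\\"):
            findings.append((section, "Winlogon Notify entry without a DLL name", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, body))
```

Entries that are not flagged (the O4 avast! run key here) are simply left out, which is the same "fix only what is listed" discipline the post above asks for.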
andreas
post Jul 21 2008, 03:59 PM
Post #14


Authentic Member



OK Tomk...
all done... but shouldn't avast be reactivated now? As I have no protection with it turned off.
thanks
A


Logfile of HijackThis v1.99.1
Scan saved at 22:56:47, on 21/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Silvercrest OM1007 driver\StartAutorun.exe
C:\Program Files\Silvercrest OM1007 driver\KMConfig.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Silvercrest OM1007 driver\KMProcess.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Silvercrest OM1007 driver\KMWDSrv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andreas\Desktop\Hijack This\HijackThis2.exe

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbr