WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Hi Jack this log file

Started by Jimb22 , Oct 12 2009 06:38 AM

This topic is locked

12 replies to this topic

#1 Jimb22

New Member

Authentic Member
6 posts

Posted 12 October 2009 - 06:38 AM

My browser, both IE and firefox are hijicked. Here is a copy of the hjt log file. ANy help on what needs to be done?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:10 AM, on 10/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....p;bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [A Verizon App] "C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\Owner\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {8b2f73a2-6d66-4b75-a091-9f6932f867c8} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Unknown owner - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9235 bytes

Advertisements

Register to Remove

#2 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 12 October 2009 - 10:39 AM

Hi Jimb22

Welcome to the What the tech Forums
My name is mschroe919 and I am going to read your log.
I would like to help you So if you would....
Please be patient and I will be back as soon as possible.

Please while I am gone do these steps:

Show hidden files, Here is how:

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

NEXT:

Please download ATF Cleaner by Atribune.

Download it

HERE:

This program is for XP, Windows 2000, Vista
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NEXT:

Malwarebytes' Anti-Malware

HERE

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
post a new [HJT] log and the Malwarebytes' Anti-Malware log

Be sure not to delete anything intill said ok to. also don't run any other cleanup programs till we
get done it may goof ours up.
Also if you have any questions feel fre to ask first.

When you post another rhjt log and the Malwarebytes' Anti-Malware log , let me know how your PC is behavuing

I will be waiting to see new logs

Please stay with us till you pc is clean, cause what may soon look like your pc is doing fine,
a hidden virus shows up.
mschroe919

"The most important thing about goals is having one."

"It is never too soon to be kind, for we never know how soon it will be too late. "

No Man Ever Stands So Tall As When He Stoops To Help A Child

If you wish to show your appreciation, please consider a donation to help keep us online
[url="http://"%20%20<a%20href="http://www.whatthetech.com/donate/""%20target="_blank">http://www.whatthetech.com/donate/"</a>"]Donate Here Please[/url]
Thank You

#3 Jimb22

New Member

Authentic Member
6 posts

Posted 12 October 2009 - 01:42 PM

I followed you instructions. A quick check showed browser was still hijacked. Here is the malware log file, followed by the second hjt log. Thanks.

Malwarebytes' Anti-Malware 1.41
Database version: 2948
Windows 5.1.2600 Service Pack 2

10/12/2009 3:28:49 PM
mbam-log-2009-10-12 (15-28-49).txt

Scan type: Full Scan (C:\|D:\|F:\|H:\|)
Objects scanned: 202384
Time elapsed: 45 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 37
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\3ba493e399df23647b4968681e4173c8 (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\3ba493e399df23647b4968681e4173c8 (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2345a02e11712354bb8bc31fcc7c421f (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4a1a5f4828a205642ab7ecb2930ea1ff (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53b42324f16e1cf4fa090f4cf1c19c1c (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\cc10cef798af494409a2cd428dae583f (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\adwarebot\(default) (Rogue.AdwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\adwarebot\(default) (Rogue.AdwareBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AdwareBot\Log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AdwareBot\Settings (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16 (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16 (Rogue.AdwareBot) -> Files: 755 -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\103.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\121.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\137.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\150.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\161.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\163.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\164.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\165.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\167.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\169.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\170.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\171.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\172.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\200.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\201.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\202.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\208.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\211.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\212.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\341.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\343.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\345.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\347.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\349.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\350.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Quarantine\08-10-2009-20-37-16\351.qit (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Settings (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Application Data\AdwareBot\rs.dat (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AdwareBot\Log\2009 Oct 10 - 08_36_40 PM_109.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AdwareBot\Settings\ScanResults.pie (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\rs.dat (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Log\2009 Oct 08 - 08_35_47 PM_171.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Log\2009 Oct 08 - 08_56_30 PM_328.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Log\2009 Oct 08 - 09_03_20 PM_765.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Log\2009 Oct 08 - 09_16_02 PM_687.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\AdwareBot\Log\2009 Oct 08 - 09_28_43 PM_687.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\AdwareBot.exe (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\AdwareBot.url (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\DataBase.ref (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Program Files\AdwareBot\vistaCPtasks.xml (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareBot\AdwareBot on the Web.lnk (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\AdwareBot\AdwareBot.lnk (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\AdwareBot.lnk (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareBot Scheduled Scan.job (Rogue.AdwareBot) -> Quarantined and deleted successfully.

________________________________________________________________________________
____________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:04 PM, on 10/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....p;bm=ho_central
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Recguard] "C:\WINDOWS\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [A Verizon App] "C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Verizon Custom Uninstall Tracking] C:\DOCUME~1\Owner\LOCALS~1\Temp\InstallHelper.exe /uninstalltrackingvendor=Verizon
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...99/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {8b2f73a2-6d66-4b75-a091-9f6932f867c8} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Unknown owner - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 9238 bytes

#4 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 12 October 2009 - 02:20 PM

A quick check showed browser was still hijacked.

How are you quick checking and is both ie and fire fox both hijacked?
mschroe919

#5 Jimb22

New Member

Authentic Member
6 posts

Posted 12 October 2009 - 05:32 PM

I searched for a website I normally got to and when I click the link in firefox I end up at some generic search site. I uninstalled IE8 out of frustration.

#6 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 12 October 2009 - 06:58 PM

Hi
please read all before doing

Download Combofix from either of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

--------------------------------------------------------------------

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

#7 Jimb22

New Member

Authentic Member
6 posts

Posted 12 October 2009 - 07:49 PM

COMBOFIX IS THE BEES-KNEES!!!

So far so good. I did my quick check (and then some) and no issues yet after running combofix. It was pretty obvious before. Combofix recomended an antivirus scan in safe mode. Do you recommend?

I have a xp laptop that is also slow but isn't hijacked (yet). Can I follow the same preocedure starting with the antimalware check and then follow up with combo fix?

Both machines have up to date avg antivirus installed

I attached the combofix log but here is the cut/paste version.

THANKS SO MUCH!

ComboFix 09-10-12.02 - Owner 10/12/2009 21:26.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2031.1617 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
C:\LOG121.tmp
C:\LOG162.tmp
C:\LOG2.tmp
C:\LOG2A.tmp
C:\LOG3.tmp
C:\LOG4.tmp
C:\LOG5.tmp
C:\LOG5C.tmp
C:\LOG7.tmp
C:\LOG8.tmp
C:\LOG9.tmp
C:\LOG9D.tmp
C:\LOGB3.tmp
c:\recycler\S-1-5-21-2524767196-3132606928-2548482166-1003
c:\windows\system32\_004289_.tmp.dll
c:\windows\system32\_004290_.tmp.dll
c:\windows\system32\_004291_.tmp.dll
c:\windows\system32\_004292_.tmp.dll
c:\windows\system32\_004296_.tmp.dll
c:\windows\system32\_004297_.tmp.dll
c:\windows\system32\_004298_.tmp.dll
c:\windows\system32\_004299_.tmp.dll
c:\windows\system32\_004300_.tmp.dll
c:\windows\system32\_004301_.tmp.dll
c:\windows\system32\_004302_.tmp.dll
c:\windows\system32\_004303_.tmp.dll
c:\windows\system32\_004304_.tmp.dll
c:\windows\system32\_004305_.tmp.dll
c:\windows\system32\_004308_.tmp.dll
c:\windows\system32\_004309_.tmp.dll
c:\windows\system32\_004311_.tmp.dll
c:\windows\system32\_004312_.tmp.dll
c:\windows\system32\_004313_.tmp.dll
c:\windows\system32\_004315_.tmp.dll
c:\windows\system32\_004318_.tmp.dll
c:\windows\system32\_004319_.tmp.dll
c:\windows\system32\_004320_.tmp.dll
c:\windows\system32\_004321_.tmp.dll
c:\windows\system32\_004322_.tmp.dll
c:\windows\system32\_004323_.tmp.dll
c:\windows\system32\_004324_.tmp.dll
c:\windows\system32\_004326_.tmp.dll
c:\windows\system32\_004327_.tmp.dll
c:\windows\system32\_004328_.tmp.dll
c:\windows\system32\_004329_.tmp.dll
c:\windows\system32\_004331_.tmp.dll
c:\windows\system32\_004332_.tmp.dll
c:\windows\system32\_004333_.tmp.dll
c:\windows\system32\_004334_.tmp.dll
c:\windows\system32\_004335_.tmp.dll
c:\windows\system32\_004337_.tmp.dll
c:\windows\system32\_004338_.tmp.dll
c:\windows\system32\_004339_.tmp.dll
c:\windows\system32\_004340_.tmp.dll
c:\windows\system32\_004341_.tmp.dll
c:\windows\system32\_004342_.tmp.dll
c:\windows\system32\_004343_.tmp.dll
c:\windows\system32\_004345_.tmp.dll
c:\windows\system32\_004346_.tmp.dll
c:\windows\system32\_004347_.tmp.dll
c:\windows\system32\_004348_.tmp.dll
c:\windows\system32\_004349_.tmp.dll
c:\windows\system32\_004350_.tmp.dll
c:\windows\system32\_004352_.tmp.dll
c:\windows\system32\_004355_.tmp.dll
c:\windows\system32\_004356_.tmp.dll
c:\windows\system32\_004360_.tmp.dll
c:\windows\system32\_004361_.tmp.dll
c:\windows\system32\_004363_.tmp.dll
c:\windows\system32\_004366_.tmp.dll
c:\windows\system32\_004368_.tmp.dll
c:\windows\system32\_004369_.tmp.dll
c:\windows\system32\_004370_.tmp.dll
c:\windows\system32\_004371_.tmp.dll
c:\windows\system32\_004374_.tmp.dll
c:\windows\system32\_004375_.tmp.dll
c:\windows\system32\_004376_.tmp.dll
c:\windows\system32\_004377_.tmp.dll
c:\windows\system32\_004378_.tmp.dll
c:\windows\system32\_004383_.tmp.dll
c:\windows\system32\_004385_.tmp.dll
c:\windows\system32\_004386_.tmp.dll
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
H:\Autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-13 01:03 . 2009-10-13 01:03 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-12 12:30 . 2009-10-12 12:30 -------- d-----w- c:\program files\Trend Micro
2009-10-11 21:56 . 2009-10-11 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-11 19:16 . 2009-10-11 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-11 00:45 . 2009-10-11 00:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AVG Security Toolbar
2009-10-11 00:37 . 2009-10-11 00:37 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-10-11 00:37 . 2009-10-11 00:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-10-11 00:34 . 2009-10-11 00:34 40088 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 23:38 . 2009-10-09 23:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-09 01:11 . 2009-10-09 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-09 01:10 . 2009-10-12 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-09 01:10 . 2009-10-09 01:10 -------- d-----w- c:\program files\Common Files\iS3
2009-10-09 00:40 . 2009-10-09 00:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-08 23:56 . 2009-10-08 23:56 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-10-08 23:56 . 2009-10-08 23:56 -------- d-----w- c:\program files\MSSOAP
2009-10-08 23:56 . 2009-10-08 23:56 -------- d-----w- c:\program files\Webroot
2009-10-08 23:53 . 2009-10-08 23:53 164 ----a-w- c:\windows\install.dat
2009-10-08 21:28 . 2009-10-08 21:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-08 21:27 . 2009-10-08 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 00:04 . 2009-10-07 00:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-29 18:31 . 2009-09-29 18:32 -------- d-----w- c:\program files\DVDFab 6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 22:12 . 2009-10-11 22:12 1832 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-29 19:22 . 2009-01-31 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-29 18:32 . 2009-01-31 01:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso
2009-08-05 09:11 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 12:56 . 2008-08-29 02:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-28 12:56 . 2008-08-29 02:27 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 12:56 . 2008-08-29 02:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-17 18:55 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-29 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-29 2023704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.14.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2006-12-22 598016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-28 12:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/28/2008 10:27 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/28/2008 10:27 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/28/2008 10:27 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2008 10:27 PM 297752]
R3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [6/29/2007 9:05 PM 189312]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [10/2/2002 9:57 AM 13532]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/26/2004 12:12 PM 14336]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/26/2004 12:11 PM 5120]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2005-05-16 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0cgy8wfp.default\
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\0cgy8wfp.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
Notify-dimsntfy - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 21:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2188)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
.
**************************************************************************
.
Completion time: 2009-10-13 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 01:36

Pre-Run: 143,385,161,728 bytes free
Post-Run: 143,230,738,432 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

278 --- E O F --- 2009-10-11 21:58

Attached Files

combofixlog.txt 15.54KB 165 downloads

#8 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 13 October 2009 - 05:12 AM

Hi

yes it is
I would like for you to do one more thing to bne sure it is clean:

Using Internet Explorer, please do a Kaspersky online scan] This scan takes about 60 minutes to complete.

Answer Yes, when prompted to install an ActiveX component.
The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.

Posted Image

Click the Save as Text button to save the file to your desktop and post it in your next reply along with a fresh HijackThis log

* Turn off the real time scanner of any existing antivirus program while performing the online scan

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

As far as running it in safe mode I only sugest that when it won't run in regular mode.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++=======

NOW:
as far as you laptop xp it will be okay to do everyrthing EXCEPT THE COMBOFIX

This couild harm your pc without the proper supervision. As you see I didn't sugest it till I read all of your logs. please don't use it alone you cn do the other stuff and open a new log here and we will look at it to be sure.

I will be waiting for these logs and there will be some more things to do
mschroe919

#9 Jimb22

New Member

Authentic Member
6 posts

Posted 13 October 2009 - 11:04 AM

Ran the kapersky scan per your instructions with no faults found. Here is the log. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Tuesday, October 13, 2009 Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Tuesday, October 13, 2009 15:09:40 Records in database: 2967358 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ H:\ J:\ Scan statistics: Objects scanned: 91192 Threats found: 0 Infected objects found: 0 Suspicious objects found: 0 Scan duration: 02:02:17 No threats found. Scanned area is clean. Selected area has been scanned.

Attached Files

kapersky.txt 858bytes 144 downloads

#10 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 13 October 2009 - 05:30 PM

Hi
as I said there would be more and its all good:

FIRST:

do this first

Posted Image

now that your log is clean. You did great cleaning it up,
pat yourself on the back.

this is my canned all clean speech.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Note you may have some of theses programs allready, if so just a reminder to keep updated.

FIRST:
You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
===================================================================
NEXT:
Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.

1. Change the Download signed ActiveX controls to Prompt
2. Change theDownload unsigned ActiveX controls to Disable
3. Change the Initialise and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.
====================================================================

Use an Anti Virus Software
It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See these links for a listing of some on line & their stand-alone anti virus programs:
If you don't have one here are some of the better AV products.

Symantec/Norton Antivirus: http://www.symantec.com/nav/nav_9xnt/
Kapersky AV: http://www.kaspersky...ne.html?info=25
Nod32 : http://www.nod32.com/home/home.htm
Panda AV: http://www.pandasoftware.com/
McAfee Virusscan: http://us.mcafee.com...e.asp?pkgid=100
AVG Anti-Virus (Free version available) http://www.grisoft.com/

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
============================================================
NEXT:

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
If you don't have one see link below for a free firewall:

ZoneAlarm:
http://www.zonelabs.....jsp?lid=nav_za

Sunbelt Kerio:
http://www.sunbelt-s...e.com/Kerio.cfm

OutPost:
http://www.agnitum.c...ee/download.php
================================================================================

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software

Get the download and tutorial for Spybot S&D here:
http://www.bleepingc...tutorial43.html
=========================================================================

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:

http://www.javacools...areblaster.html
========================================================================

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Happy surfing the net

I only ask one thing....please
Please post back and let us know what you think about our forum, we are all volunteers and would like a little smile.

Good luck and happy net surfing
Mschroe919

#11 Jimb22

New Member

Authentic Member
6 posts

Posted 14 October 2009 - 04:21 PM

This forum is GREAT!!! I'm extremely impressed with how fast replies showed up and ultimatley how fast my problem got fixed. I plan on recommending this site to all my friends. If I have any more problems in the future Whatthetech will be this first place that I go to for help. Thanks Again!!

#12 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 14 October 2009 - 05:59 PM

If your happy I am happy

#13 mschroe919

basic

Visiting Fellow
2,825 posts

Posted 14 October 2009 - 06:09 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Body Background

skin color theme