HJT Log Browser redirects
#1
Posted 16 March 2007 - 08:48 AM
#2
Posted 17 March 2007 - 05:30 AM
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
#3
Posted 17 March 2007 - 10:56 AM
#4
Posted 17 March 2007 - 11:19 AM
AVG
Avast
Please download FindAWF here:
http://noahdfear.gee...com/FindAWF.exe
Save to desktop and run
The output is awf.txt, save the text file to your desktop.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with the contents of awf.txt and a new HijackThis log
#5
Posted 17 March 2007 - 01:47 PM
#6
Posted 17 March 2007 - 02:33 PM
Please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
F:\WINDOWS\system32\bak\lsasss.exe
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please click here
You will be taken to a new post page (at a different forum)
In the subject box put Suspicious files for analysis
Please put your name and email in the relevant boxes. In the message portion, please paste this:
Infected Files for analysis Suspect: SDbot logfile: http://forums.tomcoyote.org/index.php?showtopic=77595
Then, by the attach bar at the bottom, hit 'browse', find this file, and hit OK:
C:\Documents and Settings\User\Desktop\requested-files[date].cab
Then click submit to upload that file. That way our experts can analyse the file
Please post a link to the topic at the other forum as a response to this topic
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.
rem Clear the system/hidden/read-only attributes so the files can be deleted (paths with spaces must be quoted)
attrib -s -h -r "F:\WINDOWS\system32\NILaunch.exe"
attrib -s -h -r "F:\WINDOWS\system32\lsasss.exe"
attrib -s -h -r "F:\Program Files\QuickTime\qttask.exe"
attrib -s -h -r "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
attrib -s -h -r "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
attrib -s -h -r "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
attrib -s -h -r "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
attrib -s -h -r "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
attrib -s -h -r "F:\WINDOWS\system32\bak\lsasss.exe"
rem Delete the files currently sitting at the autostart paths
del /q "F:\WINDOWS\system32\NILaunch.exe"
del /q "F:\WINDOWS\system32\lsasss.exe"
del /q "F:\WINDOWS\system32\bak\lsasss.exe"
del /q "F:\Program Files\QuickTime\qttask.exe"
del /q "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
del /q "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
del /q "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
del /q "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
del /q "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
rem Put the original executables back from the bak folders
copy "F:\WINDOWS\system32\bak\NILaunch.exe" "F:\WINDOWS\system32\NILaunch.exe"
copy "F:\Program Files\QuickTime\bak\qttask.exe" "F:\Program Files\QuickTime\qttask.exe"
copy "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe" "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
copy "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe" "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
copy "F:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
copy "F:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe" "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanup.bat
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll
Then close all windows except HijackThis and click Fix Checked
Use Windows Explorer to find and delete these files:
F:\WINDOWS\System32\lsasss.exe
F:\WINDOWS\geeedd.dll
F:\WINDOWS\SYSTEM32\pxinnit.dll
Restart in normal mode and post a new HijackThis log
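Added example, not part of this thread and not code from FindAWF or the helper above. The cleanup.bat in the post above deletes each autostart executable and copies it back from a `bak` subfolder sitting next to it; the Python script below checks for that layout directly. Given a list of autostart paths (the kind you would lift from O4 lines), it reports every path that has a `bak\<same name>` sibling and whether the two files hash the same, so a reviewer can see at a glance which entries were swapped. The directory tree it scans is constructed in a temporary folder purely so the script runs offline; the file names echo the batch file, the contents are made up.

```python
"""Added example: find autostart executables that have a 'bak' sibling copy."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_siblings(autostart_paths):
    """For every autostart path, look for <dir>/bak/<name> beside it.

    Returns one record per path that has such a sibling:
      same_content  True  - original and bak copy hash equal
                    False - they differ (the original was swapped for something else)
                    None  - the original is missing and only the bak copy remains
    """
    findings = []
    for original in map(Path, autostart_paths):
        backup = original.parent / "bak" / original.name
        if not backup.is_file():
            continue
        same = sha256_of(original) == sha256_of(backup) if original.is_file() else None
        findings.append({"original": str(original), "backup": str(backup), "same_content": same})
    return findings


# Constructed sample tree (not data from the thread): names echo the batch
# file above, contents are made up. Forward slashes keep it portable.
DEMO_FILES = {
    "Program Files/QuickTime/qttask.exe": b"something else entirely",
    "Program Files/QuickTime/bak/qttask.exe": b"original qttask binary",
    "WINDOWS/system32/NILaunch.exe": b"original NILaunch binary",
    "WINDOWS/system32/bak/NILaunch.exe": b"original NILaunch binary",
    "Program Files/Java/bin/jusched.exe": b"original jusched binary",
    "Program Files/Common Files/Real/Update_OB/bak/realsched.exe": b"original realsched binary",
}
DEMO_AUTOSTARTS = [
    "Program Files/QuickTime/qttask.exe",                       # swapped: bak copy differs
    "WINDOWS/system32/NILaunch.exe",                            # bak copy identical
    "Program Files/Java/bin/jusched.exe",                       # no bak copy: not reported
    "Program Files/Common Files/Real/Update_OB/realsched.exe",  # original gone, bak remains
]


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings
    with the temp prefix stripped so the result is stable across hosts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in DEMO_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        findings = find_bak_siblings(str(root / p) for p in DEMO_AUTOSTARTS)
        for f in findings:
            f["original"] = str(Path(f["original"]).relative_to(root))
            f["backup"] = str(Path(f["backup"]).relative_to(root))
    return sorted(findings, key=lambda f: f["original"])


if __name__ == "__main__":
    labels = {True: "bak copy identical", False: "bak copy DIFFERS", None: "original MISSING"}
    for f in demo():
        print(f"{f['original']}: {labels[f['same_content']]} ({f['backup']})")
```

An identical `bak` copy is not proof of anything on its own (installers do leave genuine backups), which is why the script reports the hash comparison rather than deciding for you; the entries worth attention are the ones where the live file differs from its `bak` sibling or is gone altogether.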
#8
Posted 17 March 2007 - 04:44 PM
#9
Posted 17 March 2007 - 05:05 PM
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once the scan is complete, Right Click inside the listbox (white box) and click add more files
- Copy&Paste the entry below into the top box
- F:\WINDOWS\SYSTEM32\pxinnit.dll
- Click Add Files and Click Close Window
- Click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Post back with the vundofix log and a new HijackThis log
#10
Posted 17 March 2007 - 05:50 PM
#11
Posted 18 March 2007 - 05:56 AM
Please follow these steps to remove older version Java components and update.
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version.
Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll (file missing)
Then close all windows except HijackThis and click Fix Checked
Go here to run an online scanner from Kaspersky.
- Click on "Kaspersky Online Scanner"
- A new smaller window will pop up. After reading the contents, press "Accept".
- Now Kaspersky will update the anti-virus database. Let it run.
- Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
- Then click on "My Computer", and the scan will start.
- Once finished, save the log as "KAV.txt" to the desktop.
Post back with the Kaspersky log, a new HijackThis log, and let me know how it's running now
#12
Posted 18 March 2007 - 12:20 PM
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 18, 2007 1:10:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/03/2007
Kaspersky Anti-Virus database records: 282839
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 29243
Number of viruses found: 6
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:24:25
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0131795.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
D:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
E:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SYSTEM Object is locked skipped
F:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
F:\WINDOWS\system32\config\DEFAULT Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\moaupd.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.h skipped
F:\WINDOWS\system32\moaupd.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.b skipped
F:\WINDOWS\system32\moaupd.exe WiseSFX: infected - 2 skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\Debug\oakley.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{855C3863-E10B-4A59-8CE2-276342743C7A}.bin Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Kelly\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp2.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp6.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\History\History.IE5\MSHist012007031820070319\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Kelly\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\ntuser.dat.LOG Object is locked skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129739.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129745.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
I:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe/data0001 Infected: Trojan-Downloader.Win32.Agent.oz skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe NSIS: infected - 1 skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 1:16:22 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Microsoft Office\Office10\EXCEL.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
I:\Program Files\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
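Added example, not from the thread: a small Python parser for the Kaspersky Online Scanner report format posted above. It picks out the "Infected Object Name / Virus Name / Last Action" lines, separates real detections from "Object is locked" noise, tags each detection as a live file, a Temp file or a System Restore snapshot, and cross-checks what it counted against the "Scan Statistics" block (6 viruses, 10 infected objects). SAMPLE_REPORT is an excerpt of the report above (the statistics block, all ten infected lines and four of the locked lines); the three location buckets are my own choice of what a reviewer wants kept apart, not something the scanner reports.

```python
"""Added example: parse a Kaspersky Online Scanner report and cross-check its totals."""
import re
from collections import Counter

# Excerpt of the report posted above: statistics block, the ten infected
# lines, and four representative 'Object is locked' lines.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 29243
Number of viruses found: 6
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:24:25
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0131795.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\moaupd.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.h skipped
F:\WINDOWS\system32\moaupd.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.b skipped
F:\WINDOWS\system32\moaupd.exe WiseSFX: infected - 2 skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\Documents and Settings\Kelly\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp2.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp6.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129739.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129745.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe/data0001 Infected: Trojan-Downloader.Win32.Agent.oz skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe NSIS: infected - 1 skipped
Scan process completed.
"""

# One detail line is "<path> <verdict> skipped"; the verdict is one of:
#   Infected: <name>            a detection (path may include /member for archives)
#   Object is locked            file in use, not scanned
#   <Container>: infected - N   summary line for an archive with N infected members
DETAIL = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<container>\S+): infected - (?P<count>\d+)) skipped$"
)
STAT_VIRUSES = re.compile(r"^Number of viruses found: (\d+)$")
STAT_INFECTED = re.compile(r"^Number of infected objects: (\d+) / (\d+)$")


def classify(path: str) -> str:
    """Assumed buckets: restore-point snapshot, per-user Temp file, or a live file."""
    if "System Volume Information" in path:
        return "restore_point"
    if "\\Temp\\" in path:
        return "temp"
    return "live"


def parse_report(text: str):
    """Return (stats, infected_objects, locked_paths) from the report text."""
    stats = {"reported_viruses": None, "reported_infected": None}
    infected, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := STAT_VIRUSES.match(line)):
            stats["reported_viruses"] = int(m.group(1))
        elif (m := STAT_INFECTED.match(line)):
            stats["reported_infected"] = int(m.group(1))
        elif (m := DETAIL.match(line)):
            path = m.group("path")
            if m.group("name"):
                infected.append({"path": path, "virus": m.group("name"),
                                 "kind": "object", "location": classify(path)})
            elif m.group("container"):
                infected.append({"path": path, "virus": None, "kind": "container",
                                 "members": int(m.group("count")), "location": classify(path)})
            else:
                locked.append(path)
    return stats, infected, locked


def summarize(text: str) -> dict:
    """Recount the detections and say whether they agree with the header totals."""
    stats, infected, locked = parse_report(text)
    names = {o["virus"] for o in infected if o["virus"]}
    return {
        **stats,
        "distinct_viruses": sorted(names),
        "infected_object_count": len(infected),
        "locked_count": len(locked),
        "by_location": dict(Counter(o["location"] for o in infected)),
        "consistent": (len(names) == stats["reported_viruses"]
                       and len(infected) == stats["reported_infected"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The header's "10 infected objects" only reconciles if the two archive summary lines (WiseSFX and NSIS) are counted alongside the eight "Infected:" lines, which is what the parser does. On the excerpt the live-file bucket holds just the three F:\WINDOWS\system32\moaupd.exe entries, the file the next reply singles out; the five restore-point copies live under System Volume Information, where an on-demand scanner cannot delete and which is cleared by turning System Restore off and on again, so "skipped" there is expected rather than a failure.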
#13
Posted 18 March 2007 - 01:22 PM
F:\WINDOWS\system32\moaupd.exe
Download ATF Cleaner by Attribune
- Double-click ATF-Cleaner.exe to run the program.
- Click Main at the top and choose Select All from the list.
- Click the Empty Selected button.
- Click Firefox at the top and choose Select All from the list.
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose Select All from the list.
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:
http://www.adobe.com.../readstep2.html
Post back with a new HijackThis log and let me know how it's running now
#14
Posted 18 March 2007 - 03:42 PM
No more re-directs but IE still initializes real slow and hyperlinks to secondary windows are slow as well. Once things initialize they run at normal speed it's just getting there that is taking time.
Logfile of HijackThis v1.99.1
Scan saved at 4:36:22 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\WINDOWS\System32\msiexec.exe
I:\Program Files\hijackthis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
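Added example, not from the thread: a Python helper that diffs the HijackThis log in this post against the one in post #12 section by section, which is the comparison the helper makes by eye between replies. BEFORE and AFTER are excerpts of those two logs (the lines that differ plus a few that do not); the diff shows the Acrobat 5 BHO replaced by the Reader 8 one, the two new Adobe Reader startup links, and the O12 plugin line gone. It also pulls the DNS servers out of the O17 line, because HijackThis lists those without judging them, and on a machine reported for redirects they are worth confirming against what the ISP or router should be handing out.

```python
"""Added example: diff two HijackThis logs section by section and list O17 DNS servers."""
import re
from collections import defaultdict

ENTRY = re.compile(r"^(O\d+) - (.+)$")
NAMESERVER = re.compile(r"NameServer = ([\d.,]+)")

# Excerpt of the post #12 log (before the Java/Adobe updates).
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
"""

# Excerpt of the post #14 log (after the updates).
AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
"""


def parse_entries(text: str):
    """Group every 'Oxx - ...' line by its section code: {'O4': {entry, ...}, ...}."""
    sections = defaultdict(set)
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            sections[m.group(1)].add(m.group(2))
    return sections


def diff_logs(before_text: str, after_text: str) -> dict:
    """Per section, list entries that appeared and entries that disappeared.
    Sections with no change are left out; keys are ordered O2, O3, ... numerically."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    result = {}
    for sec in sorted(set(before) | set(after), key=lambda s: int(s[1:])):
        added = sorted(after[sec] - before[sec])
        removed = sorted(before[sec] - after[sec])
        if added or removed:
            result[sec] = {"added": added, "removed": removed}
    return result


def nameservers(text: str) -> list:
    """Collect the DNS server addresses listed on O17 lines, in log order of appearance."""
    servers = []
    for entry in sorted(parse_entries(text).get("O17", ())):
        m = NAMESERVER.search(entry)
        if m:
            servers.extend(m.group(1).split(","))
    return servers


if __name__ == "__main__":
    for sec, change in diff_logs(BEFORE, AFTER).items():
        for e in change["removed"]:
            print(f"- {sec} - {e}")
        for e in change["added"]:
            print(f"+ {sec} - {e}")
    print("O17 DNS servers to verify:", ", ".join(nameservers(AFTER)))
```

The diff is on whole entry text, so an entry whose path or name changed shows up as one removal plus one addition (the Acrobat BHO here, same CLSID, new DLL); that is deliberate, since a changed path behind an existing CLSID or Run name is exactly the kind of thing worth a second look.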
#15
Posted 18 March 2007 - 03:53 PM
- Download GMER by GMER from here
- Unzip it to a folder on your desktop
- Double click on gmer.exe to launch GMER
- If asked, allow the gmer.sys driver to load
- If it warns you about rootkit activity and asks if you want to run a scan, click OK
- If you don't get a warning then
- Click the rootkit tab
- Click Scan
- Once the scan has finished, click copy
- Paste the log into notepad using Ctrl+V
- Save it to your desktop as gmerrk.txt
- Click on the >>> tab
- This will open up the rest of the tabs for you
- Click on the Autostart tab
- Click on Scan
- Once the scan has finished, click copy
- Paste the log into notepad using Ctrl+V
- Save it to your desktop as gmerautos.txt
- Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
- Download WinPFind by OldTimer here
- Double click on winpfind.exe to extract it
- Click extract
- Wait for the message "All files have been extracted" and then click OK
- This will create the folder winPFind on your desktop
- Inside that folder is a file called WinPFind.exe
- Double click on that file to launch WinPFind
- This will launch a configuration screen
- Under Driver Services change the selection to Non-Microsoft
- Under File Created Within change the selection to 60 days
- Leave the other settings as they are
- Click Run Scan
- During the scan WinPFind may appear to be not responding, this is normal
- Wait for the scan to finish, this may take several minutes
- A notepad window will open with WinPFind's log.
- Copy and paste the contents of that window here.
- Note: You may need several posts to post the entire log, or it might get cut off
You will probably need several posts to fit all the logs in