Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Can Someone Please Help Me With My Log


  • This topic is locked This topic is locked
8 replies to this topic

#1 JOLYNE

JOLYNE

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 04 May 2007 - 09:20 AM

Im having quite a few issues with my computer, its very slow, takes forever to boot up and crashes all the time and now im getting these pop ups from CiD on a regular basis and its driving me nuts. If anyone could help it would be greatly appreciated!

Here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:08:16 AM, on 04/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Smtray.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Documents and Settings\Owner\Desktop\napster\ITUNES\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://WWW.Yahoo.com/"); (C:\Program Files\Netscape\Users\suestlouis\prefs.js)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Jolyne\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Jolyne\COMPUT~1\SPYBOT\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Jolyne\ROBOFORM\roboform.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-ca\msntb.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Jolyne\ROBOFORM\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-ca\msntb.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Jolyne\downloads\SPYBLOCK\SpyBlocs.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [PCBG] C:\Jolyne\PCSCAN~1\INTRIG~1\pcbodyguard.exe /start
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\startupmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetPumper] "C:\Jolyne\AZUREUS\NETPUMPER\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [Ante readme bold hole] C:\Documents and Settings\All Users\Application Data\Optionsiteantereadme\global 2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Owner\Desktop\napster\ITUNES\iTunesHelper.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKCU\..\Run: [FastInternet] "C:\Jolyne\TOOLS\FAST INTERNET\Fast Internet\FastInternet.exe /Q"
O4 - HKCU\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKCU\..\Run: [FSCBoss] C:\Program Files\FSCBoss\FSCBoss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PlayLog] C:\DOCUME~1\Owner\APPLIC~1\HOLDSI~1\ForkAtom.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Webshots.lnk = C:\WEBSHOTS\Webshots\Launcher.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-ca\bin\WindowsSearch.exe
O8 - Extra context menu item: &Clean Traces - C:\DAP8\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\DAP8\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQ\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-ca\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZCxdm312
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Customize Menu - file://C:\Jolyne\ROBOFORM\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\DAP8\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Jolyne\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with NetPumper - C:\Jolyne\AZUREUS\NETPUMPER\NetPumper\AddUrl.htm
O8 - Extra context menu item: Fill Forms - file://C:\Jolyne\ROBOFORM\RoboFormComFillForms.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Jolyne\GetRight\GRbrowse.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Jolyne\ROBOFORM\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Jolyne\ROBOFORM\RoboFormComSavePass.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Jolyne\ROBOFORM\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Jolyne\ROBOFORM\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Jolyne\ROBOFORM\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Jolyne\ROBOFORM\RoboFormComSavePass.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Jolyne\ROBOFORM\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Jolyne\ROBOFORM\RoboFormComShowToolbar.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Jolyne\POKER\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Jolyne\POKER\PartyPoker.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\PROGRA~1\SYMPAT~1\COMMUN~1\Program\PLUGINS\nppdf32.dll
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.liv...es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...tupv2.0.0.9.cab?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    Advertisements

Register to Remove


#2 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 04 May 2007 - 10:03 AM

Hi, JOLYNEand welcome to Tom Coyote forums

I am currently looking over your log. As I am an Undergraduate, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Thanks for your patience!
dan

#3 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 04 May 2007 - 11:42 PM

Hi, JOLYNE

Your machine is heavily Infected and I believe even if I was able to clean up your system from malware it may not be enough to salvage it.

It appears you have a backdoor trojan on your computer, which could allow any number of Infections into your system, If that is the case your computer is and always will be at risk. I cannot guarantee that we can clean everything and reset all changes that has been done to the computer.
Root kits can be extremely hard to detect, and just as hard to clean out.
You have to think that from this point forward, you can't completely trust your computer. The root kit could be hiding a backdoor trojan.
It could be that it is possible for someone to secretly steal your financial an other sensitive information and do ANYTHING they want with the computer.
The only way to be SURE that the infections and the changes they have done are removed is to reformat and reinstall.
If that is acceptable to you, not only would it be safer, but it would probably be less time consuming to do a reformat than to clean up the computer.
Please read this article that was published by Robin at Castle Cops and you will understand better why this warning and what to do.
Here

Further to the article you are strongly advised to do the following immediately:

1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Also do whatever else that seems appropriate.


Before you decide to reformat you should check that you have all the necessary information and software.

If you decide to continue with a cleanup you should not use this computer for financial or other sensitive transaction.

Let me know what you want to do.

sorry It couldn't be better news

Regards dan

#4 JOLYNE

JOLYNE

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 06 May 2007 - 07:44 PM

Hi dan, Thanks for the help. Reformating is not an option for me right now as there is something wrong with my disk drive and I cant seem to make a boot disk? I dont really do any banking online so I would still really love to have some help with cleaning out my system. I would appreciate any help you could give me. Thanks.

#5 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 07 May 2007 - 11:19 AM

Hi, JOLYNE,
I'm happy to try and help you clean this machine to the best of my ability but I must warn you the Infections that this machine has been exposed to, may well of corrupted many files that even when I have you clean it may not be enough to salvage it.
As long as you have taken that onboard I'm happy to begin with the clean up.

Thanks dan

#6 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 07 May 2007 - 04:47 PM

Hi JOLYNE

You have multiple Infections and you have no protection on this machine. we will put protection in when we have cleared the Infections up.
This may take several posts.

I see that you are using"Download Accelerator Plus". This program has a dubious reputation as you can read Here

A free, and spyware free, alternative is Star Downloader, or one of the other alternatives from Here.

Should you choose to remove it, uninstall it through Control Panel=>Add/Remove Programs.

Download Accelerator Plus from Speedbit. Download manager for resuming downloads, amongst other features. Available via Start -> Programs. Note that the free version is "adware" based


___________

I see from your log your using p2p namely "LimeWire" and "napster"

These programs are very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I strongly recommend that you remove this program from your system.


____________________

Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Posted Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
___________________

Download NoLop.exe to your Desktop.
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log later.
NOTE :
  • If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.
Download "FindAWF"

Save to desktop and run. Output is to awf.txt

If a DOS window does not stay open throughout the search (approx a minute) you need to change how the program runs. Heres how:

1. Locate the file
2. Right-click and select Properties
3. Select Compatibility and select Run this program in compatibility mode for: Windows 98/Windows ME and click OK.
4. The tool should now work.

Please include
New HJT log
SDFix report
NoLop.log
awf.txt
uninstall list

in your next post
Thanks dan

#7 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 09 May 2007 - 11:15 AM

How we doing?

#8 dan12

dan12

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 998 posts
  • Interests:Horse riding, computer's

Posted 12 May 2007 - 09:28 AM

Are you still needing help?

#9 NonSuch

NonSuch

    MRU Administrator

  • MRU Teachers
  • 298 posts
  • MVP

Posted 16 May 2007 - 04:45 PM

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

The Importance of Updating Your System

Microsoft MVP - Consumer Security 2006 - 2015

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users