Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93104 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Problem, But Don't Know What It Is


  • This topic is locked This topic is locked
12 replies to this topic

#1 BrokenShadow

BrokenShadow

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 27 June 2007 - 12:29 PM

Hello!

I was hoping to get help with this. I normally try to fix things for myself, but i have tried for a long time and i don't know what to do anymore, so hopefully you could help me.

Here is my Log: (I added the pages in the trusted zone myself)

Logfile of HijackThis v1.99.1
Scan saved at 20:28:51, on 27-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Java\jre1.5.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FLLESF~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O15 - Trusted Zone: http://www.mangadownload.net
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.narutomania.com
O15 - Trusted Zone: http://www.tegnebordet.dk
O15 - Trusted Zone: http://www.thewhiteferret.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe


Thanks for your time!

    Advertisements

Register to Remove


#2 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 June 2007 - 02:35 PM

Hello BrokenShadow and welcome to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.


A. There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

c:\windows\system32\cjh.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.


B. You don't appear to be running any anti-virus software

Anti-virus software are programs that detect, clean, and/or erase harmful virus files on a computer. Unchecked, virus files can unintentionally be forwarded to others, and thereby spread infection. Keeping your anti-virus updated is essential.

Please download a free anti-virus software from one these excellent vendors NOW: It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


You don't appear to have a software firewall running

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and instal one of these excellent (and free) products: It is important to note that you should only have one firewall installed at a time.


Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 BrokenShadow

BrokenShadow

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 27 June 2007 - 03:24 PM

Hi Trevuren and thanks for taking your time and helping me :D First i went to the link(jotti) you gave me and made it scan. Apperently it's some sort of malware. Second i tried installing the antivirus as you said, but after i installed it and tried installing the Firewall, it shut down. I forgot to save the information i got. And now my connection on my computer is gone. (I'm on my laptop at the moment, on the same connection) I did some research, and if i close down the antivirus, then the computer doesn't shut down. EDIT: My internet came back on for some reason. This is the result of the link you gave me: File: cjh.dll Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5: 96d273d795688816a89f41178c6485ff Packers detected: - Bit9 reports: Not analyzed yet (more info) Scanner results Scan taken on 27 Jun 2007 21:39:05 (GMT) A-Squared Found Trojan.Win32.Agent.afg AntiVir Found TR/Agent.AOJ.17 ArcaVir Found Trojan.Agent.Afg Avast Found Win32:Agent-HKH AVG Antivirus Found Generic5.ANU BitDefender Found Trojan.Agent.AAEZ ClamAV Found Trojan.Agent-4509 Dr.Web Found Trojan.Netqv F-Prot Antivirus Found W32/Trojan.AKFB F-Secure Anti-Virus Found Trojan.Win32.Agent.afg Fortinet Found W32/NetVQ.QTZ!tr Kaspersky Anti-Virus Found Trojan.Win32.Agent.afg NOD32 Found Win32/Agent.NJJ Norman Virus Control Found nothing Panda Antivirus Found Trj/Spamer.BP Rising Antivirus Found nothing VirusBuster Found nothing VBA32 Found Trojan.Win32.Agent.afg

Edited by BrokenShadow, 27 June 2007 - 03:45 PM.


#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 June 2007 - 03:52 PM

To see what is going on, run HijackThis, produce a scan, copy the scan to some removable media, transfer it to your laptop and please post it.

Good work


Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#5 BrokenShadow

BrokenShadow

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 27 June 2007 - 04:04 PM

Here it is. I don't know if you noticed, but i editted my last post.

Logfile of HijackThis v1.99.1
Scan saved at 00:02:18, on 28-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FLLESF~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cjh.dll
O15 - Trusted Zone: http://www.mangadownload.net
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.narutomania.com
O15 - Trusted Zone: http://www.tegnebordet.dk
O15 - Trusted Zone: http://www.thewhiteferret.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

Edited by BrokenShadow, 27 June 2007 - 04:05 PM.


#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 June 2007 - 04:36 PM

A. Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


B. Download LSPFix and save to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix.
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of cjh.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
  • Restart your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Delete the following file:
    c:\windows\system32\cjh.dll
  • Restart your computer normally and post a new HJT log.

C. Is the following still of any use?

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe


Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#7 BrokenShadow

BrokenShadow

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 27 June 2007 - 05:16 PM

I did what you wrote.... Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 01:10:42, on 28-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FLLESF~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mangadownload.net
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.narutomania.com
O15 - Trusted Zone: http://www.tegnebordet.dk
O15 - Trusted Zone: http://www.thewhiteferret.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe

About C. I used to have an anti-virus program called symantec something, but it went completely haywire so i deleted it

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 27 June 2007 - 06:34 PM

A. Can you get back online with the original computer?

B. 1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

sc SNDSrvc
sc delete SNDSrvc
del delete.bat

3. Save the file as "delete.bat". Make sure to save it with the quotes.

4. Double click delete.bat.

5. Using Windows Explorer (Windows Key + E), locate and delete the following folder and all its content:

c:\Programmer\Fælles filer\Symantec Shared

C. Restart your system

D. Now please try to install one Antivirus and one Firewall as per my previous instructions..

E. When Step D is done, please run HijackThis, produce a log and post it in your reply. Please tell me what your problem actually was/is?

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#9 BrokenShadow

BrokenShadow

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 28 June 2007 - 09:34 AM

My problem is that i loose connection to the internet at random. When i look at the status, it shows that i send information, but that i don't recieve.
( I have other computers on the network, which works just fine) and my computer reboots if i try installing things such as firewalls.

I followed all your steps but the "Delete.bat" Didn't seem to work

Here is the message i got:
C:\Documents and Settings\HP_Ejer\Skrivebord>sc SNDSrvc
*** Unrecognized Command ***
DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.


installed Avast anti-virus, but i couldn't install a firewall. The second i doubleclicked on the installer, my computer rebooted. It did that all the 5 times i tried.

After rebooting it a couple of time, Avast Anti-virus has been starting to act crazy. There were at least a dozen viruses (trojans?)
What should i do with the viruses, that my anti-virus finds?

and i have been swamped by messages from Avast. About 10 windows opens up every time. It happens once every 2 minuts.

The message is: Suspicious Message, There are too many identical emails for the scheduled time. (or something like it... not the best translator in the world :P)

It looks alot like it's spammail.

Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 17:28:31, on 28-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\sc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FLLESF~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mangadownload.net
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.narutomania.com
O15 - Trusted Zone: http://www.tegnebordet.dk
O15 - Trusted Zone: http://www.thewhiteferret.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - c:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe (file missing)

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 28 June 2007 - 10:23 AM

1. Sorry, I made a slight error in the batch file I gave you. Please delete the batch file on your desktop and replace the code with the following:

sc stop SNDSrvc
sc delete SNDSrvc
del delete.bat
exit

Now continue with the instructions pertaining to running this bat file and deleting the folder as explained in my previous post.


2. Once Step #1 is totally completed, please:

Please download this file - combofix.exe by sUBs
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#11 BrokenShadow

BrokenShadow

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 28 June 2007 - 12:57 PM

1. I did everything you said and I deleted the symantec folder.

2.

Combofix log

"HP_Ejer" - 2007-06-28 20:36:10 - ComboFix 07-06-28.4 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
C:\cp1467.nls
Restored copy from - C:\WINDOWS\system32\dllcache\ndis.sys



((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-28 20:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-28 11:12 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-28 11:12 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-28 11:12 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-28 11:12 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-28 11:12 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-28 11:12 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-28 11:12 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-28 01:06 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.THO\NTUSER.DAT
2007-06-28 01:06 <DIR> dr------- C:\DOCUME~1\ADMINI~1.THO\Menuen Start
2007-06-28 01:06 <DIR> dr------- C:\DOCUME~1\ADMINI~1.THO\Foretrukne
2007-06-28 01:06 <DIR> dr------- C:\DOCUME~1\ADMINI~1.THO\Dokumenter
2007-06-28 01:06 <DIR> d--h----- C:\DOCUME~1\ADMINI~1.THO\Skabeloner
2007-06-28 01:06 <DIR> d--h----- C:\DOCUME~1\ADMINI~1.THO\Printere
2007-06-28 01:06 <DIR> d--h----- C:\DOCUME~1\ADMINI~1.THO\Lokale indstillinger
2007-06-28 01:06 <DIR> d--h----- C:\DOCUME~1\ADMINI~1.THO\Andre computere
2007-06-28 01:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.THO\WINDOWS
2007-06-28 01:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.THO\Skrivebord
2007-06-28 01:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.THO\APPLIC~1\Symantec
2007-06-28 01:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.THO\APPLIC~1\SampleView
2007-06-28 01:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.THO\APPLIC~1\Intervideo
2007-06-28 01:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1.THO\APPLIC~1\Apple Computer
2007-06-28 01:03 186,880 --a------ C:\LSPFix.exe
2007-06-27 22:56 <DIR> d-------- C:\Programmer\Alwil Software
2007-06-26 01:21 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-26 01:21 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menuen Start
2007-06-26 01:21 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Foretrukne
2007-06-26 01:21 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Dokumenter
2007-06-26 01:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Skabeloner
2007-06-26 01:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Printere
2007-06-26 01:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Lokale indstillinger
2007-06-26 01:21 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Andre computere
2007-06-26 01:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-26 01:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Skrivebord
2007-06-26 01:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-26 01:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-26 01:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Intervideo
2007-06-26 01:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-06-26 00:35 <DIR> d-------- C:\Programmer\uTorrent


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 10:13:13 -------- d-----w C:\Programmer\Diablo II
2007-06-28 09:08:33 -------- d-----w C:\Programmer\Fælles filer
2007-06-27 16:27:42 -------- d-----w C:\Programmer\StepMania
2007-06-27 16:21:39 69,706 ----a-w C:\WINDOWS\system32\perfc006.dat
2007-06-27 16:21:39 408,334 ----a-w C:\WINDOWS\system32\perfh006.dat
2007-06-26 12:14:23 -------- d-----w C:\Programmer\Warcraft III
2007-06-26 10:00:18 -------- d-----w C:\Programmer\Fælles filer\System
2007-06-25 23:33:16 -------- d-----w C:\DOCUME~1\HP_Ejer\APPLIC~1\uTorrent
2007-06-25 23:01:03 -------- d-----w C:\Programmer\RPGXP
2007-06-25 22:26:56 -------- d-----w C:\DOCUME~1\HP_Ejer\APPLIC~1\Azureus
2007-06-25 22:19:47 -------- d-----w C:\Programmer\GetRight
2007-06-25 22:02:23 -------- d-----w C:\Programmer\Symantec
2007-06-25 21:52:17 -------- d-----w C:\Programmer\Fælles filer\Real
2007-06-25 21:51:54 -------- d-----w C:\DOCUME~1\HP_Ejer\APPLIC~1\Real
2007-06-25 21:51:07 -------- d-----w C:\Programmer\Silkroad
2007-06-25 21:50:16 -------- d-----w C:\Programmer\Pcsx2
2007-06-25 21:35:01 -------- d-----w C:\Programmer\Fælles filer\Microsoft Shared
2007-06-25 21:29:24 -------- d--h--w C:\Programmer\InstallShield Installation Information
2007-06-25 21:26:58 -------- d-----w C:\Programmer\DivX
2007-05-30 17:20:15 -------- d-----w C:\Programmer\Diablo III
2007-05-30 17:19:59 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-27 13:15:57 16 ----a-w C:\WINDOWS\popcinfot.dat
2007-05-21 15:02:28 -------- d-----w C:\DOCUME~1\HP_Ejer\APPLIC~1\Skype
2007-05-16 15:14:25 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-04 16:34:41 -------- d-----w C:\Programmer\Windows Media Connect 2
2007-04-25 14:22:43 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-12 11:55:09 21,504 ----a-w C:\WINDOWS\system32\ahdbngwjthp.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 22:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HPHUPD06"="c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" []
"ISUSPM Startup"="C:\PROGRA~1\FLLESF~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 14:03]
"ISUSScheduler"="C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" []
"nwiz"="nwiz.exe" [2004-09-29 21:23 C:\WINDOWS\system32\nwiz.exe]
"SiSPower"="SiSPower.dll" [2004-09-24 10:49 C:\WINDOWS\system32\SiSPower.dll]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 21:47 C:\WINDOWS\ALCXMNTR.EXE]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 22:54]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programmer\Messenger\msmsgs.exe" [2004-10-13 18:24]
"LogitechSoftwareUpdate"="C:\Programmer\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"msnmsgr"="C:\Programmer\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClockSync]
"C:\Programmer\ClockSync\Sync.exe" /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Programmer\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Programmer\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Programmer\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
"C:\Programmer\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"iPodService"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 20:47:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-28 20:48:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-28 20:48

--- E O F ---


Fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 20:54:44, on 28-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: HP-visning - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Programmer\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPHUPD06] c:\Programmer\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FLLESF~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmer\Fælles filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmer\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mangadownload.net
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.narutomania.com
O15 - Trusted Zone: http://www.tegnebordet.dk
O15 - Trusted Zone: http://www.thewhiteferret.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#12 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 28 June 2007 - 03:37 PM

A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ahdbngwjthp.dll
C:\LSPFix.exe

Folder::
C:\DOCUME~1\ADMINI~1.THO\APPLIC~1\Symantec
C:\Programmer\Symantec
C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec


3. Save the above as ComboFix-Do.txt

4. Then drag the ComboFix-Do.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

C. Please do an online scan with Kaspersky Online Virus Scanner (Use Internet Explorer as your Browser)

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Next Click on Free Virus Scanner, then Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information into your next post also.
Regards

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#13 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 11 July 2007 - 12:09 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users