
[Closed]Hijack This Log


This topic is locked
7 replies to this topic

#1 rubberduck

Posted 22 July 2007 - 11:21 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:16:59 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\COMPAQ~1\MYDOCU~1\WNSXS~1\nslookup.exe
C:\WINDOWS\system32\??mbols\?vchost.exe
C:\Program Files\WinPop\winpop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\alg.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7852R\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {354A698E-F468-829D-4912-898DCE208FCB} - C:\WINDOWS\system32\bbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {79D0CF6F-65B8-4D2E-98C3-BEF5C6D6CB73} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {932632FB-3667-40BD-8748-9C9370B605ED} - C:\Program Files\WindowsUpdate\hopeteby83122.dll (file missing)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\lrbfvxvx.dll
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {B2EE8CBA-AA5A-4AA1-C7B3-7FFFDADF9B66} - C:\Program Files\ComPlus Applications\labu866.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\khfccbc.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\L3\iasdll.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\xbguhsoj.dll",forkonce
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Rwss] "C:\DOCUME~1\COMPAQ~1\MYDOCU~1\WNSXS~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Rgznpvp] C:\WINDOWS\system32\??mbols\?vchost.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1184866022031
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
O20 - Winlogon Notify: khfccbc - C:\WINDOWS\SYSTEM32\khfccbc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 rubberduck

Posted 23 July 2007 - 07:58 AM

Would someone please look at my topic? I am at my wits' end. Thank you.

#3 Blade81

Posted 23 July 2007 - 03:14 PM

Hi

Download and run the following PurityScan uninstaller from one of the two links below:

PurityScan Uninstaller Link 1

PurityScan Uninstaller Link 2


1. Save the Uninstaller to your desktop.
2. Double click on the OiUninstaller.exe icon on your desktop.
3. Click on Run.
4. Enter the four digit code that is displayed and click on Uninstall.
5. Click on Ok and reboot your computer.


For more explicit instructions with snapshots of some windows from the uninstall tool, see the below link:

OuterInfo Uninstaller Snapshots



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh hjt log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#4 rubberduck

Posted 23 July 2007 - 09:54 PM

Thank you for replying.

"Compaq_Administrator" - 2007-07-23 23:41:40 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\khfecdd.dll
C:\WINDOWS\system32\reliqsmp.dll
C:\WINDOWS\system32\xbguhsoj.dll
C:\WINDOWS\system32\acngsslh.exe
C:\WINDOWS\system32\chkwrnja.exe
C:\WINDOWS\system32\eoouempl.exe
C:\WINDOWS\system32\djqkpxxf.dll
C:\WINDOWS\system32\lrbfvxvx.dll
C:\WINDOWS\system32\khfecdd.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\pmsqiler.ini
C:\WINDOWS\system32\joshugbx.ini
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\khfccbc.dll
C:\WINDOWS\system32\khfccbc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\history.db
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\COMPAQ~1\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\COMPAQ~1.\err.log
C:\Documents and Settings\COMPAQ~1.\ResErrors.log
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00004.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00005.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00006.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00007.dll
C:\Program Files\Common Files\winantivirus pro 2007
C:\Program Files\Common Files\winantivirus pro 2007\err.log
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\temp\tn3
C:\UWA7P
C:\WINDOWS\b122.exe
C:\WINDOWS\DOWNLO~1\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe
C:\WINDOWS\system32\bhobiuwg.exe
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\jlmtswtf.exe
C:\WINDOWS\system32\L0
C:\WINDOWS\system32\L0\mwspasrt83122.exe
C:\WINDOWS\system32\L1
C:\WINDOWS\system32\L1\w0716.exe
C:\WINDOWS\system32\L2
C:\WINDOWS\system32\L2\st2.exe
C:\WINDOWS\system32\L3
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\plnetuwp.exe
C:\WINDOWS\system32\pyctoupt.exe
C:\WINDOWS\system32\qaffdusm.exe
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\uqljcyux.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\yaxomoyt.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\LEGACY_NTMLSVC
-------\core
-------\NtmlSvc


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-23 23:35 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 23:34 126,016 --a------ C:\WINDOWS\system32\fhrmsxyj.dll
2007-07-22 16:16 <DIR> d---s---- C:\DOCUME~1\LOCALS~1\UserData
2007-07-22 16:16 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
2007-07-22 12:36 <DIR> d-------- C:\5dc110d0222e22e3c65c62645dcc
2007-07-22 12:25 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-22 12:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-22 11:14 <DIR> d-------- C:\a62fe7bc7b89b5c15d5d252b0525ad
2007-07-21 19:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-20 14:32 <DIR> d-------- C:\WINDOWS\wt
2007-07-20 09:58 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-19 13:39 <DIR> d-------- C:\Program Files\Panicware
2007-07-19 12:25 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\PC Tools
2007-07-19 12:24 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-07-19 12:24 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-07-19 12:24 15,872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-07-19 12:24 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-07-19 12:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-07-19 12:23 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-19 02:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-19 02:00 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-18 19:25 <DIR> d--hs---- C:\RECYCLER
2007-07-18 14:18 <DIR> d-------- C:\Program Files\GameTap
2007-07-18 14:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameTap
2007-07-18 14:17 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\InstallShield
2007-07-18 13:11 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-18 11:57 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\acccore
2007-07-18 11:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-07-18 11:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-07-18 11:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-18 11:54 <DIR> d-------- C:\Program Files\Viewpoint
2007-07-18 11:53 335 --a------ C:\WINDOWS\nsreg.dat
2007-07-18 11:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-18 11:39 <DIR> dr-hs---- C:\cmdcons
2007-07-18 11:39 <DIR> d-------- C:\WINDOWS\setupupd
2007-07-18 11:39 <DIR> d-------- C:\WINDOWS\setup.pss
2007-07-18 11:32 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-07-18 11:32 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-18 11:28 <DIR> d-------- C:\Temp\brr
2007-07-18 11:28 <DIR> d-------- C:\Tempc2
2007-07-18 11:28 <DIR> d-------- C:\Temp
2007-07-18 11:03 <DIR> d---s---- C:\DOCUME~1\COMPAQ~1\UserData
2007-07-18 06:19 1,310,720 --ah----- C:\DOCUME~1\COMPAQ~1\NTUSER.DAT
2007-07-18 06:19 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\WINDOWS
2007-07-18 06:19 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Symantec
2007-07-18 06:19 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\SampleView
2007-07-18 06:19 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Real
2007-07-18 06:19 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\InterMute
2007-07-18 06:19 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Apple Computer
2007-07-18 06:18 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-07-18 06:18 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-07-18 06:17 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-18 06:17 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-18 06:17 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\WINDOWS
2007-07-18 06:17 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Symantec
2007-07-18 06:17 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SampleView
2007-07-18 06:17 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Real
2007-07-18 06:17 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\InterMute
2007-07-18 06:17 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Apple Computer
2007-07-18 06:15 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-18 06:15 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-07-18 06:15 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-18 06:14 <DIR> d--hs---- C:\System Volume Information
2007-07-18 06:10 247 --a------ C:\WINDOWS\system\hpsysdrv.dat
2007-07-18 06:09 <DIR> d-------- C:\WINDOWS\I386
2007-07-18 06:04 <DIR> dr-h----- C:\MSOCache
2007-07-18 06:04 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-07-18 06:04 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Documents
2007-07-18 06:03 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2007-07-18 03:26 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Google
2007-07-18 03:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-18 03:20 98,304 --a------ C:\WINDOWS\system32\ps2.EXE
2007-07-18 03:20 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-18 03:20 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2007-07-18 03:20 <DIR> d-------- C:\WINDOWS\system32\Lang


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 03:48:57 3,649 ----a-w C:\WINDOWS\viassary-hp.reg
2007-07-20 18:32:18 -------- d-----w C:\Program Files\WildTangent
2007-07-20 13:58:40 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-19 17:14:33 -------- d-----w C:\Program Files\Symantec
2007-07-19 17:14:33 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-18 18:18:12 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-18 10:09:49 -------- d-----w C:\Program Files\Windows NT
2007-07-18 10:09:47 -------- d-----w C:\Program Files\Movie Maker
2007-07-18 10:09:47 -------- d-----w C:\Program Files\Messenger
2007-07-18 07:23:56 -------- d-----w C:\Program Files\Google
2007-07-18 07:21:39 -------- d-----w C:\Program Files\Easy Internet signup
2007-07-18 07:20:31 1,819 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_ED792AA-ABA SR1522X NA570_YC_0Pres_QMXF526_E53NAprRED2_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.20_T050331_WXP2_L409_M504_J80_7Intel_8Pentium 4_92.93_#050808_N10EC8139_Z11C1048C_G80862582_O.MRK
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{932632FB-3667-40BD-8748-9C9370B605ED}]
C:\Program Files\WindowsUpdate\hopeteby83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]
C:\WINDOWS\system32\WinNB58.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2EE8CBA-AA5A-4AA1-C7B3-7FFFDADF9B66}]
C:\Program Files\ComPlus Applications\labu866.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]

[-HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 12:36]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]

C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\Startup\
Compaq Organize.lnk - C:\Program Files\Hewlett-Packard\Compaq Organize\bin\displayAgent.exe [2005-06-02 19:52:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\sslaunch.exe [2005-06-02 19:51:32]

R0 fasttx2k;fasttx2k;C:\WINDOWS\system32\DRIVERS\fasttx2k.sys
R2 AVFilter;AVFilter;C:\WINDOWS\system32\drivers\AVFilter.sys
R3 AVHook;AVHook;C:\WINDOWS\system32\drivers\AVHook.sys
R3 AVRec;AVRec;C:\WINDOWS\system32\drivers\AVRec.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 PcdrNdisuio;PCDRNDISUIO Usermode I/O Protocol;C:\WINDOWS\system32\DRIVERS\pcdrndisuio.sys


Contents of the 'Scheduled Tasks' folder
2007-07-18 07:21:39 C:\WINDOWS\tasks\Easy Internet Sign-up.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 23:48:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-23 23:49:38
C:\ComboFix-quarantined-files.txt ... 2007-07-23 23:49

--- E O F ---

#5 rubberduck

Posted 23 July 2007 - 10:02 PM

Here is my updated HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:58:42 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\explorer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {932632FB-3667-40BD-8748-9C9370B605ED} - C:\Program Files\WindowsUpdate\hopeteby83122.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: 0 - {B2EE8CBA-AA5A-4AA1-C7B3-7FFFDADF9B66} - C:\Program Files\ComPlus Applications\labu866.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Compaq Organize.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1184866022031
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#6 Blade81

Posted 24 July 2007 - 04:21 AM

Hi


Start HJT, click "Do a system scan only", and check:
O2 - BHO: (no name) - {932632FB-3667-40BD-8748-9C9370B605ED} - C:\Program Files\WindowsUpdate\hopeteby83122.dll (file missing)
O2 - BHO: Mirar - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: 0 - {B2EE8CBA-AA5A-4AA1-C7B3-7FFFDADF9B66} - C:\Program Files\ComPlus Applications\labu866.dll (file missing)
O3 - Toolbar: Mirar - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Close browsers and other windows. Click fix checked.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Delete following files if found:
C:\Program Files\WindowsUpdate\hopeteby83122.dll
C:\WINDOWS\system32\WinNB58.dll
C:\Program Files\ComPlus Applications\labu866.dll
C:\WINDOWS\system32\WinNB58.dll


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\fhrmsxyj.dll

Folder::
C:\5dc110d0222e22e3c65c62645dcc
C:\a62fe7bc7b89b5c15d5d252b0525ad
C:\Tempc2
C:\Temp


Save this as CFScript


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log with a fresh hjt log.
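The first pass Blade81 does by eye above (picking out the UserInit hijack, the unnamed or file-missing BHOs, the Run entries in odd locations, the added Trusted Zone sites and the stray Winlogon Notify DLLs) can be scripted against the log format. This is an added example, not code from the thread, from HijackThis or from ComboFix; the Winlogon Notify allow-list is an assumption, and the sample lines are copied from the first log in this thread.

```python
"""Triage pass over HijackThis v1.99.1 entry lines (added example)."""
import re
from dataclasses import dataclass

# Entry lines look like 'O4 - HKLM\..\Run: [name] path' or 'F2 - REG:...'.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Assumed allow-list for this example only; real triage uses a vetted database.
KNOWN_WINLOGON_NOTIFY = {"igfxcui", "crypt32chain", "cryptnet", "cscdll",
                         "scecli", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


def parse_entry(line):
    """Split an entry line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def check_f2(body):
    # UserInit should name userinit.exe and nothing else.
    if "UserInit=" not in body:
        return None
    progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
    if len(progs) > 1 or not progs[0].lower().endswith("\\userinit.exe"):
        return "UserInit chain contains extra executable(s): " + ", ".join(progs)
    return None


def check_o2_o3(body):
    if "(no name)" in body:
        return "unnamed browser helper object"
    if "(file missing)" in body:
        return "registered component whose file is missing"
    return None


def check_o4(body):
    # Only Run-key values carry the '[name] path' form; .lnk entries are skipped.
    if "] " not in body:
        return None
    path = body.split("] ", 1)[1]
    if "?" in path:
        # HJT prints '?' for characters it cannot render in a path.
        return "non-printable characters in startup path"
    low = path.lower()
    if "docume~1" in low or "documents and settings" in low:
        return "startup entry runs from a user profile directory"
    return None


def check_o15(body):
    return "site added to Trusted Zone" if body.startswith("Trusted Zone:") else None


def check_o20(body):
    if not body.startswith("Winlogon Notify:"):
        return None
    name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
    return None if name in KNOWN_WINLOGON_NOTIFY else f"unknown Winlogon Notify package '{name}'"


CHECKS = {"F2": check_f2, "O2": check_o2_o3, "O3": check_o2_o3,
          "O4": check_o4, "O15": check_o15, "O20": check_o20}


def triage(log_text):
    """Return a Finding for every entry line that trips one of CHECKS, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        sec, body = parsed
        check = CHECKS.get(sec)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(sec, reason, line.strip()))
    return findings


# Sample input: lines copied from the first log in this thread
# (raw string, because the paths contain backslashes).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {79D0CF6F-65B8-4D2E-98C3-BEF5C6D6CB73} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: 0 - {B2EE8CBA-AA5A-4AA1-C7B3-7FFFDADF9B66} - C:\Program Files\ComPlus Applications\labu866.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Rwss] "C:\DOCUME~1\COMPAQ~1\MYDOCU~1\WNSXS~1\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Rgznpvp] C:\WINDOWS\system32\??mbols\?vchost.exe
O4 - Startup: Compaq Organize.lnk = ?
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Entries that pass every check (the Acrobat BHO, hkcmd.exe, the igfxcui notify package) are not listed, so the output is the short list a helper would actually look at.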

#7 Blade81

Posted 02 August 2007 - 11:57 AM

rubberduck, how's it going?

#8 Blade81

Posted 12 August 2007 - 01:07 PM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.
