
Please help too many problems to list


5 replies to this topic

#1 leavang2007

    New Member • 3 posts

Posted 05 October 2007 - 05:36 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:22:45 PM, on 10/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Customizer XP\RAMIdle.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\adidas\Desktop\New Folder\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Lea's Internet Connection ######
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://internet.true...s.com/proxy.pac
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (value not set) (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (value not set) (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (value not set) (file missing)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [OneClick Cleanup] C:\Program Files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\adidas\LOCALS~1\Temp\winlogon.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O4 - Global Startup: RAMIdle.lnk = C:\Program Files\Customizer XP\RAMIdle.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - (value not set)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O20 - AppInit_DLLs: direct32.dll,iniwin32.dll,inicfg32.dll,2
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe



#2 shelf life

    SuperMember • Visiting Fellow • 3,191 posts

Posted 06 October 2007 - 08:21 AM

hi leavang2007,

you have several things going on--

i see several antivirus apps in your log:
Avast4
ClamWin
AntiVir
McAfee

only one antivirus app is needed, can't tell if that mcafee is av or something else. keep one, uninstall the others via the add/remove programs panel. after the uninstall reboot your computer. while you are in the add/remove programs listing look for and uninstall any toolbar or search helper that might be listed in there.

you are way behind on windows updates/patches. xp is up to service pack 2 now.
we can clean up some, then you should get updated.

we will first use hjt then download and run more software.

first hjt:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: msscds32.msdn_hlp - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (value not set) (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - (value not set) (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (value not set) (file missing)
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\adidas\LOCALS~1\Temp\winlogon.exe
-----------------------------------------
first stop:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsuppo...Bs/ComboFix.exe

http://download.blee...Bs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply-- and a new hjt log please.

shelf life
How Can I Reduce My Risk?
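The triage in the reply above is done by eye: O2/O3 entries whose DLL is "(no file)" or "(file missing)", an O4 autostart that runs a file named winlogon.exe out of a Temp folder, and more antivirus products than one machine should have. The script below is an added example (not code from this thread, from HijackThis, or from any of the tools named here) that applies those same rules to HijackThis-format lines so they can be re-run on any log. The vendor table, the list of core Windows binary names and the Temp-folder heuristic are assumptions made for this example; the sample log is a constructed subset of the entries posted in this thread.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example, not part of the thread or of HijackThis. It encodes the
rules the helper applied by hand:
  - O2/O3 entries whose DLL is "(no file)" or "(file missing)" are dead
    browser-helper registrations and go on the "fix checked" list,
  - an O4 autostart that runs from a Temp folder, or that reuses a core
    Windows binary name outside the system32 directory, is treated the same,
  - a non-empty O20 AppInit_DLLs value is flagged for review,
  - O23 services are mapped to antivirus vendors so that more than one
    installed product can be reported.
The vendor table, the core-binary list and the Temp heuristic are assumptions.
"""
import re
from dataclasses import dataclass, field

# "O2 - BHO: ..." -> section "O2", rest "BHO: ..."
LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in .exe inside an O4 entry.
EXE_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)
# Core Windows binaries that only belong in system32 (assumed list).
CORE_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}
# O23 service owner field -> antivirus product (assumed table, built from this log).
AV_VENDORS = {"ALWIL Software": "avast!", "Avira GmbH": "AntiVir", "McAfee, Inc": "McAfee"}


@dataclass
class Triage:
    fix: list = field(default_factory=list)      # lines to tick before "Fix checked"
    review: list = field(default_factory=list)   # lines a human should look at
    av_products: set = field(default_factory=set)


def triage_line(line: str, result: Triage) -> None:
    """Classify one log line and record it in result."""
    m = LINE_RE.match(line.strip())
    if not m:
        return  # header, blank, or a "Running processes" path: not an entry
    section, rest = m.groups()
    if section in ("O2", "O3"):
        if "(no file)" in rest or "(file missing)" in rest:
            result.fix.append(line.strip())
    elif section == "O4":
        exe = EXE_RE.search(rest)
        if exe is None:
            return
        path = exe.group(1)
        name = path.rsplit("\\", 1)[-1].lower()
        if TEMP_RE.search(path) or (name in CORE_BINARIES and not SYSTEM_DIR_RE.match(path)):
            result.fix.append(line.strip())
    elif section == "O20" and rest.startswith("AppInit_DLLs:"):
        if rest.split(":", 1)[1].strip():
            result.review.append(line.strip())
    elif section == "O23":
        # "Service: <name> - <owner> - <path>": the owner is the second-to-last field.
        parts = rest.split(" - ")
        if len(parts) >= 3 and parts[-2] in AV_VENDORS:
            result.av_products.add(AV_VENDORS[parts[-2]])


def triage(log_text: str) -> Triage:
    result = Triage()
    for line in log_text.splitlines():
        triage_line(line, result)
    return result


def has_av_conflict(result: Triage) -> bool:
    """True when more than one antivirus product is registered as a service."""
    return len(result.av_products) > 1


# Constructed sample: a subset of the entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - (value not set) (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\adidas\LOCALS~1\Temp\winlogon.exe
O20 - AppInit_DLLs: direct32.dll,iniwin32.dll,inicfg32.dll,2
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("Tick and fix:")
    for entry in r.fix:
        print("  " + entry)
    print("Review:")
    for entry in r.review:
        print("  " + entry)
    print("Antivirus products registered as services:", ", ".join(sorted(r.av_products)))
    if has_av_conflict(r):
        print("More than one antivirus product installed; keep one, uninstall the rest.")
```

On the sample, the four "fix" lines are exactly the kinds of entry the helper listed (the three dead O2/O3 registrations and the Temp-folder winlogon.exe), the Adobe helper with a present DLL is left alone, the AppInit_DLLs line is queued for review, and three antivirus vendors are reported. The heuristics are deliberately narrow; a legitimate entry that happens to live in a Temp folder still deserves a human look before it is removed.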

#3 leavang2007

    New Member • 3 posts

Posted 06 October 2007 - 01:39 PM

thanks for your help and here are the new log files


ComboFix 07-10-06.5 - adidas 2007-10-06 13:30:29.1 - FAT32x86
Input Error: There is no script engine for file extension ".vbs".
Running from: C:\Documents and Settings\adidas\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\adidas\Desktop\internet.lnk
C:\WINDOWS\764.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SYSLIBRARY
-------\SysLibrary


((((((((((((((((((((((((( Files Created from 2007-09-06 to 2007-10-06 )))))))))))))))))))))))))))))))
.

2007-10-06 13:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 17:05 <DIR> d-------- C:\Program Files\Avira
2007-10-04 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-10-04 17:04 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-04 17:04 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-04 17:04 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-04 17:03 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-04 17:03 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-04 17:03 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-04 16:56 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-04 16:54 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-04 16:33 <DIR> d-------- C:\Program Files\del.icio.us

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-26 16:19 --------- d-------- C:\Program Files\a-squared Anti-Malware
2007-08-25 17:33 --------- d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-08-21 16:04 --------- d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2007-08-15 22:42 27136 --a------ C:\WINDOWS\system32\satmat.exe
2007-08-15 22:42 18688 --a------ C:\WINDOWS\system32\SUSP.exe
2007-08-15 22:42 11008 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-08-15 22:42 10752 --a------ C:\WINDOWS\system32\wml.exe
2007-08-15 22:41 27648 --a------ C:\WINDOWS\system32\Biprep.exe
2007-08-15 22:40 22784 --a------ C:\WINDOWS\flt.dll
2007-08-15 22:40 20992 --a------ C:\WINDOWS\pbar.dll
2007-08-15 22:40 19968 --a------ C:\WINDOWS\7search.dll
2007-08-15 22:38 31232 --a------ C:\WINDOWS\cdsm32.dll
2007-08-15 22:38 27904 --a------ C:\WINDOWS\swin32.dll
2007-08-15 22:37 19456 --a------ C:\WINDOWS\mspphe.dll
2007-08-15 22:37 12032 --a------ C:\WINDOWS\bjam.dll
2007-08-15 22:36 22272 --a------ C:\WINDOWS\system32\180ax.exe
2007-08-15 22:36 19712 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-08-15 22:36 10496 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-08-15 22:35 29184 --a------ C:\WINDOWS\system32\salm.exe
2007-08-15 22:35 18944 --a------ C:\WINDOWS\system32\updatetc.exe
2007-08-15 22:34 979 --a------ C:\WINDOWS\system32\drivers\product_2_name_small.gif
2007-08-15 22:34 918 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-08-15 22:34 837 --a------ C:\WINDOWS\system32\drivers\blank.gif
2007-08-15 22:34 835 --a------ C:\WINDOWS\system32\drivers\style.css
2007-08-15 22:34 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-08-15 22:34 65 --a------ C:\WINDOWS\system32\drivers\sep_hor.gif
2007-08-15 22:34 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
2007-08-15 22:34 639 --a------ C:\WINDOWS\system32\drivers\star.gif
2007-08-15 22:34 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-08-15 22:34 550 --a------ C:\WINDOWS\system32\drivers\star_small.gif
2007-08-15 22:34 53 --a------ C:\WINDOWS\system32\drivers\sep_vert.gif
2007-08-15 22:34 49 --a------ C:\WINDOWS\system32\drivers\spacer.gif
2007-08-15 22:34 48933 --a------ C:\WINDOWS\system32\drivers\pt.htm
2007-08-15 22:34 4723 --a------ C:\WINDOWS\system32\drivers\detect.htm
2007-08-15 22:34 425 --a------ C:\WINDOWS\system32\drivers\star_gray.gif
2007-08-15 22:34 3877 --a------ C:\WINDOWS\system32\drivers\warning_icon.gif
2007-08-15 22:34 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
2007-08-15 22:34 3080 --a------ C:\WINDOWS\system32\drivers\product_3_header.gif
2007-08-15 22:34 2922 --a------ C:\WINDOWS\system32\drivers\footer_back.jpg
2007-08-15 22:34 291 --a------ C:\WINDOWS\system32\drivers\v.gif
2007-08-15 22:34 28459 --a------ C:\WINDOWS\system32\drivers\header_1.gif
2007-08-15 22:34 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-08-15 22:34 2604 --a------ C:\WINDOWS\system32\drivers\product_1_header.gif
2007-08-15 22:34 2238 --a------ C:\WINDOWS\system32\drivers\download_box.gif
2007-08-15 22:34 223 --a------ C:\WINDOWS\system32\drivers\star_gray_small.gif
2007-08-15 22:34 2214 --a------ C:\WINDOWS\system32\drivers\product_2_header.gif
2007-08-15 22:34 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
2007-08-15 22:34 215 --a------ C:\WINDOWS\system32\drivers\main_back.gif
2007-08-15 22:34 2090 --a------ C:\WINDOWS\system32\drivers\shadow.jpg
2007-08-15 22:34 1791 --a------ C:\WINDOWS\system32\drivers\win_logo.gif
2007-08-15 22:34 17152 --a------ C:\WINDOWS\saiemod.dll
2007-08-15 22:34 1714 --a------ C:\WINDOWS\system32\drivers\product_3_name_small.gif
2007-08-15 22:34 1647 --a------ C:\WINDOWS\system32\drivers\button_freescan.gif
2007-08-15 22:34 1619 --a------ C:\WINDOWS\system32\drivers\button_buynow.gif
2007-08-15 22:34 15421 --a------ C:\WINDOWS\system32\drivers\header_2.gif
2007-08-15 22:34 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-08-15 22:34 1330 --a------ C:\WINDOWS\system32\drivers\product_features.gif
2007-08-15 22:34 1253 --a------ C:\WINDOWS\system32\drivers\product_1_name_small.gif
2007-08-15 22:34 12326 --a------ C:\WINDOWS\system32\drivers\box_3.gif
2007-08-15 22:34 12313 --a------ C:\WINDOWS\system32\drivers\box_1.gif
2007-08-15 22:34 1204 --a------ C:\WINDOWS\system32\drivers\infected.gif
2007-08-15 22:34 11927 --a------ C:\WINDOWS\system32\drivers\box_2.gif
2007-08-15 22:34 11077 --a------ C:\WINDOWS\system32\drivers\header_4.gif
2007-08-15 22:34 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-08-15 22:34 10193 --a------ C:\WINDOWS\system32\drivers\header_3.gif
2007-08-15 22:34 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
2007-08-14 04:10 --------- d-------- C:\Program Files\SilverCreekCommonFiles
2007-08-14 04:10 --------- d-------- C:\Program Files\Hardwood Solitaire III
2007-08-12 14:05 --------- d-------- C:\Program Files\AskPBar
2007-08-12 14:00 --------- d-------- C:\Program Files\Paltalk Messenger
2007-08-12 14:00 --------- d-------- C:\Documents and Settings\adidas\Application Data\Paltalk
2007-08-10 18:30 --------- d-------- C:\Program Files\Mr.Men Click'em
2007-08-10 18:07 --------- d-------- C:\Program Files\Microsoft.NET
2007-08-09 14:06 --------- d-------- C:\Documents and Settings\adidas\Application Data\FinalBurner Audio CD
2007-08-05 23:48 --------- dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2006-03-18 10:53 26922 --a------ C:\Program Files\MoviePass Terms.html
2005-11-24 14:12 774144 --a------ C:\Program Files\RngInterstitial.dll
2004-06-09 16:03 832728 --a------ C:\Program Files\NPSWF32.dll
2004-03-12 14:05 4096 --------- C:\Documents and Settings\All Users\Application Data\Support.com
2003-05-22 22:35 3088896 --a------ C:\Program Files\frenchquizmachine.msi
2004-04-05 16:10:10 4,263 --sh--w C:\WINDOWS\windllreg1c.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-14 20:27]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"OneClick Cleanup"="C:\Program Files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe" [2006-10-08 12:46]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=1 (0x1)
"HideShutdownScripts"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoFavoritesMenu"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsNetHood"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"NoWelcomeScreen"=1 (0x1)
"DisableLocalMachineRunOnce"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoNetworkConnections"=01000000
"NoRecentDocsMenu"=1 (0x1)
"NoFavoritesMenu"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsNetHood"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoUserNameInStartMenu"=1 (0x1)
"NoInstrumentation"=0 (0x0)
"NoStartMenuPinnedList"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"NoSharedDocuments"=0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 14:00:02 C:\WINDOWS\Tasks\Temporary Internet Files.job"
- E:\WINDOWS\Temporary Internet Files
"2007-10-02 02:44:40 C:\WINDOWS\Tasks\Windows Update.job"
- C:\WINDOWS\system32\wupdmgr.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-06 13:42:56
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-06 13:49:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-06 13:49
.
--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 2:23:37 PM, on 10/6/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe
C:\Program Files\Customizer XP\RAMIdle.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\adidas\Desktop\New Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://internet.true...s.com/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [OneClick Cleanup] C:\Program Files\CM Data Software\CM DiskCleaner\OneClick Cleanup.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: RAMIdle.lnk = C:\Program Files\Customizer XP\RAMIdle.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

anything else?

#4 shelf life

    SuperMember • Visiting Fellow • 3,191 posts

Posted 07 October 2007 - 07:34 AM

hi,

ok good. looks like you still have 2 or 3? antivirus:

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software -

is this also an antivirus?
Service: McAfee
------------------------
another download to get and run:
Download SmitfraudFix (by S!Ri) to your Desktop:

http://siri.urz.free...mitfraudFix.zip


Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named: c:\rapport.txt

stop at this point and post a HijackThis log along with the contents of the c:\rapport.txt.

shelf life
How Can I Reduce My Risk?

#5 leavang2007

    New Member • 3 posts

Posted 18 October 2007 - 01:18 PM

Just saw the extra instructions, hope I'm not too late

SmitFraudFix v2.240

Scan done at 14:04:55.34, Thu 10/18/2007
Run from C:\Documents and Settings\adidas\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\susp.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\adidas

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\adidas\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="http://www.cheatcc.c...ntral_logo.gif"
"SubscribedURL"="http://www.cheatcc.c...ntral_logo.gif"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#6 shelf life

    SuperMember • Visiting Fellow • 3,191 posts

Posted 20 October 2007 - 08:12 AM

hi leavang2007, sorry for the delay.

run the 2nd step of smitfraud in SAFE MODE:

boot computer into safe mode. to reach safe mode: restart your computer and tap the f8 key during the boot up. choose the first option from the list: safe mode. log on to your regular account.

locate the smitfraud icon on the desktop and double click it to start. from the main option menu, choose the second option (clean). after smitfraud runs-- disk clean will run, last when asked if you want to clean the registry, select y (yes) then enter.

computer will reboot and after the restart produce a log. please save the log somewhere and post it in next reply. and a new hjt log.

shelf life
How Can I Reduce My Risk?
