WiredWX Hobby Weather Tools

[Solved] Adware, Trojans, etc. I need help with - Hijack This Log included
My niece wanted me to take her laptop on to see if I could do anything with it. From what she told me, it seemed like it's spyware and such...redirecting, homepage hijacked. She said even when she would do a google search and go to one of the results that it wouldn't be the page she was looking for (sounded like redirecting).

Well, the first thing I did was open up the internet browser and it was on some about:blank homepage. I was able to go to a few websites that I tried to go to, but did get some popup or extra browser window that wouldn't close titled "Contextual Ads".

Windows Security was prompting me to update and restart, so I did that. I also updated AVG and it found a couple of Trojan horses called SHeur2.GIF and Trojanhorse Downloader.Generic8.HTG.

I also downloaded Super Anti-Spyware and it found several Adwares and a few trojans including Trojan.Vundo and Trojan DNSChanger-Codec, Rogue.Component/Trace, among several other things and fixed them.

I also ran Malwarebytes and fixed what it found.

Anyway, I also downloaded HiJack This and the log is below. Is there anything in it that needs to be fixed?

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:38 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {3AA95AAE-E4EC-460E-8842-B24E3847C8B5} - C:\WINDOWS\system32\ddcCSjiI.dll (file missing)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [628009724] "C:\Documents and Settings\All Users\Application Data\1468717278\628009724.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: rinwfm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6956 bytes


Thanks in advance!

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {3AA95AAE-E4EC-460E-8842-B24E3847C8B5} - C:\WINDOWS\system32\ddcCSjiI.dll (file missing)
    O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
    O4 - HKLM\..\Run: [628009724] "C:\Documents and Settings\All Users\Application Data\1468717278\628009724.exe"
    O20 - AppInit_DLLs: rinwfm.dll


  • Press "Fix Checked"
  • Close Hijack This.


Delete this folder in bold:
C:\Program Files\alot

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
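The five lines the helper picked out above share a few traits that a reviewer can check mechanically: a BHO whose DLL is "(file missing)", a toolbar known to be adware, an autorun with a purely numeric name living under Application Data, and a non-empty AppInit_DLLs value. The script below is an added example for this thread, not HijackThis code and not the helper's procedure; it parses HJT entry lines and applies those four heuristics. The heuristics and the `UNWANTED_TOOLBARS` deny-list are assumptions of this example, modelled on the entries chosen in the thread, and the sample log is a constructed subset of the log posted above.

```python
"""Triage a HijackThis (HJT) log.

Added example for this thread; not HijackThis code and not the forum helper's
procedure. It parses each "Oxx - ..." / "Rx - ..." entry into its section and
body, then applies four illustrative heuristics (assumptions of this example,
modelled on the five entries the helper chose to fix):
  1. an O2/O3 BHO or toolbar whose file is reported "(file missing)";
  2. an O2/O3 entry naming a toolbar on a constructed deny-list;
  3. an O4 autorun whose value name is all digits and whose target lives
     under an "Application Data" directory;
  4. any non-empty O20 AppInit_DLLs value (such a DLL is loaded into every
     process that loads user32.dll, so it deserves a look by default).
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O2 - BHO: (no name) - {3AA95AAE-E4EC-460E-8842-B24E3847C8B5} - C:\WINDOWS\system32\ddcCSjiI.dll (file missing)
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [628009724] "C:\Documents and Settings\All Users\Application Data\1468717278\628009724.exe"
O20 - AppInit_DLLs: rinwfm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>[^"]+)"?')
# Constructed deny-list (lower-case substrings); "alot" is the toolbar the helper removed.
UNWANTED_TOOLBARS = {"alot"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, original line) for every HJT entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text):
    """Return the entries a reviewer should look at first, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        lower = body.lower()
        if section in ("O2", "O3"):
            if "(file missing)" in lower:
                findings.append(Finding(section, "registration points at a missing file", line))
            elif any(name in lower for name in UNWANTED_TOOLBARS):
                findings.append(Finding(section, "toolbar on the deny-list", line))
        elif section == "O4":
            m = O4_RE.search(body)
            if m and m.group("name").isdigit() and "application data" in m.group("path").lower():
                findings.append(Finding(section, "numeric-named autorun under Application Data", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding(section, f"AppInit_DLLs is set to {value}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the constructed sample the four heuristics surface exactly the five entries the helper listed and nothing else; on a real log they are a starting point for a human reviewer, not a verdict, since a legitimate product can also leave an orphaned BHO behind after an uninstall.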

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
OK, I had already run Malwarebytes and fixed what it found. I also updated Java. Now, I have fixed what you said to on HiJack This.

I also ran Malwarebytes again and the log is below:

Malwarebytes' Anti-Malware 1.31
Database version: 1563
Windows 5.1.2600 Service Pack 3

12/28/2008 1:51:34 PM
mbam-log-2008-12-28 (13-51-34).txt

Scan type: Quick Scan
Objects scanned: 51066
Time elapsed: 9 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\grandpack (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\GrandPack (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\ismbar2.exe (Adware.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\GrandPack\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Last edited by LadySmith on 28th December 2008, 8:15 pm; edited 1 time in total

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Just in case you need it, here's another HJT log as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:46 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5921 bytes

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Let's see if any of the Vundo remains.


  • Download combofix from here, use the top links - combofix.exe
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Here's the ComboFix.txt:

ComboFix 08-12-28.04 - user 2008-12-29 11:43:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.155 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\Google\T-Scan
c:\documents and settings\user\Application Data\Google\T-Scan\n.gif
c:\documents and settings\user\Application Data\Google\T-Scan\t.gif
c:\documents and settings\user\Application Data\Google\T-Scan\y.gif
c:\windows\system32\_000111_.tmp.dll
c:\windows\system32\IijSCcdd.ini
c:\windows\system32\IijSCcdd.ini2
c:\windows\Tasks\jngtsbnz.job
c:\windows\wiaserviv.log

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-29 11:37 . 2008-12-29 11:37 d-------- c:\documents and settings\All Users\Application Data\Avg7
2008-12-28 13:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 13:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-28 13:39 . 2008-12-28 13:40 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 02:31 . 2008-12-28 02:31 d-------- c:\program files\Java
2008-12-28 02:31 . 2008-12-28 02:31 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 02:31 . 2008-12-28 02:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 01:31 . 2008-12-28 02:07 d-------- c:\documents and settings\user\.SunDownloadManager
2008-12-28 01:17 . 2008-12-28 01:17 0 --a------ c:\windows\nsreg.dat
2008-12-27 22:34 . 2008-12-27 22:34 33,832 --a------ c:\windows\system32\xjrkzjvc.exe
2008-12-27 22:34 . 2008-12-27 22:34 127 --a------ c:\windows\system32\MRT.INI
2008-12-27 22:12 . 2008-10-16 14:38 6,066,176 --a------ c:\windows\system32\SETB7.tmp
2008-12-27 22:12 . 2008-10-16 14:38 1,160,192 --a------ c:\windows\system32\SETA9.tmp
2008-12-27 22:12 . 2008-10-16 14:38 826,368 --a------ c:\windows\system32\SETA7.tmp
2008-12-27 22:12 . 2008-10-16 14:38 477,696 --a------ c:\windows\system32\SETAF.tmp
2008-12-27 22:12 . 2008-10-16 14:38 459,264 --a------ c:\windows\system32\SETB1.tmp
2008-12-27 22:12 . 2008-10-16 14:38 383,488 --a------ c:\windows\system32\SETB9.tmp
2008-12-27 22:12 . 2008-10-16 14:38 267,776 --a------ c:\windows\system32\SETB5.tmp
2008-12-27 22:12 . 2008-10-16 14:38 233,472 --a------ c:\windows\system32\SETA8.tmp
2008-12-27 22:12 . 2008-10-16 14:38 124,928 --a------ c:\windows\system32\SETC1.tmp
2008-12-27 22:12 . 2008-10-16 14:38 105,984 --a------ c:\windows\system32\SETAA.tmp
2008-12-27 22:12 . 2008-10-16 14:38 63,488 --a------ c:\windows\system32\SETBE.tmp
2008-12-27 22:12 . 2008-10-16 14:38 52,224 --a------ c:\windows\system32\SETB0.tmp
2008-12-27 22:11 . 2008-12-13 00:40 3,593,216 --a------ c:\windows\system32\SETA3.tmp
2008-12-27 22:03 . 2008-12-28 02:48 d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2008-12-27 22:03 . 2008-12-27 22:03 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 21:58 . 2008-12-27 21:58 d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-27 21:57 . 2008-12-27 21:57 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 12:00 . 2008-12-08 12:00 d-------- c:\windows\system32\config\systemprofile\Application Data\alot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 09:53 --------- d-----w c:\documents and settings\user\Application Data\LimeWire
2008-12-13 14:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-11 19:02 --------- d-----w c:\program files\Google
2008-11-17 21:39 --------- d-----w c:\documents and settings\user\Application Data\Twain
2008-11-17 02:06 --------- d-----w c:\documents and settings\user\Application Data\HP
2008-11-17 02:01 --------- d-----w c:\documents and settings\LocalService\Application Data\HP
2008-11-17 01:42 --------- d-----w c:\program files\HP
2008-11-17 01:42 --------- d-----w c:\program files\Hewlett-Packard
2008-11-17 01:42 --------- d-----w c:\program files\Common Files\HP
2008-11-12 04:18 --------- d-----w c:\program files\LimeWire
2008-11-01 23:48 --------- d-----w c:\documents and settings\user\Application Data\alot
2008-10-28 21:43 --------- d-----w c:\documents and settings\user\Application Data\MySpace
2008-10-28 21:42 --------- d-----w c:\program files\MySpace
2008-03-14 03:42 13,195 ----a-w c:\documents and settings\user\ZGUICFG.DAT
2008-03-08 17:26 13,195 ----a-w c:\documents and settings\user\ZGUICFGW.DAT
2008-01-21 04:02 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\user\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-10-16 1746224]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-09-24 00:08 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 17:27 9117696 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-28 02:31 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-10-19 21:18 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2008-01-15 3456]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-10-16 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-10-16 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-10-16 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-10-16 59776]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-12-29 11:48:47 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-12-29 17:48:44

Pre-Run: 50,830,643,200 bytes free
Post-Run: 51,028,074,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

170 --- E O F --- 2008-12-28 06:22:58

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Hello.
CF log says winlogon is infected, so we need to find out if it really is infected.

Locate this file below in bold:
c:\windows\system32\winlogon.exe
Upload it to this site for a scan.
http://virusscan.jotti.org/
Copy and paste the report back here.

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Ok, I ran it through the online scanner (that is awesome btw...going through all of those scanners! Thanks for that website!). Here are the results:
Service load: 0% 100%

File: winlogon.exe
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ed0ef0a136dec83df69f04118870003e
Packers detected: -
Scanner results
Scan taken on 29 Dec 2008 18:33:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Re: Adware, Trojans, etc. I need help with - Hijack This Log included
Hello.
I see Limewire installed on this system.
Limewire is one of the biggest P2P programs out there, and is a malware writer's favourite playground. Chances are you will be instantly infected by anything downloaded from Limewire.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Limewire


Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\xjrkzjvc.exe
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETA3.tmp

Folder::
c:\windows\system32\config\systemprofile\Application Data\alot
c:\documents and settings\user\Application Data\Twain
c:\documents and settings\user\Application Data\LimeWire
c:\program files\LimeWire


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[image: CFScript.txt being dragged onto the ComboFix icon]

This will open combofix.exe again. Agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.

Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Ok, I removed the Limewire and did what you said. I've told her that Limewire is bad for things like that, but she said that she just uses it from time to time and closes it out as soon as she's done. She'll probably end up putting it back on there. :sigh:

Anyway, here's the log. I'll have to break it up because it keeps telling me that the message is too big.

ComboFix 08-12-28.04 - user 2008-12-29 13:19:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.145 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\SETA3.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\xjrkzjvc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\LimeWire
c:\documents and settings\user\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\user\Application Data\LimeWire\createtimes.cache
c:\documents and settings\user\Application Data\LimeWire\downloads.dat
c:\documents and settings\user\Application Data\LimeWire\fileurns.bak
c:\documents and settings\user\Application Data\LimeWire\fileurns.cache
c:\documents and settings\user\Application Data\LimeWire\filters.props
c:\documents and settings\user\Application Data\LimeWire\gnutella.net
c:\documents and settings\user\Application Data\LimeWire\installation.props
c:\documents and settings\user\Application Data\LimeWire\library.dat
c:\documents and settings\user\Application Data\LimeWire\limewire.props
c:\documents and settings\user\Application Data\LimeWire\mojito.props
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\user\Application Data\LimeWire\questions.props
c:\documents and settings\user\Application Data\LimeWire\responses.cache
c:\documents and settings\user\Application Data\LimeWire\simpp.xml
c:\documents and settings\user\Application Data\LimeWire\spam.dat
c:\documents and settings\user\Application Data\LimeWire\tables.props
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\ttrees.cache
c:\documents and settings\user\Application Data\LimeWire\ttroot.cache
c:\documents and settings\user\Application Data\LimeWire\version.xml
c:\documents and settings\user\Application Data\LimeWire\versions.props
c:\documents and settings\user\Application Data\LimeWire\xml\data\audio.sxml2
c:\documents and settings\user\Application Data\Twain
c:\windows\system32\config\systemprofile\Application Data\alot
c:\windows\system32\SETA3.tmp
c:\windows\system32\SETA7.tmp
c:\windows\system32\SETA8.tmp
c:\windows\system32\SETA9.tmp
c:\windows\system32\SETAA.tmp
c:\windows\system32\SETAF.tmp
c:\windows\system32\SETB0.tmp
c:\windows\system32\SETB1.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETB9.tmp
c:\windows\system32\SETBE.tmp
c:\windows\system32\SETC1.tmp
c:\windows\system32\xjrkzjvc.exe

Re: Adware, Trojans, etc. I need help with - Hijack This Log included

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-29 12:23 . 2008-12-29 12:25 d-------- c:\windows\system32\drivers\Avg
2008-12-29 12:23 . 2008-12-29 12:23 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-29 12:23 . 2008-12-29 12:23 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-29 12:23 . 2008-12-29 12:23 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-29 12:22 . 2008-12-29 12:22 d-------- c:\program files\AVG
2008-12-29 12:22 . 2008-12-29 13:11 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-28 13:40 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 13:40 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-28 13:39 . 2008-12-28 13:40 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 02:31 . 2008-12-28 02:31 d-------- c:\program files\Java
2008-12-28 02:31 . 2008-12-28 02:31 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 02:31 . 2008-12-28 02:31 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 01:31 . 2008-12-28 02:07 d-------- c:\documents and settings\user\.SunDownloadManager
2008-12-28 01:17 . 2008-12-28 01:17 0 --a------ c:\windows\nsreg.dat
2008-12-27 22:34 . 2008-12-27 22:34 127 --a------ c:\windows\system32\MRT.INI
2008-12-27 22:03 . 2008-12-28 02:48 d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2008-12-27 22:03 . 2008-12-27 22:03 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-27 21:58 . 2008-12-27 21:58 d-------- c:\documents and settings\user\Application Data\Malwarebytes
2008-12-27 21:57 . 2008-12-27 21:57 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 22:28 47,578 ----a-w c:\windows\system32\fglyjgpntkyvmnb.exe
2008-12-13 14:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-11 19:02 --------- d-----w c:\program files\Google
2008-12-05 23:48 53,942 ----a-w c:\windows\system32\cont_adsoftinc-remove.exe
2008-11-30 18:24 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-17 09:21 3,416 ----a-w c:\windows\system32\PerfStringBackup.TMP
2008-11-17 02:06 --------- d-----w c:\documents and settings\user\Application Data\HP
2008-11-17 02:01 --------- d-----w c:\documents and settings\LocalService\Application Data\HP
2008-11-17 01:42 --------- d-----w c:\program files\HP
2008-11-17 01:42 --------- d-----w c:\program files\Hewlett-Packard
2008-11-17 01:42 --------- d-----w c:\program files\Common Files\HP
2008-11-01 23:48 --------- d-----w c:\documents and settings\user\Application Data\alot
2008-10-28 21:43 --------- d-----w c:\documents and settings\user\Application Data\MySpace
2008-10-28 21:42 --------- d-----w c:\program files\MySpace
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\SET95.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-03-14 03:42 13,195 ----a-w c:\documents and settings\user\ZGUICFG.DAT
2008-03-08 17:26 13,195 ----a-w c:\documents and settings\user\ZGUICFGW.DAT
2008-01-21 04:02 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-29_11.48.20.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-29 18:23:16 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-12-29 19:06:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_344.dat
+ 2006-12-02 04:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 04:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 04:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 04:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 06:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 06:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 06:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 06:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 06:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 06:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 06:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 06:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 06:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 06:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 06:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^VZAccess Manager.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\VZAccess Manager.lnk
backup=c:\windows\pss\VZAccess Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-29 12:22 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-09-24 00:08 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 17:27 9117696 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-06-27 02:21 868352 c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-28 02:31 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-10-19 21:18 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2008-01-15 3456]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-29 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-29 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2004-08-10 14336]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-29 875288]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 231704]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-10-16 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-10-16 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-10-16 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-10-16 59776]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-29 13:21:33
ComboFix-quarantined-files.txt 2008-12-29 19:21:31

Pre-Run: 50,973,061,120 bytes free
Post-Run: 51,046,244,352 bytes free

254 --- E O F --- 2008-12-28 06:22:58
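A small triage pass over the Find3M Report in the log above, as an added example: this is the editor's own code, not ComboFix output and not the helper's procedure. It parses lines in that report's layout (seven of them copied into the script as a constructed sample) and applies two heuristics I chose myself: a long, all-letter, nearly vowel-free executable name in system32 is unlike a vendor-chosen name and gets flagged for review, and a `.tmp` file in system32 is matched against binaries with the same size and timestamp, which explains `SET95.tmp` as a copy of `gdi32.dll` rather than an unknown. The `SYSTEM32` prefix, the 10% vowel threshold and the 30-day window are my assumptions; the output is a list of review candidates, not verdicts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added triage example (editor's own code, not ComboFix's and not the forum
# helper's method). It reads lines in the layout of ComboFix's "Find3M Report"
# and applies two heuristics of my own choosing:
#   1. an executable in system32 whose name is long, all letters and nearly
#      vowel-free is unlike a vendor-chosen name and deserves a second look;
#   2. a .tmp file in system32 is explained if a .dll/.exe/.sys with the same
#      size and timestamp sits beside it (consistent with an installer's
#      staging copy); otherwise it is reported as unexplained.
# Both produce review candidates, not verdicts.

# Constructed sample: seven lines copied from the Find3M Report in the thread.
SAMPLE_LOG = """\
2008-12-16 22:28 47,578 ----a-w c:\\windows\\system32\\fglyjgpntkyvmnb.exe
2008-12-13 14:07 --------- d-----w c:\\documents and settings\\All Users\\Application Data\\HP
2008-12-05 23:48 53,942 ----a-w c:\\windows\\system32\\cont_adsoftinc-remove.exe
2008-11-30 18:24 295,424 ----a-w c:\\windows\\system32\\termsrv.dll
2008-10-23 12:36 286,720 ----a-w c:\\windows\\system32\\SET95.tmp
2008-10-23 12:36 286,720 ----a-w c:\\windows\\system32\\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\\windows\\system32\\wininet.dll
"""
REPORT_DATE = datetime(2008, 12, 29)  # date the log above was produced

# date, time, size-or-dashes, attribute string, path (may contain spaces)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"   # assumed location of the system directory
BINARY_EXT = (".dll", ".exe", ".sys")
VOWELS = set("aeiou")


def parse_find3m(text):
    """Parse Find3M-style lines into dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, lone dots and blank lines
        date, clock, size, attrs, path = m.groups()
        entries.append({
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
            "lpath": path.lower(),
        })
    return entries


def looks_random(stem):
    """Heuristic 1: at least 8 letters, letters only, under 10% vowels."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.10


def triage(entries, report_date, recent_days=30):
    """Return (path, reason) pairs for system32 files worth reviewing."""
    # Index system32 binaries by (timestamp, size) so a .tmp can be matched.
    by_stamp = defaultdict(list)
    for e in entries:
        if (e["lpath"].startswith(SYSTEM32) and e["size"] is not None
                and e["lpath"].endswith(BINARY_EXT)):
            by_stamp[(e["when"], e["size"])].append(e["path"])

    cutoff = report_date - timedelta(days=recent_days)
    findings = []
    for e in entries:
        if not e["lpath"].startswith(SYSTEM32) or e["size"] is None:
            continue
        name = e["lpath"].rsplit("\\", 1)[1]
        stem, _, ext = name.rpartition(".")
        if "." + ext in BINARY_EXT and looks_random(stem):
            age = (f"created within the last {recent_days} days"
                   if e["when"] >= cutoff else f"older than {recent_days} days")
            findings.append((e["path"], f"random-looking name, {age}"))
        elif ext == "tmp":
            twins = by_stamp.get((e["when"], e["size"]), [])
            if twins:
                findings.append((e["path"], "same size and timestamp as "
                                 + ", ".join(twins)
                                 + "; consistent with an installer staging copy"))
            else:
                findings.append((e["path"], "unexplained temp file in system32"))
    return findings


def triage_sample():
    """Run the pass over the constructed sample with the report's own date."""
    return triage(parse_find3m(SAMPLE_LOG), REPORT_DATE)


if __name__ == "__main__":
    for path, reason in triage_sample():
        print(f"{path}\n    {reason}")
```

On the sample, the pass reports exactly the two files the helper later asked to have moved: `fglyjgpntkyvmnb.exe` for its name and recent creation date, and `SET95.tmp` with the note that its size and timestamp match `gdi32.dll`. Legitimate short names such as `termsrv.dll` and `wininet.dll`, and hyphenated or digit-bearing names, are deliberately left alone by the vowel heuristic.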

Re: Adware, Trojans, etc. I need help with - Hijack This Log included

Hello.
There are two files leftover that might have been missed.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    c:\windows\system32\fglyjgpntkyvmnb.exe
    c:\windows\system32\SET95.tmp

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: Adware, Trojans, etc. I need help with - Hijack This Log included

OK, I did the OTMoveIt, but when I tried to copy the Results window, all I got was a ding and the OTMoveIt program window was not active. Then, behind it, I noticed a message about rebooting the system. Now that it's rebooted, the OTMoveIt program on the desktop is not showing the icon. It's just showing that blue and white program icon thingy. I've tried to click on it but get nothing.

Re: Adware, Trojans, etc. I need help with - Hijack This Log included

OK, I think I found the log at C:\OTMoveIt\MovedFiles

Here it is:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\system32\fglyjgpntkyvmnb.exe moved successfully.
c:\windows\system32\SET95.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_35c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_c88.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_344.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12292008_134157

Re: Adware, Trojans, etc. I need help with - Hijack This Log included

I'm actually surprised that worked.
AVG8 doesn't like OTMoveIt, but AVG7 has no problems.

Please delete these two folders now:
C:\Qoobox
C:\_OTMoveIt

What problems remain?
