I keep getting my explorer hacked somehow - can you help?


Post by Fortygirl » May 21st, 2008, 4:09 pm

Hi, any help will be appreciated. I keep getting trojan popups with my Avast program.
I have not understood how to stop these. Thank you.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:05 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\bfgclient\bfgclient.exe
C:\Program Files\bfgclient\bfggameservices.exe
C:\Program Files\Jigs@w Puzzle 2\jp2v.exe
C:\Program Files\Jigs@w Puzzle 2\jp2v.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {4D1277E3-AD9F-4677-A977-725C7E20602D} - C:\WINDOWS\system32\ddcDuUMc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O20 - Winlogon Notify: ddcDuUMc - C:\WINDOWS\SYSTEM32\ddcDuUMc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3556 bytes
Fortygirl
Active Member
 
Posts: 5
Joined: May 21st, 2008, 3:55 pm

Re: I keep getting my explorer hacked somehow - can you help?

Post by peku006 » May 22nd, 2008, 1:11 am

Welcome to the MWR forums. My name is peku006. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean-looking HijackThis log is not always a sign your system is clean.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: I keep getting my explorer hacked somehow - can you help?

Post by peku006 » May 22nd, 2008, 8:06 am

Hello Fortygirl

1 - Download and Run VundoFix
Please download VundoFix.exe by Atribune save it to your desktop.
  • Double click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • A log will be saved here: C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid" - please download this file and save it to your desktop.
  • Right click on Comdlg32.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • On the text box above the Browse button, copy and paste in C:\Windows\system32.
  • Click OK.
  • Uncheck (untick) the Show extracted files box and click Finish.
  • Click on Start > Run and copy and paste in the following into the Run box:

    REGSVR32 C:\Windows\system32\comdlg32.ocx
  • Press Enter.
  • You should receive this message - DllRegisterServer in C:\Windows\system32\comdlg32.ocx succeeded.
  • Click OK and restart your computer. Then try running VundoFix again.

2 - uninstall list

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

3 - Status Check
Please reply with
1. the vundofix.txt
2. the uninstall list
3. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: I keep getting my explorer hacked somehow - can you help?

Post by Fortygirl » May 22nd, 2008, 11:03 pm

Hi peku006

I ran the VundoFix - and it came back with no infections found?

Any suggestions? I still have the Avast prompts telling me to move them to the chest.

Thank you,
Fortygirl
Fortygirl
Active Member
 
Posts: 5
Joined: May 21st, 2008, 3:55 pm

Re: I keep getting my explorer hacked somehow - can you help?

Post by peku006 » May 23rd, 2008, 5:47 am

Hi Fortygirl

Let us take a deeper look.

1 - Scan With ComboFix

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -

  • Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

2 - Status Check
Please reply with

1. the ComboFix log
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: I keep getting my explorer hacked somehow - can you help?

Post by Fortygirl » May 23rd, 2008, 12:57 pm

Hi and thank you so much!

I did not see any Recovery Console? But this is the log from ComboFix,
and the HijackThis log follows:

Thanks FG

PS: I have 3 sets of CD restore discs from Windows, but they do not work for some reason. So I have had to go bit by bit to get my XP Home edition to the manufacturer's installs. I may not understand too much, but I did all the drivers so I could keep my sounds and such.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
ComboFix 08-05-21.3 - Owner 2008-05-23 11:38:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.469 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 00:55 . 2008-05-23 00:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-23 00:55 . 2008-05-23 00:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-22 23:40 . 2008-05-22 23:40 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-22 22:20 . 2008-05-22 22:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gaijin Ent
2008-05-21 22:43 . 2008-05-21 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-18 06:49 . 2008-05-18 06:49 <DIR> d-------- C:\ISeeYouXP
2008-05-18 06:49 . 2005-01-14 01:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-05-18 06:41 . 2008-05-18 06:41 <DIR> d-------- C:\!KillBox
2008-05-18 06:39 . 2008-05-18 06:39 <DIR> d-------- C:\VundoFix Backups
2008-05-18 06:29 . 2008-05-18 06:55 <DIR> d-------- C:\Program Files\a-squared Free
2008-05-18 06:26 . 2008-05-18 06:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 22:59 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-17 22:59 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-14 12:45 . 2008-05-14 12:55 354 ---hs---- C:\WINDOWS\system32\missspqw.ini
2008-05-14 10:46 . 2008-05-14 10:46 474 ---hs---- C:\WINDOWS\system32\qdjtdawn.ini
2008-05-14 10:39 . 2008-05-14 10:39 29,824 --a------ C:\WINDOWS\system32\ddcDuUMc.dll
2008-05-14 10:13 . 2008-05-13 17:48 90,112 --a------ C:\WINDOWS\oadkxrts.exe
2008-05-11 11:59 . 2008-05-23 02:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 22:07 . 2008-05-08 22:07 <DIR> d-------- C:\Program Files\BigJig
2008-05-06 08:28 . 2008-05-06 08:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-04 14:11 . 2005-10-31 19:17 135,168 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2008-05-04 12:31 . 2008-05-04 12:31 21 --a------ C:\WINDOWS\Status.mif
2008-05-01 14:13 . 2008-05-01 14:13 10 --a------ C:\usb002
2008-05-01 14:12 . 2008-05-01 14:12 3 --a------ C:\usb
2008-04-29 10:37 . 2008-04-29 10:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-04-29 09:35 . 2008-04-29 09:35 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-04-28 08:43 . 2008-05-07 15:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GlarySoft
2008-04-28 08:40 . 2008-04-28 08:40 <DIR> d-------- C:\Program Files\Glary Utilities
2008-04-28 07:57 . 2008-04-28 07:57 8,192 --a------ C:\WINDOWS\Rpoint.exe
2008-04-27 13:01 . 2008-04-27 13:01 <DIR> d-------- C:\Program Files\Musicnotes
2008-04-25 15:06 . 2008-04-26 00:51 <DIR> d-------- C:\Program Files\MediaCoder Audio Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 07:55 --------- d-----w C:\Program Files\PopCap Games
2008-05-23 07:55 --------- d-----w C:\Program Files\LimeWire
2008-05-23 07:55 --------- d-----w C:\Program Files\Jewel Quest Solitaire II
2008-05-23 07:55 --------- d-----w C:\Program Files\Jewel Quest II
2008-05-23 05:43 --------- d-----w C:\Program Files\Jewel Quest Solitaire
2008-05-22 23:28 --------- d-----w C:\Program Files\Mystery Case Files - Madame Fate
2008-05-19 14:53 33,280 ----a-w C:\WINDOWS\system32\clipsrv.exe
2008-05-16 12:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\iWin
2008-05-13 14:14 --------- d-----w C:\Program Files\HP
2008-05-13 12:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-05-11 16:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-11 15:49 --------- d-----w C:\Program Files\Jigs@w Puzzle 2
2008-05-11 15:49 --------- d-----w C:\Program Files\Elements
2008-05-11 15:49 --------- d-----w C:\Program Files\CCleaner
2008-05-11 15:49 --------- d-----w C:\Program Files\AceMoney
2008-05-11 15:49 --------- d-----w C:\Program Files\Accounts and Budget Free V5.0
2008-05-11 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-05-09 15:21 --------- d-----w C:\Program Files\Java
2008-05-07 20:02 --------- d-----w C:\Program Files\Trillian
2008-05-07 20:02 --------- d-----w C:\Program Files\Google
2008-05-07 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-07 20:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\stickies
2008-05-07 18:40 --------- d-----w C:\Program Files\Oberon Media
2008-05-04 20:50 --------- d-----w C:\Program Files\Canon
2008-05-04 20:29 --------- d-----w C:\Program Files\BigFishGames
2008-05-04 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 19:08 105,088 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2008-05-04 18:45 --------- d-----w C:\Program Files\ATI Technologies
2008-05-04 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-05-04 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Friends Games
2008-04-28 13:54 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-28 13:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-28 13:46 --------- d-----w C:\Program Files\Trivial Pursuit Bring On The 90s
2008-04-22 00:13 --------- d-----w C:\Program Files\bfgclient
2008-04-16 13:59 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-04-16 05:39 --------- d-----w C:\Program Files\Auslogics
2008-04-16 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Auslogics
2008-04-12 16:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 12:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\AlauxSoft
2008-04-11 04:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-04-07 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2008-04-03 20:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Image Zone Express
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-26 13:20 --------- d-----w C:\Program Files\Mystery Case Files - Huntsville
2008-03-26 13:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\OfficeUpdate12
2008-03-26 13:10 --------- d-----w C:\Program Files\Realtek
2008-03-26 13:10 --------- d-----w C:\Program Files\QuickTime
2008-03-26 13:10 --------- d-----w C:\Program Files\Picasa2
2008-03-25 15:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-03-25 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SugarGames
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 21:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_11.25.20.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 21:37:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 16:35:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-12 16:44:11 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-05-15 23:24:43 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
- 2008-05-12 16:32:02 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-05-15 23:12:36 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
- 2008-05-12 16:33:19 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-05-15 23:13:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
- 2008-05-12 16:38:45 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-05-15 23:16:06 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
- 2008-05-12 16:38:25 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-05-15 23:18:33 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
- 2008-05-12 16:34:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-05-15 23:15:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
- 2008-05-12 16:36:18 77,904 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-05-15 23:20:32 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
- 2008-05-12 16:33:38 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-05-15 23:14:11 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-05-23 16:35:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D1277E3-AD9F-4677-A977-725C7E20602D}]
2008-05-14 10:39 29824 --a------ C:\WINDOWS\system32\ddcDuUMc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 05:54 16010240 C:\WINDOWS\RTHDCPL.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-12 11:39 79224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D1277E3-AD9F-4677-A977-725C7E20602D}"= C:\WINDOWS\system32\ddcDuUMc.dll [2008-05-14 10:39 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuUMc]
ddcDuUMc.dll 2008-05-14 10:39 29824 C:\WINDOWS\system32\ddcDuUMc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-10-04 16:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{487c636c-b721-11dc-8164-00142ae4ba4d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-23 16:35:46 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 11:40:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcDuUMc.dll
.
Completion time: 2008-05-23 11:42:08
ComboFix-quarantined-files.txt 2008-05-23 16:42:04
ComboFix2.txt 2008-05-23 16:25:58

Pre-Run: 12,046,471,168 bytes free
Post-Run: 12,035,219,456 bytes free

182 --- E O F --- 2008-05-14 08:03:32




~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:57 AM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {4D1277E3-AD9F-4677-A977-725C7E20602D} - C:\WINDOWS\system32\ddcDuUMc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O20 - Winlogon Notify: ddcDuUMc - C:\WINDOWS\SYSTEM32\ddcDuUMc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3768 bytes
Fortygirl
Active Member
 
Posts: 5
Joined: May 21st, 2008, 3:55 pm
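An added note on reading the two logs above (this is editorial example code, not something posted or run by the people in this thread). The same file, C:\WINDOWS\system32\ddcDuUMc.dll, shows up three times under different persistence mechanisms: as a nameless BHO (HijackThis O2 and the ComboFix "Browser Helper Objects" key), as a Winlogon Notify handler (O20 and the "winlogon\notify\ddcDuUMc" key), and as a ShellExecuteHooks entry; the ComboFix footer also lists it under "DLLs Loaded Under Running Processes" inside winlogon.exe. A DLL mapped into winlogon.exe is loaded before any user logs on, which helps explain why an on-access scanner can keep flagging it without being able to get rid of it. The Python script below parses HijackThis-style lines (the six sample lines are copied from the log in this thread) and groups entries by file name so that this "one DLL, several hooks" pattern stands out. The name-shape check in looks_random is a heuristic of mine, not a rule from HijackThis or ComboFix.

```python
import re
from collections import defaultdict

# Sample input: HijackThis entries copied from the log posted in this
# thread, embedded here so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4D1277E3-AD9F-4677-A977-725C7E20602D} - C:\WINDOWS\system32\ddcDuUMc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: ddcDuUMc - C:\WINDOWS\SYSTEM32\ddcDuUMc.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body, path) triples for HJT lines that name a file."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        path = None
        if section in ("O2", "O20", "O23"):
            # These sections end with " - <path>"; split once from the right
            # so vendor names containing " - " do not confuse the parser.
            path = body.rsplit(" - ", 1)[-1]
        elif section == "O4":
            # "O4 - HKLM\..\Run: [name] <command line>"
            m4 = re.match(r".*\] (.+)$", body)
            path = m4.group(1) if m4 else None
        if path:
            entries.append((section, body, path.strip()))
    return entries


def basename(path):
    return path.replace("/", "\\").split("\\")[-1]


def looks_random(name):
    """Heuristic (my own, not a HijackThis rule): an 8-letter stem with mixed
    case after the first character and no digits, e.g. ddcDuUMc.dll.
    Legitimate files can match; treat a hit as a reason to look closer."""
    stem = name.rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem[1:])
            and any(c.islower() for c in stem[1:]))


def find_suspicious(entries):
    """Map lowercase file name -> list of reasons it deserves attention."""
    sections_by_file = defaultdict(set)
    for section, _body, path in entries:
        sections_by_file[basename(path).lower()].add(section)

    reasons = defaultdict(list)

    def note(key, msg):
        if msg not in reasons[key]:
            reasons[key].append(msg)

    for section, body, path in entries:
        name = basename(path)
        key = name.lower()
        hooks = sections_by_file[key]
        if section == "O2" and body.startswith("BHO: (no name)"):
            note(key, "BHO registered without a name")
        if "O20" in hooks and len(hooks) > 1:
            # One DLL hooked into winlogon.exe *and* another load point.
            others = ", ".join(sorted(hooks - {"O20"}))
            note(key, "Winlogon Notify handler that is also registered as " + others)
        if "\\system32\\" in path.lower() and looks_random(name):
            note(key, "random-looking 8-letter name in system32 (heuristic)")
    return dict(reasons)


if __name__ == "__main__":
    for name, why in find_suspicious(parse_hjt(SAMPLE_LOG)).items():
        print(name)
        for reason in why:
            print("   -", reason)
```

Run against the sample lines it reports only ddcduumc.dll, with all three reasons; ssv.dll, ashDisp.exe and ashServ.exe pass untouched because each is registered in a single section under a vendor directory. The grouping step is the useful part: a file that is both a BHO and a Winlogon Notify handler is rare for legitimate software and is the reason the helper in this thread moved from VundoFix to ComboFix rather than deleting the file by hand.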

Re: I keep getting my explorer hacked somehow - can you help?

Post by peku006 » May 24th, 2008, 5:26 am

Hi Fortygirl

Microsoft's Recovery Console is not to be confused with OEM manufacturer's recovery disks/partitions. Unlike the OEM options, RC does not perform a destructive reinstall of the machine.
The Windows Recovery Console is designed to help you recover when your Windows-based computer does not start properly or does not start at all.

P2P - I see you have P2P software ( Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

1 - RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

2 - Status Check
Please reply with

1. the ComboFix log
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: I keep getting my explorer hacked somehow - can you help?

Post by Fortygirl » May 24th, 2008, 3:32 pm

Thank you so much for your help.

This is the ComboFix log, and the HijackThis log will follow.

################################

ComboFix 08-05-21.3 - Owner 2008-05-24 14:22:04.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.486 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\FhiOYJlm.ini
C:\WINDOWS\system32\FhiOYJlm.ini2
C:\WINDOWS\system32\mlJYOihF.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 14:16 . 2008-05-24 14:16 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-05-24 14:16 . 2008-05-24 14:16 <DIR> d-------- C:\CanonMP
2008-05-24 14:16 . 2005-05-07 00:00 140,288 --a------ C:\WINDOWS\system32\CNMLM7M.DLL
2008-05-23 20:16 . 2008-05-23 20:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SultansLabyrinth
2008-05-23 00:55 . 2008-05-23 00:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-23 00:55 . 2008-05-23 00:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-22 23:40 . 2008-05-22 23:40 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-05-22 22:20 . 2008-05-22 22:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Gaijin Ent
2008-05-21 22:43 . 2008-05-21 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Astar Games
2008-05-18 06:49 . 2008-05-18 06:49 <DIR> d-------- C:\ISeeYouXP
2008-05-18 06:49 . 2005-01-14 01:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-05-18 06:41 . 2008-05-18 06:41 <DIR> d-------- C:\!KillBox
2008-05-18 06:39 . 2008-05-18 06:39 <DIR> d-------- C:\VundoFix Backups
2008-05-18 06:29 . 2008-05-18 06:55 <DIR> d-------- C:\Program Files\a-squared Free
2008-05-18 06:26 . 2008-05-18 06:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 22:59 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-05-17 22:59 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-14 12:45 . 2008-05-14 12:55 354 ---hs---- C:\WINDOWS\system32\missspqw.ini
2008-05-14 10:46 . 2008-05-14 10:46 474 ---hs---- C:\WINDOWS\system32\qdjtdawn.ini
2008-05-14 10:39 . 2008-05-14 10:39 29,824 --a------ C:\WINDOWS\system32\ddcDuUMc.dll
2008-05-14 10:13 . 2008-05-13 17:48 90,112 --a------ C:\WINDOWS\oadkxrts.exe
2008-05-11 11:59 . 2008-05-24 00:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-08 22:07 . 2008-05-08 22:07 <DIR> d-------- C:\Program Files\BigJig
2008-05-06 08:28 . 2008-05-06 08:28 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-04 14:11 . 2005-10-31 19:17 135,168 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2008-05-04 12:31 . 2008-05-04 12:31 21 --a------ C:\WINDOWS\Status.mif
2008-05-01 14:13 . 2008-05-01 14:13 10 --a------ C:\usb002
2008-05-01 14:12 . 2008-05-01 14:12 3 --a------ C:\usb
2008-04-29 10:37 . 2008-04-29 10:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-04-29 09:35 . 2008-04-29 09:35 <DIR> d-------- C:\Program Files\Essentials Codec Pack
2008-04-28 08:43 . 2008-05-07 15:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GlarySoft
2008-04-28 08:40 . 2008-04-28 08:40 <DIR> d-------- C:\Program Files\Glary Utilities
2008-04-28 07:57 . 2008-04-28 07:57 8,192 --a------ C:\WINDOWS\Rpoint.exe
2008-04-27 13:01 . 2008-04-27 13:01 <DIR> d-------- C:\Program Files\Musicnotes
2008-04-25 15:06 . 2008-04-26 00:51 <DIR> d-------- C:\Program Files\MediaCoder Audio Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 18:39 --------- d-----w C:\Program Files\LimeWire
2008-05-24 05:53 --------- d-----w C:\Program Files\Jewel Quest II
2008-05-24 00:51 0 ----a-w C:\Program Files\temp01
2008-05-23 17:28 --------- d-----w C:\Program Files\Mystery Case Files - Madame Fate
2008-05-23 07:55 --------- d-----w C:\Program Files\PopCap Games
2008-05-23 07:55 --------- d-----w C:\Program Files\Jewel Quest Solitaire II
2008-05-23 05:43 --------- d-----w C:\Program Files\Jewel Quest Solitaire
2008-05-16 12:41 --------- d-----w C:\Documents and Settings\Owner\Application Data\iWin
2008-05-13 14:14 --------- d-----w C:\Program Files\HP
2008-05-13 12:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Big Fish Games
2008-05-11 16:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-05-11 15:49 --------- d-----w C:\Program Files\Jigs@w Puzzle 2
2008-05-11 15:49 --------- d-----w C:\Program Files\Elements
2008-05-11 15:49 --------- d-----w C:\Program Files\CCleaner
2008-05-11 15:49 --------- d-----w C:\Program Files\AceMoney
2008-05-11 15:49 --------- d-----w C:\Program Files\Accounts and Budget Free V5.0
2008-05-11 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes
2008-05-09 15:21 --------- d-----w C:\Program Files\Java
2008-05-07 20:02 --------- d-----w C:\Program Files\Trillian
2008-05-07 20:02 --------- d-----w C:\Program Files\Google
2008-05-07 20:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-07 20:00 --------- d-----w C:\Documents and Settings\Owner\Application Data\stickies
2008-05-07 18:40 --------- d-----w C:\Program Files\Oberon Media
2008-05-04 20:50 --------- d-----w C:\Program Files\Canon
2008-05-04 20:29 --------- d-----w C:\Program Files\BigFishGames
2008-05-04 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 19:08 105,088 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2008-05-04 18:45 --------- d-----w C:\Program Files\ATI Technologies
2008-05-04 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2008-05-04 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Friends Games
2008-04-28 13:54 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-28 13:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-04-28 13:46 --------- d-----w C:\Program Files\Trivial Pursuit Bring On The 90s
2008-04-22 00:13 --------- d-----w C:\Program Files\bfgclient
2008-04-16 13:59 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-04-16 05:39 --------- d-----w C:\Program Files\Auslogics
2008-04-16 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Auslogics
2008-04-12 16:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 12:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\AlauxSoft
2008-04-11 04:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-04-07 02:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\FireGlow
2008-04-03 20:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Image Zone Express
2008-03-26 13:20 --------- d-----w C:\Program Files\Mystery Case Files - Huntsville
2008-03-26 13:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\OfficeUpdate12
2008-03-26 13:10 --------- d-----w C:\Program Files\Realtek
2008-03-26 13:10 --------- d-----w C:\Program Files\QuickTime
2008-03-26 13:10 --------- d-----w C:\Program Files\Picasa2
2008-03-25 15:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2008-03-25 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SugarGames
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_11.25.20.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 21:37:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 19:25:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2008-05-11 16:39:29 76,487 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
+ 2008-05-23 17:13:30 76,487 ----a-w C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
- 2008-05-11 16:39:29 2,378 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2008-05-23 17:13:30 2,378 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
- 2008-05-12 16:44:11 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2008-05-15 23:24:43 1,152,888 ----a-w C:\WINDOWS\system32\aswBoot.exe
- 2008-05-12 16:32:02 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-05-15 23:12:36 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
- 2008-05-12 16:33:19 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2008-05-15 23:13:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
- 2008-05-12 16:38:45 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
+ 2008-05-15 23:16:06 20,560 ----a-w C:\WINDOWS\system32\drivers\aswFsBlk.sys
- 2008-05-12 16:38:25 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2008-05-15 23:18:33 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
- 2008-05-12 16:34:42 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2008-05-15 23:15:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
- 2008-05-12 16:36:18 77,904 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
+ 2008-05-15 23:20:32 78,416 ----a-w C:\WINDOWS\system32\drivers\aswSP.sys
- 2008-05-12 16:33:38 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2008-05-15 23:14:11 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2005-05-07 05:00:00 274,944 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCB7M.DLL
+ 2005-05-07 05:00:00 100,352 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMCP7M.DLL
+ 2005-05-07 05:00:00 151,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMD57M.DLL
+ 2005-05-07 05:00:00 397,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMDR7M.DLL
+ 2005-05-07 05:00:00 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMFU7M.DLL
+ 2005-05-07 05:00:00 92,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMLR7M.DLL
+ 2005-05-07 05:00:00 25,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMOP7M.DLL
+ 2005-05-07 05:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP07M.DAT
+ 2005-05-07 05:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP17M.DAT
+ 2005-05-07 05:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMP27M.DAT
+ 2005-05-07 05:00:00 7,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPI7M.DLL
+ 2005-05-07 05:00:00 89,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMPV7M.DLL
+ 2005-05-07 05:00:00 223,744 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSB7M.DLL
+ 2005-05-07 05:00:00 39,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSD7M.DLL
+ 2005-05-07 05:00:00 194,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSM7M.DLL
+ 2005-05-07 05:00:00 39,424 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSQ7M.DLL
+ 2005-05-07 05:00:00 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMSR7M.DLL
+ 2005-05-07 05:00:00 663,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUB7M.DLL
+ 2005-05-07 05:00:00 1,635,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUI7M.DLL
+ 2005-05-07 05:00:00 254,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMUR7M.DLL
+ 2005-05-07 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\CNMW37M.DLL
+ 2005-05-07 05:00:00 274,944 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMCB7M.DLL
+ 2005-05-07 05:00:00 100,352 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMCP7M.DLL
+ 2005-05-07 05:00:00 151,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMD57M.DLL
+ 2005-05-07 05:00:00 397,312 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMDR7M.DLL
+ 2005-05-07 05:00:00 19,968 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMFU7M.DLL
+ 2005-05-07 05:00:00 92,160 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMLR7M.DLL
+ 2005-05-07 05:00:00 25,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMOP7M.DLL
+ 2005-05-07 05:00:00 23,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMP07M.DAT
+ 2005-05-07 05:00:00 27,140 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMP17M.DAT
+ 2005-05-07 05:00:00 30,320 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMP27M.DAT
+ 2005-05-07 05:00:00 7,168 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMPI7M.DLL
+ 2005-05-07 05:00:00 89,088 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMPV7M.DLL
+ 2005-05-07 05:00:00 223,744 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMSB7M.DLL
+ 2005-05-07 05:00:00 39,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMSD7M.DLL
+ 2005-05-07 05:00:00 194,048 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMSM7M.DLL
+ 2005-05-07 05:00:00 39,424 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMSQ7M.DLL
+ 2005-05-07 05:00:00 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMSR7M.DLL
+ 2005-05-07 05:00:00 663,552 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMUB7M.DLL
+ 2005-05-07 05:00:00 1,635,840 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMUI7M.DLL
+ 2005-05-07 05:00:00 254,464 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMUR7M.DLL
+ 2005-05-07 05:00:00 6,656 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\canonmp800b2ef\CNMW37M.DLL
+ 2008-05-24 19:25:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5cc.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D1277E3-AD9F-4677-A977-725C7E20602D}]
2008-05-14 10:39 29824 --a------ C:\WINDOWS\system32\ddcDuUMc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 05:54 16010240 C:\WINDOWS\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D1277E3-AD9F-4677-A977-725C7E20602D}"= C:\WINDOWS\system32\ddcDuUMc.dll [2008-05-14 10:39 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuUMc]
ddcDuUMc.dll 2008-05-14 10:39 29824 C:\WINDOWS\system32\ddcDuUMc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-10-04 16:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{487c636c-b721-11dc-8164-00142ae4ba4d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-24 19:25:16 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 14:25:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ddcDuUMc.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2008-05-24 14:28:07 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-24 19:28:02
ComboFix2.txt 2008-05-24 18:31:52
ComboFix3.txt 2008-05-24 18:23:55
ComboFix4.txt 2008-05-23 16:42:09
ComboFix5.txt 2008-05-23 16:25:58

Pre-Run: 12,270,891,008 bytes free
Post-Run: 12,197,220,352 bytes free

247 --- E O F --- 2008-05-14 08:03:32


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:03 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.1
O2 - BHO: (no name) - {4D1277E3-AD9F-4677-A977-725C7E20602D} - C:\WINDOWS\system32\ddcDuUMc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O20 - Winlogon Notify: ddcDuUMc - C:\WINDOWS\SYSTEM32\ddcDuUMc.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3404 bytes
Fortygirl
Active Member
 
Posts: 5
Joined: May 21st, 2008, 3:55 pm
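
The ComboFix "Reg Loading Points" section and the HijackThis O2/O20 lines in the log above reference the same DLL from three different load points (a Browser Helper Object, a ShellExecuteHook and a Winlogon Notify package), which is what a helper reading such a log looks for by eye. The Python script below is an added example, not part of the thread and not code from ComboFix or HijackThis; it parses the excerpts copied verbatim from the log above and lists every module hooked into more than one load point. The load-point names, the regular expressions and the minimum of two load points are the example's own choices.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the ComboFix "Reg Loading Points" section posted above (copied verbatim).
COMBOFIX_REG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D1277E3-AD9F-4677-A977-725C7E20602D}]
2008-05-14 10:39 29824 --a------ C:\WINDOWS\system32\ddcDuUMc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 05:54 16010240 C:\WINDOWS\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D1277E3-AD9F-4677-A977-725C7E20602D}"= C:\WINDOWS\system32\ddcDuUMc.dll [2008-05-14 10:39 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuUMc]
ddcDuUMc.dll 2008-05-14 10:39 29824 C:\WINDOWS\system32\ddcDuUMc.dll
"""

# HijackThis lines from the same post (copied verbatim).
HIJACKTHIS_EXCERPT = r"""
O2 - BHO: (no name) - {4D1277E3-AD9F-4677-A977-725C7E20602D} - C:\WINDOWS\system32\ddcDuUMc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: ddcDuUMc - C:\WINDOWS\SYSTEM32\ddcDuUMc.dll
"""

# Registry key patterns (matched against the lower-cased key) and the load point each stands for.
# These names are this example's own labels, not ComboFix or HijackThis terminology.
LOADING_POINTS = [
    (re.compile(r"browser helper objects"), "BHO"),
    (re.compile(r"shellexecutehooks$"), "ShellExecuteHooks"),
    (re.compile(r"winlogon\\notify\\"), "WinlogonNotify"),
    (re.compile(r"currentversion\\run$"), "Run"),
]

# HijackThis section codes that correspond to the same load points.
HJT_SECTIONS = {"O2": "BHO", "O4": "Run", "O20": "WinlogonNotify"}

# An absolute Windows path ending in a loadable module; stops at brackets and quotes.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)


def classify_key(header):
    """Map a '[HKEY_...]' header line to a load-point name, or None if it is not one we track."""
    key = header.strip().strip("[]").lower()
    for pattern, name in LOADING_POINTS:
        if pattern.search(key):
            return name
    return None


def parse_combofix_reg(text):
    """Return {module basename (lower-case): set of load points} from a Reg Loading Points section."""
    found = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = classify_key(line)  # a new key header; following lines belong to it
            continue
        if current is None:
            continue
        for path in WIN_PATH.findall(line):
            found[ntpath.basename(path).lower()].add(current)
    return found


def parse_hijackthis(text):
    """Same shape as parse_combofix_reg, built from HijackThis O2/O4/O20 lines."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"(O\d+) - ", line.strip())
        if not m or m.group(1) not in HJT_SECTIONS:
            continue
        for path in WIN_PATH.findall(line):
            found[ntpath.basename(path).lower()].add(HJT_SECTIONS[m.group(1)])
    return found


def merge(*sources):
    """Union the per-module load-point sets from several parsed logs."""
    merged = defaultdict(set)
    for src in sources:
        for module, points in src.items():
            merged[module] |= points
    return merged


def suspicious_modules(merged, min_points=2):
    """Modules hooked into at least min_points distinct load points, most hooked first."""
    hits = {m: sorted(p) for m, p in merged.items() if len(p) >= min_points}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


def triage(combofix_text=COMBOFIX_REG_EXCERPT, hjt_text=HIJACKTHIS_EXCERPT):
    """Cross-check both logs and return the modules that appear at two or more load points."""
    return suspicious_modules(merge(parse_combofix_reg(combofix_text), parse_hijackthis(hjt_text)))


if __name__ == "__main__":
    for module, points in triage().items():
        print(f"{module}: {', '.join(points)}")
```

Run as a script it prints one line for ddcDuUMc.dll listing all three load points, while RTHDCPL.exe (Run only) and ssv.dll (one BHO) fall below the threshold. Being referenced from several load points is not proof of malice by itself, but a single unsigned DLL in system32 that a Winlogon Notify entry forces into winlogon.exe, a ShellExecuteHook forces into every shell launch and a BHO forces into Internet Explorer is exactly the pattern a helper wants brought to the top of the list.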

Re: I keep getting my explorer hacked somehow - can you help?

Unread postby peku006 » May 25th, 2008, 5:35 am

Hi Fortygirl

I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it's not technically considered spyware, it does have built-in components to update itself and gather information about the computer system, including:
  1. Operating System Version
  2. CPU Type and Speed
  3. Memory Amount
  4. Video Card type and Driver Version
  5. Sound Card type and Driver Version
  6. DirectX Version
  7. Location that the Web Driver was installed from
It is also a MAJOR resource hog.
For more information, see WildTangent Removal Instructions and Help and Inside Wild Tangent-Delivering High-End 3-D Content To A Web Site Near You.
Unless you are an extremely avid games player, I recommend you uninstall Wild Tangent. To uninstall Wild Tangent:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Wild Tangent, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\WINDOWS\system32\missspqw.ini
C:\WINDOWS\system32\qdjtdawn.ini
C:\WINDOWS\system32\ddcDuUMc.dll
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\iun6002.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D1277E3-AD9F-4677-A977-725C7E20602D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D1277E3-AD9F-4677-A977-725C7E20602D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuUMc]


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

2 - Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

3 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
2. the ComboFix log
3. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: I keep getting my explorer hacked somehow - can you help?

Unread postby Fortygirl » May 26th, 2008, 10:23 am

I tried to remove WildTangent within Control Panel and it wasn't listed there to remove???

I do not know what CFScript is - to be able to open into Notepad?

Thank you.
Fortygirl
Active Member
 
Posts: 5
Joined: May 21st, 2008, 3:55 pm

Re: I keep getting my explorer hacked somehow - can you help?

Unread postby peku006 » May 26th, 2008, 11:14 am

Hi Fortygirl
I tried to remove WildTangent within Control Panel and it wasn't listed there to remove
It's away, that's good news...

I do not know what CFScript is

I will try to explain a little more...

1 - Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
File::
C:\WINDOWS\system32\missspqw.ini
C:\WINDOWS\system32\qdjtdawn.ini
C:\WINDOWS\system32\ddcDuUMc.dll
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\iun6002.exe
Folder::
C:\Documents and Settings\All Users\Application Data\WildTangent
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D1277E3-AD9F-4677-A977-725C7E20602D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D1277E3-AD9F-4677-A977-725C7E20602D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuUMc]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
[screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

2 - Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

3 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
2. the ComboFix log
3. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
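
Before a CFScript is dragged onto ComboFix it is worth reading back exactly what it asks for, since every line under File:: and Folder:: is a deletion and every [-key] or "name"=- line removes part of the registry. The parser below is an added example, not code from the thread or from ComboFix. It recognises only the three directives used in the two scripts above (File::, Folder::, Registry::) and the two Registry:: line forms they contain; the interpretation of [-key] as "delete this key" and "name"=- under a [key] as "delete this value" follows REGEDIT4 conventions and is this example's assumption. Anything it does not recognise is reported as an error rather than guessed at, so a stray line or a relative path is caught before the script runs. The sample input is the second CFScript from this thread, copied verbatim.

```python
import re

# The CFScript posted in the reply above, copied verbatim, used as sample input.
CFSCRIPT_FROM_THREAD = r"""File::
C:\WINDOWS\system32\missspqw.ini
C:\WINDOWS\system32\qdjtdawn.ini
C:\WINDOWS\system32\ddcDuUMc.dll
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\iun6002.exe
Folder::
C:\Documents and Settings\All Users\Application Data\WildTangent
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D1277E3-AD9F-4677-A977-725C7E20602D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D1277E3-AD9F-4677-A977-725C7E20602D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuUMc]
"""

# Only the directives used in this thread; anything else is reported, not guessed at.
KNOWN_SECTIONS = ("File", "Folder", "Registry")
ABS_PATH = re.compile(r"^[A-Za-z]:\\.+$")          # drive letter, backslash, something after it
REG_KEY = re.compile(r"^\[(-?)(.+)\]$")            # [key] opens a key, [-key] deletes it (assumed REGEDIT4 semantics)
REG_VALUE_DELETE = re.compile(r'^"([^"]*)"=-$')    # "name"=- deletes a value in the currently open key


def parse_cfscript(text):
    """Split a CFScript into a deletion plan and a list of lines that could not be understood.

    Returns (plan, errors). plan maps each section name to its entries; Registry entries are
    (action, key, value_name) tuples with action 'delete_key' or 'delete_value'.
    """
    plan = {name: [] for name in KNOWN_SECTIONS}
    errors = []
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2] if line[:-2] in KNOWN_SECTIONS else None
            if section is None:
                errors.append(f"line {lineno}: unknown directive {line!r}")
            continue
        if section is None:
            errors.append(f"line {lineno}: entry outside a known section: {line!r}")
        elif section in ("File", "Folder"):
            if ABS_PATH.match(line):
                plan[section].append(line)
            else:
                errors.append(f"line {lineno}: {section}:: entry is not an absolute path: {line!r}")
        else:
            key = REG_KEY.match(line)
            value = REG_VALUE_DELETE.match(line)
            if key:
                current_key = key.group(2)
                if key.group(1) == "-":
                    plan["Registry"].append(("delete_key", current_key, None))
            elif value and current_key is not None:
                plan["Registry"].append(("delete_value", current_key, value.group(1)))
            else:
                errors.append(f"line {lineno}: unrecognised Registry:: line: {line!r}")
    return plan, errors


def summarize(plan):
    """One plain-English line per deletion the script would ask ComboFix to perform."""
    lines = [f"delete file {p}" for p in plan["File"]]
    lines += [f"delete folder {p}" for p in plan["Folder"]]
    for action, key, name in plan["Registry"]:
        if action == "delete_key":
            lines.append(f"delete registry key {key}")
        else:
            lines.append(f"delete registry value {name!r} under {key}")
    return lines


if __name__ == "__main__":
    plan, errors = parse_cfscript(CFSCRIPT_FROM_THREAD)
    for entry in summarize(plan):
        print(entry)
    for err in errors:
        print("ERROR:", err)
```

For the script from this thread the summary is nine lines: five file deletions, one folder deletion, two key deletions and one value deletion (the BHO's CLSID removed from the ShellExecuteHooks key), and the error list is empty. Feeding it a script with a bare filename such as missspqw.ini instead of the full path, or a directive the example does not know, produces an error line instead of a silently shorter plan.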

Re: I keep getting my explorer hacked somehow - can you help?

Unread postby NonSuch » May 31st, 2008, 4:55 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California