Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hijack this and silent runners log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

hijack this and silent runners log

Unread postby jfurt » August 24th, 2005, 7:30 pm

to whom this may concern:

I have been having some trouble getting rid of both "Hoowah" and "coowebsearch" along with several other resident problems.

I installed the Tauscan trial edition and have yet to be able to delete several files and processes that were tied to it even with Advanced Uninstaller Pro

there is also some rememnant of an ad blocker running that is stopping me from running several java applets

I've run: AVG, Housecall, spybot & lavasoft adware

I've attached logs for both Hijackthis, Silent Runners, and Itty Bitty process manager

any help that you can provide would be GREATLY appreciated


Logfile of HijackThis v1.99.1
Scan saved at 6:48:37 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
H:\avg\avgupsvc.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\DOCUME~1\Louie\LOCALS~1\Temp\sysnet.exe
E:\WINDOWS\dejadlk.EXE
E:\Program Files\Tweak-XP\tranicon.exe
E:\WINDOWS\xjmhssz.exe
E:\WINDOWS\system32\ctfmon.exe
H:\avg\avgamsvr.exe
H:\avg\avgcc.exe
H:\avg\avgemc.exe
E:\Program Files\Hijack this\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/def ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - E:\WINDOWS\system32\fofqqdjm.dll
O4 - HKLM\..\Run: [AVG7_CC] H:\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] H:\avg\avgemc.exe
O4 - HKLM\..\Run: [lanbrup] E:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] E:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Sysnet] E:\DOCUME~1\Louie\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Media Access] E:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [dejadlk] E:\WINDOWS\dejadlk.EXE
O4 - HKCU\..\Run: [TransparentIcons] "E:\Program Files\Tweak-XP\tranicon.exe" -ex
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\avg\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - E:\WINDOWS\xjmhssz.exe



"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TransparentIcons" = ""E:\Program Files\Tweak-XP\tranicon.exe" -ex" ["Totalidea Software"]
"ctfmon.exe" = "E:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "H:\avg\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "H:\avg\avgemc.exe" ["GRISOFT, s.r.o."]
"lanbrup" = "E:\WINDOWS\system32\lanbrup.exe" [null data]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"POINTER" = "E:\Program Files\Microsoft Hardware\Mouse\point32.exe" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Sysnet" = "E:\DOCUME~1\Louie\LOCALS~1\Temp\sysnet.exe" [null data]
"pjmjpiu" = "E:\WINDOWS\pjmjpiu.EXE" ["System Service"]
"Media Access" = "E:\Program Files\Media Access\MediaAccK.exe" [file not found]
"TraySantaCruz" = "E:\WINDOWS\system32\tbctray.exe" ["Voyetra Turtle Beach, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "E:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{71D1708F-973D-4600-AF01-AD86688403AE}\(Default) = "LANBridge Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\system32\fofqqdjm.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
"{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}" = "Tauscan Menu"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "h:\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "h:\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\Documents and Settings\Louie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Louie" & "All Users" startup folders:
-------------------------------------------------------

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"InterVideo WinCinema Manager" -> shortcut to: "E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 34
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "E:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "H:\avg\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "H:\avg\avgupsvc.exe" ["GRISOFT, s.r.o."]
IPv6 Helper Service, 6to4, "E:\WINDOWS\system32\svchost.exe -k netsvcs" {"E:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Driver Helper Service, NVSvc, "E:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Overlay Components, Windows Overlay Components, "E:\WINDOWS\mhsewhj.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 29 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 28 seconds.
---------- (total run time: 93 seconds)


IBPM

Process list saved on 7:28:15 PM, on 8/24/2005
Platform: WinNT 5.01.2600 SP2

[pid] [full path to filename] [file version] [company name]
568 E:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
644 E:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
688 E:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
700 E:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
852 E:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
972 E:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1288 E:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1532 E:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1680 H:\avg\avgupsvc.exe 7.1.0.321 GRISOFT, s.r.o.
1728 E:\Program Files\Microsoft Hardware\Mouse\point32.exe 3.10.0.393 Microsoft Corporation
1756 E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation
1788 E:\WINDOWS\System32\nvsvc32.exe 6.14.10.4523 NVIDIA Corporation
1924 E:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2004 E:\Program Files\Tweak-XP\tranicon.exe 1.0.0.0 Totalidea Software
204 E:\WINDOWS\xjmhssz.exe
216 E:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
3224 H:\avg\avgamsvr.exe 7.1.0.321 GRISOFT, s.r.o.
3268 H:\avg\avgcc.exe 7.1.0.338 GRISOFT, s.r.o.
3276 H:\avg\avgemc.exe 7.1.0.338 GRISOFT, s.r.o.
3920 E:\Program Files\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation
1848 h:\PowerArchiver\POWERARC.EXE 9.25.2.0 ConeXware, Inc.
228 E:\DOCUME~1\Louie\LOCALS~1\Temp\_PA924\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.
jfurt
Active Member
 
Posts: 5
Joined: August 24th, 2005, 7:13 pm
Advertisement
Register to Remove

Unread postby Bertha » August 27th, 2005, 3:20 pm

Hi

Sorry for the wait,

As its has been several days things may have chnaged, please can you post a fresh HJT Log

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

new logs, HELLLLLLPPP!!!

Unread postby jfurt » August 27th, 2005, 11:43 pm

here are my logs as of 8/27

thanks again for any insight

HTJ
Logfile of HijackThis v1.99.1
Scan saved at 11:36:42 PM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\Program Files\Tweak-XP\tranicon.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\ipndiqo.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Hijack this\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/def ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - E:\WINDOWS\system32\fofqqdjm.dll
O4 - HKLM\..\Run: [AVG7_CC] H:\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] H:\avg\avgemc.exe
O4 - HKLM\..\Run: [lanbrup] E:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] E:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Media Access] E:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ipndiqo] E:\WINDOWS\ipndiqo.EXE
O4 - HKCU\..\Run: [TransparentIcons] "E:\Program Files\Tweak-XP\tranicon.exe" -ex
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\avg\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - E:\WINDOWS\xjmhssz.exe

Silent runners

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TransparentIcons" = ""E:\Program Files\Tweak-XP\tranicon.exe" -ex" ["Totalidea Software"]
"ctfmon.exe" = "E:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "H:\avg\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "H:\avg\avgemc.exe" ["GRISOFT, s.r.o."]
"lanbrup" = "E:\WINDOWS\system32\lanbrup.exe" [null data]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"POINTER" = "E:\Program Files\Microsoft Hardware\Mouse\point32.exe" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Media Access" = "E:\Program Files\Media Access\MediaAccK.exe" [file not found]
"ipndiqo" = "E:\WINDOWS\ipndiqo.EXE" ["System Service"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "E:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{71D1708F-973D-4600-AF01-AD86688403AE}\(Default) = "LANBridge Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\system32\fofqqdjm.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
"{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}" = "Tauscan Menu"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "h:\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "H:\avg\avgse.dll" ["GRISOFT, s.r.o."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {CLSID}\InProcServer32\(Default) = "h:\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"
-> {CLSID}\InProcServer32\(Default) = "H:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\Documents and Settings\Louie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Louie" & "All Users" startup folders:
-------------------------------------------------------

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"InterVideo WinCinema Manager" -> shortcut to: "E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 34
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "E:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

IPv6 Helper Service, 6to4, "E:\WINDOWS\system32\svchost.exe -k netsvcs" {"E:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Driver Helper Service, NVSvc, "E:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 20 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 28 seconds.
---------- (total run time: 77 seconds)


IBPM

Process list saved on 11:40:42 PM, on 8/27/2005
Platform: WinNT 5.01.2600 SP2

[pid] [full path to filename] [file version] [company name]
568 E:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
640 E:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
684 E:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
696 E:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
848 E:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
976 E:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1288 E:\WINDOWS\system32\spoolsv.exe 5.1.2600.2180 Microsoft Corporation
1488 E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation
1516 E:\WINDOWS\System32\nvsvc32.exe 6.14.10.4523 NVIDIA Corporation
1648 E:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1932 E:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1064 E:\Program Files\Microsoft Hardware\Mouse\point32.exe 3.10.0.393 Microsoft Corporation
1140 E:\Program Files\Tweak-XP\tranicon.exe 1.0.0.0 Totalidea Software
1216 E:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
2404 E:\WINDOWS\ipndiqo.exe 1.0.0.0 System Service
2308 E:\Program Files\Internet Explorer\iexplore.exe 6.0.2900.2180 Microsoft Corporation
1864 E:\Documents and Settings\Louie\My Documents\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.



I still fighting with hoowah as well as win-fixer and a few other nasties. and i'm still trying to root out a few pieces of tauscan and outpost firewall that are giving me some trouble. i want to install zone alarm but not until i can get rid of the rememnants.

any help u can give me would be greatly appreciated
thanx
jfurt
Active Member
 
Posts: 5
Joined: August 24th, 2005, 7:13 pm

Unread postby Bertha » August 31st, 2005, 1:31 pm

Hi,

Sorry for the wait I never got the email notifications on this topic,

Please post just a fresh HJT Log for now, and if needed we can use other scans

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

thanks for getting back

Unread postby jfurt » August 31st, 2005, 4:15 pm

sorry for all of the excess info

and if you could walk me through this i would appreciate it very much i have a couple of comptia certs and i'm looking to get a sec. + cert soon so i've joined the university here to get a jump on things.

thanx


Logfile of HijackThis v1.99.1
Scan saved at 4:15:12 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
H:\avg\avgamsvr.exe
H:\avg\avgupsvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
H:\avg\avgcc.exe
H:\avg\avgemc.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\WINDOWS\system32\tbctray.exe
E:\Program Files\Tweak-XP\tranicon.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Hijack this\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - E:\WINDOWS\system32\fofqqdjm.dll
O4 - HKLM\..\Run: [AVG7_CC] H:\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] H:\avg\avgemc.exe
O4 - HKLM\..\Run: [lanbrup] E:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] E:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Media Access] E:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [ipndiqo] E:\WINDOWS\ipndiqo.EXE
O4 - HKLM\..\Run: [TraySantaCruz] E:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [TransparentIcons] "E:\Program Files\Tweak-XP\tranicon.exe" -ex
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\avg\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - E:\WINDOWS\xjmhssz.exe (file missing)

thanks again
jfurt
Active Member
 
Posts: 5
Joined: August 24th, 2005, 7:13 pm

Unread postby Bertha » August 31st, 2005, 4:24 pm

Moved to the Shadow Board (Room 06) as you are now a Trainee

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Bertha » August 31st, 2005, 4:33 pm

jfurt,

Usually we ask Trainees to guide themselves through the proces, however as your new and have been waiting, then lets go straight to the cleaning :D

Please reply to the topic in room 06
Posted the fix here incase you miss the topic being moved

===============

If you haven't ran HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.


===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com

R3 - Default URLSearchHook is missing

O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - E:\WINDOWS\system32\fofqqdjm.dll

O4 - HKLM\..\Run: [lanbrup] E:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [ipndiqo] E:\WINDOWS\ipndiqo.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
...(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O23 - Service: Windows Overlay Components - Unknown owner - E:\WINDOWS\xjmhssz.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

E:\WINDOWS\system32\fofqqdjm.dll
E:\WINDOWS\system32\lanbrup.exe
E:\WINDOWS\ipndiqo.EXE
E:\WINDOWS\xjmhssz.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin


===============

Post back a new log, and let me know how everything goes.

-

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby jfurt » August 31st, 2005, 11:26 pm

thanx muchly for the help

here's a new hjt log all should be clear

Logfile of HijackThis v1.99.1
Scan saved at 11:24:46 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
H:\avg\avgcc.exe
H:\avg\avgemc.exe
E:\Program Files\Microsoft Hardware\Mouse\point32.exe
E:\WINDOWS\system32\tbctray.exe
E:\Program Files\Tweak-XP\tranicon.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
H:\avg\avgamsvr.exe
H:\avg\avgupsvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Yahoo!\Messenger\YPager.exe
E:\Program Files\Hijack this\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] H:\avg\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] H:\avg\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] E:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TraySantaCruz] E:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [TransparentIcons] "E:\Program Files\Tweak-XP\tranicon.exe" -ex
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\BenQ\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\avg\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\avg\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe



thanx again
jfurt
Active Member
 
Posts: 5
Joined: August 24th, 2005, 7:13 pm

Unread postby Bertha » September 1st, 2005, 11:18 am

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.


Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Thanx

Unread postby jfurt » September 1st, 2005, 4:39 pm

thank you too much far all of your help
jfurt
Active Member
 
Posts: 5
Joined: August 24th, 2005, 7:13 pm

Unread postby NonSuch » September 14th, 2005, 4:29 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27228
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware