Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HiJackThis log submittal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: HiJackThis log submittal

Unread postby muppy03 » April 20th, 2009, 12:08 am

Hi Tim, Have a look at the following files

c:\program files\MOVIES
c:\program files\TEMP DOWNLOADS
c:\program files\TORRENTS
c:\program files\New Folder
c:\program files\SONGS AND VIDEOS
c:\program files\PERSONAL
c:\program files\Backgrounds
c:\program files\Work related
c:\program files\Fun & Games
c:\program files\PHONE ITEMS
c:\program files\DESIGN PRO


Did you create these folders? And do you know what they all are? Take note that if you placed them in program files they really need to be put in a folder of their own.

Please reply and let me know about the above :flower:
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia
Advertisement
Register to Remove

Re: HiJackThis log submittal

Unread postby Tim98TA » April 20th, 2009, 12:28 am

Yes, I have created them all. I created them a LONG time, ie: years, ago. The Design Pro and the New Folder are the only ones I haven't used since they have been created. The others I use almost on a daily basis.
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby muppy03 » April 20th, 2009, 4:27 am

Hi Tim, that looks better now :thumbright:

How is the computer running?


Did you uninstall AVG8?

Let’s remove some remnants of it.

  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code: Select all
:Files
c:\documents and settings\All Users\Application Data\avg8
c:\program files\AVG

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Next Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Next Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply

Please reply with:-
  • OTMoveit3 log
  • Kaspersky Report
  • Answer on how the computer is running.
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: HiJackThis log submittal

Unread postby Tim98TA » April 20th, 2009, 10:21 pm

Computer seems to be running better. I have yet to try a defrag, but I will. Hasn't frozen up on my lately.


c:\documents and settings\All Users\Application Data\avg8\Log moved successfully.
c:\documents and settings\All Users\Application Data\avg8 moved successfully.
c:\program files\AVG\AVG8\log moved successfully.
c:\program files\AVG\AVG8\avgam moved successfully.
c:\program files\AVG\AVG8 moved successfully.
c:\program files\AVG moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04202009_185207



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 01:45:46
Records in database: 2064606
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 175012
Threat name: 10
Infected objects: 68
Suspicious objects: 5
Duration of the scan: 03:22:02


File name / Threat name / Threats count
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Paylap.ev 2
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\Mail\Local Folders\Trash Infected: Trojan-Spy.HTML.Paylap.ev 2
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\Mozilla Thunderbird\Thunderbird 1.5.0.10 en-US - 2007-07-04.pcv Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Mozilla Thunderbird\Thunderbird 1.5.0.10 en-US - 2007-07-04.pcv Infected: Email-Worm.Win32.Sober.y 55
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Program Files\Screen Savers\Spaceship\countdown.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bu 1
C:\Program Files\Screen Savers\waterfallsetup.exe Infected: not-a-virus:AdWare.Win32.Gator.1023 1
C:\Program Files\Screen Savers\wtrfal13.zip Infected: not-a-virus:AdWare.Win32.Gator.1023 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxitujetvaordqlclkiuneqmtumncepyna.sys.vir Infected: Trojan.Win32.Tdss.zos 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_gaopdxylgkolmxyujhqcuxobasaluoendodhtr_.sys.zip Infected: Trojan.Win32.Agent2.ibc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxeknwpjuwlssxxaiqeplpvjtvupmtongk.dll.vir Infected: Packed.Win32.Tdss.f 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:31 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\DOCUME~1\TIMCRE~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=4070529
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=uvf ... 0agTV7XP4c
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4652104328
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FDDD8F9-144B-4888-B1B7-3ECC0D513606}: NameServer = 68.28.58.92 68.28.50.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12973 bytes
Last edited by Tim98TA on April 21st, 2009, 2:47 am, edited 2 times in total.
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby muppy03 » April 20th, 2009, 11:44 pm

Do you have the rest of the reply? :flower:
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: HiJackThis log submittal

Unread postby Tim98TA » April 21st, 2009, 12:32 am

muppy03 wrote:Do you have the rest of the reply? :flower:

I am running the Kaspersky Scan at the moment. Didn't know it would take this long, was the reason for posting the first log. I will post results tomorrow.
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby Tim98TA » April 21st, 2009, 11:05 pm

all results posted above
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby muppy03 » April 22nd, 2009, 4:57 am

Hi Tim,

Please take note you have infected emails. Unfortunately I do not know which ones they might be.

We will run a BitDefender scan which will be able to pin point what e-mails are infected. Also empty the email TRASH as there is also infection in there.


Before we do that
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code: Select all
:Files
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll
C:\Program Files\MyWebSearchWB
C:\Program Files\Screen Savers\Spaceship\countdown.exe 
C:\Program Files\Screen Savers\waterfallsetup.exe 
C:\Program Files\Screen Savers\wtrfal13.zip 


  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

    BitDefender Online Scan

    Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html

    Under SCANNING OPTIONS, use the following Settings:
    • Image
    • Action options - Report only
    • Second option - Report only
    Once finished, click on "Click here to export the scan results"

    Save the report to your desktop, then post those results in your next reply.

Please reply with:-
  • OTmoveit3 report
  • Bitdefender report
  • New HJT log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: HiJackThis log submittal

Unread postby Tim98TA » April 22nd, 2009, 7:54 am

========== FILES ==========
DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll NOT unregistered.
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll moved successfully.
C:\Program Files\MyWebSearchWB\bar\Settings moved successfully.
C:\Program Files\MyWebSearchWB\bar\History moved successfully.
C:\Program Files\MyWebSearchWB\bar\Cache moved successfully.
C:\Program Files\MyWebSearchWB\bar\1.bin moved successfully.
C:\Program Files\MyWebSearchWB\bar moved successfully.
C:\Program Files\MyWebSearchWB moved successfully.
C:\Program Files\Screen Savers\Spaceship\countdown.exe moved successfully.
C:\Program Files\Screen Savers\waterfallsetup.exe moved successfully.
C:\Program Files\Screen Savers\wtrfal13.zip moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04222009_042355






BitDefender Online Scanner
Scan report generated at: Mon, Apr 27, 2009 - 22:12:06
Scan path: C:\;D:\;
Statistics
Time
03:38:57
Files
1472963
Folders
17019
Boot Sectors
0
Archives
258436
Packed Files
95598
Results
Identified Viruses
3
Infected Files
8
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
8
Engines Info
Virus Definitions
2850442
Engine build
AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins
17
Archive plugins
45
Unpack plugins
7
E-mail plugins
6
System plugins
4
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status

C:\Program Files\InstallShield Installation Information\{C65D81C3-3FC2-4B01-B515-7C6F805886BC}\Setup.exe

Infected with: Gen:Malware.Heur.20649B8B8B

C:\Program Files\InstallShield Installation Information\{C65D81C3-3FC2-4B01-B515-7C6F805886BC}\Setup.exe


Disinfection failed

C:\Program Files\InstallShield Installation Information\{C65D81C3-3FC2-4B01-B515-7C6F805886BC}\Setup.exe


Deleted

C:\Program Files\Work related\MISC FORMS\AUTO DWG\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Infected with: Gen:Malware.Heur.20649B8B8B

C:\Program Files\Work related\MISC FORMS\AUTO DWG\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Disinfection failed

C:\Program Files\Work related\MISC FORMS\AUTO DWG\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Deleted

C:\Program Files\Work related\MISC FORMS\AUTO DWG\DWG2PDF.exe=>(IExpress 0)


Update failed

C:\Program Files\Work related\SUNCOR\2007 EP TA\PERSONAL\New Folder\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Infected with: Gen:Malware.Heur.20649B8B8B

C:\Program Files\Work related\SUNCOR\2007 EP TA\PERSONAL\New Folder\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Disinfection failed

C:\Program Files\Work related\SUNCOR\2007 EP TA\PERSONAL\New Folder\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Deleted

C:\Program Files\Work related\SUNCOR\2007 EP TA\PERSONAL\New Folder\DWG2PDF.exe=>(IExpress 0)


Update failed

C:\Program Files\Work related\UNIVERSAL\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Infected with: Gen:Malware.Heur.20649B8B8B

C:\Program Files\Work related\UNIVERSAL\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Disinfection failed

C:\Program Files\Work related\UNIVERSAL\DWG2PDF.exe=>(IExpress 0)=>Setup.exe


Deleted

C:\Program Files\Work related\UNIVERSAL\DWG2PDF.exe=>(IExpress 0)


Update failed

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP531\A0128504.dll


Infected with: Trojan.TDss.EH

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP531\A0128504.dll


Disinfection failed

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP531\A0128504.dll


Deleted

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP534\A0130957.exe


Infected with: Gen:Malware.Heur.20649B8B8B

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP534\A0130957.exe


Disinfection failed

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP534\A0130957.exe


Deleted

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\waterfallsetup.exe=>wise0015


Infected with: Gen:Adware.Heur.A0E51A1A1A

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\waterfallsetup.exe=>wise0015


Disinfection failed

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\waterfallsetup.exe=>wise0015


Deleted

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\waterfallsetup.exe


Update failed

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\wtrfal13.zip=>waterfallsetup.exe=>wise0015


Infected with: Gen:Adware.Heur.A0E51A1A1A

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\wtrfal13.zip=>waterfallsetup.exe=>wise0015


Disinfection failed

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\wtrfal13.zip=>waterfallsetup.exe=>wise0015


Deleted

C:\_OTMoveIt\MovedFiles\04222009_042355\Program Files\Screen Savers\wtrfal13.zip=>waterfallsetup.exe


Update failed






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:26 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\DOCUME~1\TIMCRE~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070529
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=uvf ... 0agTV7XP4c
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://a248.e.akamai.net
O15 - Trusted Zone: http://kb.bitdefender.com
O15 - Trusted Zone: http://ssl-hints.netflame.cc
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4652104328
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FDDD8F9-144B-4888-B1B7-3ECC0D513606}: NameServer = 68.28.58.92 68.28.50.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13500 bytes
Last edited by Tim98TA on April 28th, 2009, 1:47 am, edited 1 time in total.
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby muppy03 » April 22nd, 2009, 6:08 pm

Thanks for letting me know ;)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: HiJackThis log submittal

Unread postby Tim98TA » April 28th, 2009, 1:47 am

Update in post above
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby muppy03 » April 29th, 2009, 5:38 am

Hi Tim,

Unfortunately Bitdefender did not find the reported infected emails from our Kaspersky scan. Do you still use Thunderbird and do you need the mail stored in the infected folders? I ask as you are using a very outdated version. The latest version is 2.0.0.21. If not used the best thing to do would be to remove Thunderbird completely and download the latest version once everything belonging to the present version is deleted.

The below paths are where the infected emails are located. If you still need these folders my advice would be to delete anything suspicious or un-needed in the listed inboxes.

Code: Select all
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\Mail\Local Folders\Inbox 
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Inbox


Infection was also shown In the below .pcv files. These files are the format in which backups for firefox and thunderbird profiles are saved in. The 2007 date shows that the files are outdated. The latest version as I mentioned above is 2.0.0.21. Thunderbird needs updating as the version you have is unsecure. It might be time to make new backups as the ones you have are infected and therefore should not be used.


Code: Select all
C:\Program Files\Mozilla Thunderbird\Thunderbird 1.5.0.10 en-US - 2007-07-04.pcv Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Mozilla Thunderbird\Thunderbird 1.5.0.10 en-US - 2007-07-04.pcv Infected: Email-Worm.Win32.Sober.y 55


NEXT Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    O15 - Trusted Zone: <http://a248.e.akamai.net>
    O15 - Trusted Zone: <http://kb.bitdefender.com>
    O15 - Trusted Zone: <http://ssl-hints.netflame.cc>


Once selected close all windows except HJT an click on Fix Checked

Have you tried the defrag yet? How is everything else going?

Please reply with:-
  • NEW HJT log
  • Answer to questions regarding Thunderbird and Defrag
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: HiJackThis log submittal

Unread postby Tim98TA » April 29th, 2009, 9:30 pm

Do you still use Thunderbird and do you need the mail stored in the infected folders? I ask as you are using a very outdated version. The latest version is 2.0.0.21.
Yes, Thunderbird is all I use. I checked my version and it is up to date with 2.0.0.21

The below paths are where the infected emails are located. If you still need these folders my advice would be to delete anything suspicious or un-needed in the listed inboxes.
Code: Select all
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\Mail\Local Folders\Inbox 
C:\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Inbox

I deleted both folders. They were both empty.

Infection was also shown In the below .pcv files. These files are the format in which backups for firefox and thunderbird profiles are saved in. The 2007 date shows that the files are outdated. The latest version as I mentioned above is 2.0.0.21. Thunderbird needs updating as the version you have is unsecure. It might be time to make new backups as the ones you have are infected and therefore should not be used.
Code: Select all
C:\Program Files\Mozilla Thunderbird\Thunderbird 1.5.0.10 en-US - 2007-07-04.pcv Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Mozilla Thunderbird\Thunderbird 1.5.0.10 en-US - 2007-07-04.pcv Infected: Email-Worm.Win32.Sober.y 55

I deleted that file.

Have you tried the defrag yet? How is everything else going?
Will try now.

Will edit this post with defrag results as well as new HJT list.

Here is the defrag results. It didn't finish.
Disk Defragmenter
Volume (C:)
Volume size = 181 GB
Cluster size = 4 KB
Used space = 111 GB
Free space = 70.65 GB
Percent free space = 38 %
Volume fragmentation
Total fragmentation = 12 %
File fragmentation = 24 %
Free space fragmentation = 0 %
File fragmentation
Total files = 181,288
Average file size = 765 KB
Total fragmented files = 32
Total excess fragments = 52,447
Average fragments per file = 1.28
Pagefile fragmentation
Pagefile size = 2.00 GB
Total fragments = 1
Folder fragmentation
Total folders = 17,028
Fragmented folders = 1
Excess folder fragments = 0
Master File Table (MFT) fragmentation
Total MFT size = 226 MB
MFT record count = 199,875
Percent MFT in use = 86 %
Total MFT fragments = 5

Disk Defragmenter
Volume (C:)
Fragments File Size Files that cannot be defragmented
2 693 MB \Program Files\TORRENTS\Office Space.avi
463 737 MB \Documents and Settings\Tim Creswell\Local Setting
3 1.27 GB \Program Files\MOVIES\DVD's\TROPIC THUNDER.avi
3 1.27 GB \Program Files\TORRENTS\Tropic Thunder KLAXXON\Tro
22,914 2.04 GB \Documents and Settings\Tim Creswell\Application D
28,666 2.32 GB \Documents and Settings\Tim Creswell\Application D



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:43 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\DOCUME~1\TIMCRE~1\LOCALS~1\Temp\clclean.0001
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=4070529
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=uvf ... 0agTV7XP4c
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4652104328
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - http://www.lojackforlaptops.com/ctmweb/testoc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FDDD8F9-144B-4888-B1B7-3ECC0D513606}: NameServer = 68.28.58.92 68.28.50.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\SYSTEM32\Rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 13397 bytes


Things actually are running good. No freeze ups lately.
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm

Re: HiJackThis log submittal

Unread postby muppy03 » April 30th, 2009, 5:16 pm

Hi Tim, well things are looking good my end. I did not need the defrag results, I asked if you could run it as one of your initial problems was that you could not. Good to see that it all works now.:thumbright:

I am glad those inboxes were empty and you were able to delete them, saves any worry of re-infecting your system.

If you are not having any further problems lets start cleaning up some of the tools we used.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Image
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

NEXT
  • Double-click OTMoveIt3.exe. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

MBAM is a great tool for you to keep and use on a regular basis.

Let me know when the above is done and we can move on to some final instructions. ;)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: HiJackThis log submittal

Unread postby Tim98TA » April 30th, 2009, 9:05 pm

Got everything deleted as requested.
Tried to run the defrag again, but it gets to about 13% the quits and I get this report:
Fragments---------File Size-----------------------Files that cannot be defragmented
2--------------------699 MB----------\Program Files\MOVIES\DVD's\WHAT HAPPENS IN VEGAS.avi
463-------------------737 MB----------\Documents and Settings\Tim Creswell\Local Settings\Application Data\Google\GoogleEarth\dbCache.dat
3--------------------1.27 GB----------\Program Files\MOVIES\DVD's\TROPIC THUNDER.avi
3--------------------1.27 GB----------\Program Files\TORRENTS\Tropic Thunder KLAXXON\Tropic Thunder KLAXXON.avi
22,963----------------2.05 GB----------\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Inbox
30,168----------------2.43 GB-----------\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Trash

When I try to go to these files: \Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Inbox
----------------------------------\Documents and Settings\Tim Creswell\Application Data\Thunderbird\Profiles\o6xxxsxi.default\Mail\pop.east.cox-1.net\Trash
I get as far as \Documents and Settings\Tim Creswell. There is no folder called Application Data any longer. I KNOW it was there in the past. What could have happened?
The report also tells me that I SHOULD defrag.
Tim98TA
Regular Member
 
Posts: 24
Joined: April 7th, 2009, 11:59 pm
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware