Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HiJack Log - browsers being killed, Win32.Brontok warning

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 10th, 2009, 2:26 am

Computer mysteriously rebooted this afternoon.
Any time I tried to start the browser, the window showed something like "Insecure Navigation ..."
Then, the browsers would die when I tried to move on. Both IE and Firefox (latest 3.5). IE is old - don't use much anymore.

Also, windows security center pops up with "win32.brontok" warning... pops up every so often.

Trying to run a full scan on spyware doctor - intelli scan has turned up nothing.

Here is the hijack log....

All started today.

Hijack log below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:59 PM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\iTunes\iTunesHelper.exe
C:\Documents and Settings\Karl\Application Data\Google\zlgai50494.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoflt07.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\iTunes\iTunesHelper.exe
C:\Documents and Settings\Karl\Application Data\Google\zlgai50494.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [realteks] "C:\Documents and Settings\Karl\Application Data\Google\zlgai50494.exe" 2
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-343818398-73586283-682003330-1003\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Karl')
O4 - HKUS\S-1-5-21-343818398-73586283-682003330-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Karl')
O4 - S-1-5-21-343818398-73586283-682003330-1003 Startup: Sid Registration.lnk = E:\ATR1.EXE (User 'Karl')
O4 - S-1-5-21-343818398-73586283-682003330-1003 Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User 'Karl')
O4 - S-1-5-21-343818398-73586283-682003330-1003 User Startup: Sid Registration.lnk = E:\ATR1.EXE (User 'Karl')
O4 - S-1-5-21-343818398-73586283-682003330-1003 User Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User 'Karl')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/f5t ... 9,327,1558
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/Ins ... ,0327,1604
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/urT ... ,0122,2001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7691429593
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1553
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://metricstream.webex.com/client/T ... eatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1548
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 11053 bytes
You do not have the required permissions to view the files attached to this post.
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am
Advertisement
Register to Remove

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby MWR 3 day Mod » July 13th, 2009, 12:08 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby Bio-Hazard » July 13th, 2009, 4:36 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • I f you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 3 Days Will Result In Your Topic Being Closed!!




STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

Image
Download DDS and save it to your desktop from:

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply


STEP 2


Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.



Next Reply

Please reply with:
  • DDS.txt
  • Attach.txt
  • Gmer log
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 14th, 2009, 2:05 am

OK - I initially tried to run DDS but the first time I ran it never completed, and eventually blue screened.
I then ran gmer, but when I came home (it seems to take a couple of hours) there was another blue screen.

So, I identified the process from the earlier hijack log:
C:\Documents and Settings\Karl\Application Data\Google\zlgai50494.exe

I downloaded a process killer and terminated the process... now the DDS runs (see below) and I have restarted GMER. I know I should not kill things off, but the system is so unstable that I need to be able to kill that process to be able to get anything to run (or the browsers kill themselves and blue screens start up).

I will attach the gmer log once it completes.

I did notices that GMER did report a process problem with the zlgai50494.exe before blue screening, and the text color was red. Can't remember the exact wording, but it was about the "Process:"


Anyway, please find DDS below (but remember that the zlgai50494.exe was killed off):

DDS (Ver_09-06-26.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/11/2003 2:47:57 PM
System Uptime: 7/13/2009 10:16:59 PM (0 hours ago)
Motherboard: ASUSTeK Computer Inc. | | P4P800
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | CPU 1 | 2605/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | CPU 1 | 2605/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 1.002 GiB free.
D: is FIXED (NTFS) - 35 GiB total, 21.166 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com Gigabit LOM (3C940)
Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\4&2E98101C&0&28F0
Manufacturer: 3Com
Name: 3Com Gigabit LOM (3C940)
PNP Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\4&2E98101C&0&28F0
Service: EL2000
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CSVirtA
==== System Restore Points ===================
RP730: 6/10/2009 3:00:30 AM - Software Distribution Service 3.0
RP731: 6/11/2009 7:11:57 AM - System Checkpoint
RP732: 6/12/2009 8:17:22 AM - System Checkpoint
RP733: 6/13/2009 8:50:57 AM - System Checkpoint
RP734: 6/14/2009 9:51:01 AM - System Checkpoint
RP735: 6/21/2009 9:05:24 PM - System Checkpoint
RP736: 6/22/2009 10:21:51 PM - System Checkpoint
RP737: 6/23/2009 10:34:56 PM - System Checkpoint
RP738: 6/24/2009 11:13:01 PM - System Checkpoint
RP739: 6/26/2009 12:05:18 AM - System Checkpoint
RP740: 6/27/2009 12:33:50 AM - System Checkpoint
RP741: 6/28/2009 12:39:59 AM - System Checkpoint
RP742: 6/29/2009 3:09:49 AM - System Checkpoint
RP743: 6/30/2009 3:33:50 AM - System Checkpoint
RP744: 7/1/2009 4:33:53 AM - System Checkpoint
RP745: 7/2/2009 5:33:50 AM - System Checkpoint
RP746: 7/3/2009 6:33:54 AM - System Checkpoint
RP747: 7/4/2009 7:35:20 AM - System Checkpoint
RP748: 7/5/2009 9:57:53 PM - System Checkpoint
RP749: 7/6/2009 11:52:05 PM - System Checkpoint
RP750: 7/8/2009 1:45:53 AM - System Checkpoint
RP751: 7/9/2009 4:10:10 AM - System Checkpoint
RP752: 7/9/2009 9:26:22 PM - Spyware Doctor: Cleaning Threats
RP753: 7/10/2009 10:20:27 PM - System Checkpoint
RP754: 7/11/2009 11:20:20 PM - System Checkpoint
RP755: 7/12/2009 11:51:06 PM - System Checkpoint
==== Installed Programs ======================
Add-ons
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
Adobe Shockwave Player
Ahead Nero Express
AirPlus G
ANIO Service
ANIWZCS2 Service
Annotations
Annotations Help
Apple Mobile Device Support
Apple Software Update
ASUS Probe V2.21.03
ASUSUpdate
Block Diagrams
Block Diagrams Help
Bonjour
Borders and Backgrounds
Borders and Backgrounds Help
Building Architecture
Building Architecture Help
Building Services
Building Services Help
CAD Drawing Converter
CAD Drawing Converter Help
CAD Drawing Converter Samples
CAD Drawing Display
Callouts and Connectors
Callouts and Connectors Help
Cisco SSL VPN Client
Clip Art and Symbols
Clip Art and Symbols Help
Compatibility Pack for the 2007 Office system
Custom Patterns
Custom Properties Editor
Database Wizard
Developing Visio Solutions Help
Disney Pirates of the Caribbean Online
Duke Nukem - Manhattan Project
Electrical Engineering
Electrical Engineering Help
Enter The Matrix
Facilities Management
Facilities Management Help
Flowcharts
Flowcharts Help
Fluid Power
Fluid Power Help
Forms and Charts
Forms and Charts Help
Foundation technical
GameSpy Arcade
Google Earth
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Updater
Graphics Filters
Help for Visio 2000 (HTML Help)
Help_Technical
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
hp officejet k series
hp officejet k series - 2
iTunes
Java(TM) 6 Update 3
LEGO® Indiana Jones™
Lord of the Rings: The Fellowship of the Ring
LOTR The Return of the King tm
Maps
Maps Help
Mechanical Engineering
Mechanical Engineering Help
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft FrontPage Client - English
Microsoft Halo
Microsoft Halo Trial
Microsoft Office 2000 SR-1 Premium
Microsoft Repository
Microsoft SQL Server Desktop Engine (NETSDK)
Microsoft Visio 2000 (IE)
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Enterprise Architect 2003 - English
Microsoft Visual Studio Service Pack 3
Mozilla Firefox (3.5)
MSDN Library for Visual Studio .NET 2003
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Network Diagrams
Network Diagrams Help
Norton Security Scan
NVIDIA Drivers
Office Layout
Office Layout Help
Organization Charts
Organization Charts Help
Page Layout Wizard
Prevx 3.0
PrimoPDF
PrimoPDF Redistribution Package
Process Engineering
Process Engineering Help
Program Files
Program Files Help
Program Files Technical
Project Schedules
Project Schedules Help
Property Reporting Wizard
QuickTime
Release Notes Technical
Rhapsody Player Engine
RideMax for Disneyland 5.1
Riven
SanDisk ImageMate/SecureMate
Save as HTML
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939373)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB942830)
Security Update for Windows XP (KB942831)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970483)
Shape Explorer Help
Sid Meier's Pirates!
Solutions
SoundMAX
Spyware Doctor 6.0
Star Wars Battlefront II
TaxACT 2007
TaxACT 2008
TaxACT 2008 California
TaxACT California 2007
TBS WMP Plug-in
Ulead Burn.Now
Ulead DVD MovieFactory 2 SE
Ulead DVD PictureShow 2 SE
Ulead DVD Player
Ulead VideoStudio 7 SE DVD
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Storage Driver
VBA
Visio
Visio Core Files
Visio Technical Core Files
Visual Studio .NET Enterprise Architect 2003 - English
Visual Studio.NET Baseline - English
WD Diagnostics
WDCSAM Driver
WebEx
WebFldrs XP
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (12/05/2006 1.0.0007.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinSCP 4.2.1 beta
Write DVD!
Xfire (remove only)
==== Event Viewer Messages From Past Week ========
7/9/2009 9:16:53 PM, error: Service Control Manager [7000] - The ASInsHelp service failed to start due to the following error: The system cannot find the file specified.
7/13/2009 7:11:51 AM, error: Service Control Manager [7034] - The ANIWZCSd Service service terminated unexpectedly. It has done this 1 time(s).
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby Bio-Hazard » July 14th, 2009, 2:58 am

Hello!

Is this a business computer?


So, I identified the process from the earlier hijack log:
C:\Documents and Settings\Karl\Application Data\Google\zlgai50494.exe


Yes that one is a baddie.

I downloaded a process killer and terminated the process... now the DDS runs (see below) and I have restarted GMER. I know I should not kill things off, but the system is so unstable that I need to be able to kill that process to be able to get anything to run (or the browsers kill themselves and blue screens start up).

I will attach the gmer log once it completes.

I did notices that GMER did report a process problem with the zlgai50494.exe before blue screening, and the text color was red. Can't remember the exact wording, but it was about the "Process:"


You did fine. Problem i have is that, some of these infections will block tools we use so thats why i would like to see Gmer report before we start cleaning.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 14th, 2009, 6:50 am

Hello -

No, this is not a business PC.

Anyway, I also realized I forgot a log:

I will post once gmers completes.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Karl at 22:42:01.56 on Mon 07/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.488 [GMT -7:00]

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karl\My Documents\Problem\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Write DVD-R!] c:\program files\write dvd!\saimon.exe
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [DataCaching] c:\progra~1\dataca~1\FLashKsk.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [realteks] "c:\documents and settings\karl\application data\google\zlgai50494.exe" 2
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\karl\startm~1\programs\startup\sidreg~1.lnk - e:\ATR1.EXE
StartupFolder: c:\docume~1\karl\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet k series\bin\hpoorn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~2.lnk - c:\program files\hewlett-packard\aio\hp officejet k series\bin\hpoorn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/Shar ... vSniff.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mvadvd.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/tes ... eGames.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://fpass.ed.gov/vdesk/terminal/f5t ... 9,327,1558
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://fpass.ed.gov/vdesk/terminal/Ins ... ,0327,1604
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/Shar ... /cabsa.cab
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://fpass.ed.gov/vdesk/terminal/urT ... ,0122,2001
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 7691429593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/C ... B?37966.63
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1553
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://metricstream.webex.com/client/T ... eatgpc.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1548
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\karl\applic~1\mozilla\firefox\profiles\lbv9wjj3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPuroamHost.dll
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-9 130936]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-7-11 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-7-11 27656]
R1 saicdr;saicdr;c:\windows\system32\drivers\Saicdr.sys [2003-12-31 51456]
R1 saicdrwup;saicdrwup;c:\windows\system32\drivers\saicdrwup.sys [2003-12-31 3328]
R1 saiudf;saiudf;c:\windows\system32\drivers\Saiudf.sys [2003-12-31 360960]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-7-11 4368952]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2009-1-11 72672]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-9-23 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-9-23 1095560]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
R3 SDSTOR2K;SanDisk USB ImageMate/SecureMate Mass Storage Driver;c:\windows\system32\drivers\SDSTOR2K.SYS [2007-11-17 37781]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2007-4-1 22136]
S3 MSSQL$NETSDK;MSSQL$NETSDK;c:\program files\microsoft sql server\mssql$netsdk\binn\sqlservr.exe -snetsdk --> c:\program files\microsoft sql server\mssql$netsdk\binn\sqlservr.exe -sNETSDK [?]
S3 SQLAgent$NETSDK;SQLAgent$NETSDK;c:\program files\microsoft sql server\mssql$netsdk\binn\sqlagent.exe -i netsdk --> c:\program files\microsoft sql server\mssql$netsdk\binn\sqlagent.EXE -i NETSDK [?]
=============== Created Last 30 ================
2009-07-11 20:22 4,307 a------- c:\documents and settings\karl\nah_log.dat
2009-07-11 12:41 27,656 a------- c:\windows\system32\drivers\pxsec.sys
2009-07-11 12:41 22,024 a------- c:\windows\system32\drivers\pxscan.sys
2009-07-11 12:41 <DIR> --d----- c:\program files\Prevx
2009-07-11 12:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-07-11 12:40 65 a------- c:\windows\wininit.ini
2009-07-09 21:47 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-09 21:47 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-09 21:47 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-09 21:47 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-09 21:47 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-09 21:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-09 21:09 78,848 a------- c:\documents and settings\karl\nah_huhy.exe
2009-06-22 16:51 <DIR> --d----- c:\program files\GameSpy Arcade
==================== Find3M ====================
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-28 21:52 659,456 a------- c:\windows\system32\wininet.dll
2009-04-28 21:52 81,920 -------- c:\windows\system32\ieencode.dll
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2003-07-16 19:26 448,640 a------- c:\windows\inf\EL2K_N64.sys
2003-07-16 19:22 147,328 a------- c:\windows\inf\EL2K_XP.sys
2003-06-03 00:47 147,328 a------- c:\windows\inf\EL2K_2K.sys
============= FINISH: 22:42:37.44 ===============
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 15th, 2009, 12:55 am

Hi,

I am having trouble getting gmer to run and complete. Scan starts off fine, but then when I come back down it has blue screen of death. I killed of the z*.exe program as mentioned in the previous posts, but something still seems amiss. I also disconnected from the network and tried - same problem.

Any ideas?

Thanks....
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby Bio-Hazard » July 15th, 2009, 6:30 am

Hello!

No, this is not a business PC.


I hope i didnt offend you, but i needed to ask.

Lets try another approach.

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Malwarebytes Antimalware log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 17th, 2009, 11:14 pm

OK -

I had some difficulty getting the applications on the machine in question - it looks like the USB was also disabled so the jump drive did not work. So, in order to use the Inet to download, I killed off the alg*.exe process that I had identified above (I had not wanted to do that except as a last resort to make sure the scanner saw this as a running process - but it still found the file). I was forced to reboot to finish the virus cleanup.

The browser now seems to work without any redirection, and the alg* is not running.

I also attached a hijack log - are things looking better?

Thanks for the help again... :)
Karl

4 errors were detected:
Malwarebytes' Anti-Malware 1.39
Database version: 2453
Windows 5.1.2600 Service Pack 2

7/17/2009 7:52:31 PM
mbam-log-2009-07-17 (19-52-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 323903
Time elapsed: 2 hour(s), 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Karl\Application Data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\realteks (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Karl\application data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Karl\application data\Google\zlgai50494.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here is the subsequent hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:53 PM, on 7/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Sid Registration.lnk = E:\ATR1.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/f5t ... 9,327,1558
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/Ins ... ,0327,1604
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/urT ... ,0122,2001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7691429593
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1553
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://metricstream.webex.com/client/T ... eatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1548
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 9525 bytes
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby Bio-Hazard » July 18th, 2009, 4:12 am

Hello!

Things are looking much better.

Does PCtools Spyware Doctor have antivirus component?

ATF-Cleaner

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.


Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.
  • Go to HERE
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 14
  • Click the Download button to the right
  • From the dropdown menu choose your platform. Which is Windows
  • Dont change the language box.
  • Click on the radio button to Accept License Agreement and after that click continue
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your computer
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file and follow the on-screen instructions.
  • Reboot your computer


Update Adobe Reader

Your version of Adobe Reader is out-of-date. There are known security issues with older versions of Adobe Reader. It is strongly suggested that you update to the current version. Please uninstall older version of Adobe Reader before installing the latest version.

If you are using a FULL featured, purchased version of Adobe Acrobat Reader.
These instructions will remove the current version of Adobe Reader and replace it with the limited feature FREE version. If you want to replace the paid for version with the free version, then continue, otherwise DO NOT perform these steps!

  • Click Start
  • Control Panel
  • Double clicking on Add/Remove Programs
  • Locate older version of Adobe Reader and click on Change/Remove to uninstall it
  • Click HERE to download the latest version of Adobe Reader.
  • Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
  • Close your Internet browser and open it again.

If you don't like Adobe Reader, you can download Foxit PDF Reader from HERE. It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Answer to My question
  • Malwarebytes Antimalware log
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 19th, 2009, 3:38 pm

OK -

I don't have the AV portion of spyware doctor.

I ran the Kaspersky and nothing was detected.

The machine does seem to be running better, but I am still suspicious as there are certain time where things seem to "slow down". Plus, I am not sure of all the process on the process list (which I include at the end of this post). At least the win32.brontok popup is
not running and the zlg*.exe process seems to be removed and gone.

Thanks for all the help, by the way.


The Malwarebytes' Anti-Malware log is below - nothing detected.

Malwarebytes' Anti-Malware 1.39
Database version: 2453
Windows 5.1.2600 Service Pack 2

7/19/2009 12:57:40 AM
mbam-log-2009-07-19 (00-57-40).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 310332
Time elapsed: 1 hour(s), 57 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HiJack Log::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:14 PM, on 7/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Sid Registration.lnk = E:\ATR1.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/f5t ... 9,327,1558
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/Ins ... ,0327,1604
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/urT ... ,0122,2001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7691429593
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1553
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://metricstream.webex.com/client/T ... eatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1548
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 8926 bytes


Here is also a process list that I see running on the machine right now:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org

ImageName PID Threads Priority CPU Owner
Idle 0 2 0 34 Error 0x6 : The handle is invalid.

System 4 64 8 0 Error 0x5 : Access is denied.

smss.exe 496 3 11 0 NT AUTHORITY\SYSTEM
csrss.exe 556 13 13 0 NT AUTHORITY\SYSTEM
winlogon.exe 584 18 13 0 NT AUTHORITY\SYSTEM
services.exe 636 16 9 0 NT AUTHORITY\SYSTEM
lsass.exe 648 19 9 0 NT AUTHORITY\SYSTEM
svchost.exe 804 19 8 0 NT AUTHORITY\SYSTEM
svchost.exe 888 10 8 0 Error 0x5 : Access is denied.

svchost.exe 940 64 8 0 NT AUTHORITY\SYSTEM
svchost.exe 1000 6 8 0 Error 0x5 : Access is denied.

svchost.exe 1056 11 8 0 Error 0x5 : Access is denied.

spoolsv.exe 1116 11 8 0 NT AUTHORITY\SYSTEM
explorer.exe 1368 11 8 0 KCHRISMAN\Karl
SMax4PNP.exe 1472 5 8 0 KCHRISMAN\Karl
SMax4.exe 1484 2 8 0 KCHRISMAN\Karl
Saimon.exe 1512 3 8 0 KCHRISMAN\Karl
AirGCFG.exe 1520 3 8 0 KCHRISMAN\Karl
WZCSLDR2.exe 1536 7 8 0 KCHRISMAN\Karl
jusched.exe 1552 1 8 0 KCHRISMAN\Karl
FLASHKSK.EXE 1572 1 8 0 KCHRISMAN\Karl
WDBtnMgr.exe 1580 1 8 0 KCHRISMAN\Karl
rundll32.exe 1612 1 8 0 KCHRISMAN\Karl
rundll32.exe 1700 3 8 0 KCHRISMAN\Karl
iTunesHelper.exe 1708 8 8 0 KCHRISMAN\Karl
GoogleToolbarNotifier.exe 1720 4 8 0 KCHRISMAN\Karl
msnmsgr.exe 1728 8 8 0 KCHRISMAN\Karl
hpoorn07.exe 1752 2 8 0 KCHRISMAN\Karl
hpoorn07.exe 1768 4 8 0 KCHRISMAN\Karl
sqlmangr.exe 1840 2 8 0 KCHRISMAN\Karl
hpoevm07.exe 168 13 8 0 KCHRISMAN\Karl
hposts07.exe 276 2 8 0 KCHRISMAN\Karl
hposts07.exe 356 2 8 0 KCHRISMAN\Karl
hpofxm07.exe 364 15 8 0 KCHRISMAN\Karl
cmd.exe 1048 1 8 0 KCHRISMAN\Karl
svchost.exe 1200 1 8 0 Error 0x5 : Access is denied.

AppleMobileDeviceService.exe 1244 3 8 0 NT AUTHORITY\SYSTEM
mDNSResponder.exe 1300 4 8 0 NT AUTHORITY\SYSTEM
jqs.exe 1644 5 4 0 NT AUTHORITY\SYSTEM
LxrSII1s.exe 560 2 8 0 NT AUTHORITY\SYSTEM
mdm.exe 1748 5 8 0 NT AUTHORITY\SYSTEM
msdtc.exe 696 14 8 0 Error 0x5 : Access is denied.

nvsvc32.exe 1596 4 8 0 NT AUTHORITY\SYSTEM
snmp.exe 1884 5 8 0 NT AUTHORITY\SYSTEM
SMAgent.exe 2060 2 8 0 NT AUTHORITY\SYSTEM
svchost.exe 2088 5 8 0 NT AUTHORITY\SYSTEM
mqsvc.exe 2296 25 8 0 NT AUTHORITY\SYSTEM
mqtgsvc.exe 2536 9 8 0 NT AUTHORITY\SYSTEM
iPodService.exe 3144 11 8 0 NT AUTHORITY\SYSTEM
alg.exe 3748 5 8 0 Error 0x5 : Access is denied.

wuauclt.exe 1648 3 8 0 KCHRISMAN\Karl
taskmgr.exe 1800 3 13 0 KCHRISMAN\Karl
firefox.exe 1312 20 8 8 KCHRISMAN\Karl
iexplore.exe 3000 22 8 0 KCHRISMAN\Karl
HijackThis.exe 3264 4 8 0 KCHRISMAN\Karl
notepad.exe 3840 1 8 0 KCHRISMAN\Karl
Process.exe 844 1 13 0 KCHRISMAN\Karl
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby Bio-Hazard » July 20th, 2009, 5:43 pm

The machine does seem to be running better, but I am still suspicious as there are certain time where things seem to "slow down". Plus, I am not sure of all the process on the process list (which I include at the end of this post). At least the win32.brontok popup is
not running and the zlg*.exe process seems to be removed and gone.


All your running processes are fine.



Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - (no file)
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.


Slow Computer

Read here What to do if your Computer is running slowly


Antivirus

Looking over your log it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect cleans and erase harmful virus files on a computer Web server or network. Unchecked virus files can unintentionally be forwarded to others including trading partners and thereby spreading infection. Because new viruses regularly emerge anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:


It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 22nd, 2009, 11:28 am

Here is the latest HJ Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:59 AM, on 7/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Write DVD!\saimon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Write DVD-R!] C:\Program Files\Write DVD!\saimon.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Sid Registration.lnk = E:\ATR1.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: HPAiODevice(hp officejet k series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} (F5 Networks Dynamic Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/f5t ... 9,327,1558
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://fpass.ed.gov/vdesk/terminal/Ins ... ,0327,1604
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks Static Application Tunnel Control) - https://fpass.ed.gov/vdesk/terminal/urT ... ,0122,2001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7691429593
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1553
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://metricstream.webex.com/client/T ... eatgpc.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://fpass.ed.gov/vdesk/terminal/urx ... 9,327,1548
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--

I installed Avira and it found a couple of issues also:

Avira AntiVir Personal
Report file date: Wednesday, July 22, 2009 04:37

Scanning for 1561236 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : KCHRISMAN

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 17:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 11:20:28
ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 11:20:52
ANTIVIR3.VDF : 7.1.5.15 119808 Bytes 7/22/2009 11:20:54
Engineversion : 8.2.0.222
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 19:52:04
AESCRIPT.DLL : 8.1.2.18 442746 Bytes 7/22/2009 11:21:16
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 19:02:01
AERDL.DLL : 8.1.2.4 430452 Bytes 7/22/2009 11:21:14
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/28/2009 00:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/22/2009 11:21:11
AEHEUR.DLL : 8.1.0.143 1864055 Bytes 7/22/2009 11:21:10
AEHELP.DLL : 8.1.4.5 229748 Bytes 7/22/2009 11:20:59
AEGEN.DLL : 8.1.1.48 348532 Bytes 7/22/2009 11:20:57
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.7.5 180597 Bytes 7/22/2009 11:20:55
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PCK,+SPR,

Start of the scan: Wednesday, July 22, 2009 04:37

Starting search for hidden objects.
'85259' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'mqtgsvc.exe' - '1' Module(s) have been scanned
Scan process 'mqsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'msdtc.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'LxrSII1s.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'hpofxm07.exe' - '1' Module(s) have been scanned
Scan process 'hposts07.exe' - '1' Module(s) have been scanned
Scan process 'hposts07.exe' - '1' Module(s) have been scanned
Scan process 'hpoevm07.exe' - '1' Module(s) have been scanned
Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
Scan process 'hpoorn07.exe' - '1' Module(s) have been scanned
Scan process 'hpoorn07.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'WDBtnMgr.exe' - '1' Module(s) have been scanned
Scan process 'FLASHKSK.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'Saimon.exe' - '1' Module(s) have been scanned
Scan process 'SMax4.exe' - '1' Module(s) have been scanned
Scan process 'SMax4PNP.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
53 processes with 53 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '68' files ).


Starting the file scan:

Begin scan in 'C:\' <KARL>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Karl\Desktop\ComboFix.exe
[0] Archive type: RAR SFX (self extracting)
--> 32788R22FWJFW\NirCmd.cfexe
[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
--> 32788R22FWJFW\nircmd.com
[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
--> 32788R22FWJFW\NirCmdC.cfexe
[DETECTION] Contains recognition pattern of the APPL/NirCmd.E.1.B application
--> 32788R22FWJFW\psexec.cfexe
[1] Archive type: RSRC
--> Object
[DETECTION] Contains recognition pattern of the APPL/PsExec.E application
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\Oct04Planning.ZIP
[0] Archive type: ZIP
--> Documents and Settings/kchrisman.USINGENICO/My Documents/ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\Deal\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\documents\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\documents\Oct04Planning.ZIP
[0] Archive type: ZIP
--> Documents and Settings/kchrisman.USINGENICO/My Documents/ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
C:\System Volume Information\_restore{0372FECD-4BF7-4CC1-866B-197AF6A14408}\RP759\A0067012.dll
[DETECTION] Is the TR/Trash.Gen Trojan
Begin scan in 'D:\' <New Volume>
D:\Data\WORKBkup\Oct04Planning.ZIP
[0] Archive type: ZIP
--> Documents and Settings/kchrisman.USINGENICO/My Documents/ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
D:\Data\WORKBkup\Deal\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
D:\Data\WORKBkup\documents\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
D:\Data\WORKBkup\documents\Oct04Planning.ZIP
[0] Archive type: ZIP
--> Documents and Settings/kchrisman.USINGENICO/My Documents/ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit

Beginning disinfection:
C:\Documents and Settings\Karl\Desktop\ComboFix.exe
[NOTE] The file was moved to '4ad42df7.qua'!
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\Oct04Planning.ZIP
[NOTE] The file was moved to '4adb2dec.qua'!
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\Deal\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
[NOTE] The file was moved to '4ad52dea.qua'!
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\documents\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
[NOTE] The file was moved to '4955538b.qua'!
C:\Documents and Settings\Karl\My Documents\Data\WORKBkup\documents\Oct04Planning.ZIP
[NOTE] The file was moved to '4ff5a7f5.qua'!
C:\System Volume Information\_restore{0372FECD-4BF7-4CC1-866B-197AF6A14408}\RP759\A0067012.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a972db9.qua'!
D:\Data\WORKBkup\Oct04Planning.ZIP
[NOTE] The file was moved to '4ff75765.qua'!
D:\Data\WORKBkup\Deal\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
[NOTE] The file was moved to '4ad52deb.qua'!
D:\Data\WORKBkup\documents\ManagementMtgBak.ppt
[DETECTION] Contains recognition pattern of the EXP/PPT.Dropper.Gen exploit
[NOTE] The file was moved to '49ac6a04.qua'!
D:\Data\WORKBkup\documents\Oct04Planning.ZIP
[NOTE] The file was moved to '4adb2ded.qua'!


End of the scan: Wednesday, July 22, 2009 08:17
Used time: 1:57:48 Hour(s)

The scan has been done completely.

24135 Scanned directories
503799 Files were scanned
13 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
503784 Files not concerned
6184 Archives were scanned
2 Warnings
12 Notes
85259 Objects were scanned with rootkit scan
0 Hidden objects were found

Function of Machine:

Machine is running better. I am having a problem with the USB ports as it was not recognizing jump drives any longer. I am still working on that to see if I can identify the problem, and was able to get my keyboard/mouse USB back and going.

I also did setup an audit trail in the event view and see this:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 968
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 52188
Allowed: No
User notified: No
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby Bio-Hazard » July 22nd, 2009, 11:59 am

Hello!

That windows firewall entry is ok.

I installed Avira and it found a couple of issues also


Avira found a tool we used and some system restore points. Also it found some of your documents aswell.

I am having a problem with the USB ports as it was not recognizing jump drives any longer


When did this problem started?
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HiJack Log - browsers being killed, Win32.Brontok warning

Unread postby krc » July 22nd, 2009, 6:31 pm

Hi - thanks.

The problem with the USB started during the time we were trying to fix the virus issues. I am not sure if this is a legit issue or not, and will spend some more time tomorrow looking at it. Will let you know more.
krc
Active Member
 
Posts: 11
Joined: July 10th, 2009, 2:17 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware