Hijack This Log - Trojan and Hijacker Problems


Post by JayneM » July 10th, 2010, 11:34 pm

Greetings, and thank you in advance for helping me with this. I have successfully removed 7 trojans from my computer, but am still having problems with a recurring Trojan that seems to recreate itself every time I log onto my computer. I also ran Spybot, and it located a Hijacker, but before I could investigate it further whatever bug I have shuts my computer down.

Here is my Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:15:19, on 7/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://your-searcher.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\qe31oah0.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.freeaddictinggames.com/game/brake-less/"
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7961 bytes


And here is my uninstall log:

3DVIA player 4.1
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Shockwave Player 11.5
Amatrol Multimedia Content Manager
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
AutoSave
Avanquest update
Bookkeeper
CCleaner
Civilization III
Coloreal
CompuServe
Detto IntelliMover Demo
DivX
DivX Player
DjVu Browser Plug-in 4.1
easy Internet sign-up
Entriq MediaSphere 3.4.0.15
ExamView Pro
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 950c series (Remove only)
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) Extreme Graphics Driver
Internet TRiLOGI (Educational)
InterVideo WinDVD 4
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment Standard Edition v1.3.1_09
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.2_11
Java Web Start
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
LimeWire 5.5.9
Malware Destroyer
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Standard Edition
Microsoft Office Excel Viewer 2003
Microsoft Office XP Small Business
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Microtek ScanSuite 1.11
Microtek ScanWizard
Microtek ScanWizard for Windows NT V2.49
MPIO Manager 2
MPIO Plugins Pack
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
My Free Antivirus v2.2
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PdfEdit995
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
Radio@Netscape
RealPlayer
RecordNow
RecordNow Update Manager
Registry Mechanic 5.2
S3Display
S3Gamma2
S3Info2
S3Overlay
ScanWizard 5
Secure Game Player
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shockwave
ShowBiz
Simple Installer - Multilanguage Version
Spybot - Search & Destroy
Spybot - Search & Destroy 1.2
TaxCut Deluxe 2005
TaxCut Premium 2006
TES Construction Set
TrojanHunter 5.2
Ulead PhotoImpact 4.0
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB955759)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WatchGuard Mobile VPN with SSL client 10
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinZip
Yahoo! Login
ZoneAlarm
ZoneAlarm Spy Blocker

**************
I am running Windows XP, and if it helps, this is the Trojan I can't seem to delete:

[EXISTS_REGKEY_HKLM]=\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASAUTO
[EXISTS_FILE]=%winsys%\groupenv32.dll

Removal info

[HKLM_KEY]=\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASAUTO
[FILE_DEL]=%winsys%\msxmls.bak
[FILE_DEL]=%winsys%\groupenv32.dll
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm
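As an added illustration (not code from the forum or from HijackThis itself), here is a small Python triage script that parses the R0/R1, O4 and O23 line formats seen in the log above and applies a few defender-side review heuristics: autostart entries with no full path, entries launched from the user profile, a core Windows binary name living outside System32, the Policies\Explorer\Run key, orphaned or ownerless services, and non-default IE search/start URLs. The flag names, the DEFAULT_URL_HOSTS allowlist and the heuristics are my own assumptions, and the sample lines are a constructed subset copied from the log above; a flag marks an entry for review, not a verdict.

```python
import re
from urllib.parse import urlparse

# Added example, not code from the forum or from HijackThis: a parser for the
# R0/R1, O4 and O23 line formats with defender-side review heuristics.
# SAMPLE_LOG is a constructed subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://your-searcher.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Owner\Application Data\SystemProc\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Line grammars (assumed from the HijackThis 2.0.4 output shown above).
RE_R = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$")
RE_O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")

# Heuristic inputs (my assumptions, tuned to this log).
WINDOWS_CORE = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\temp\\")
DEFAULT_URL_HOSTS = {"go.microsoft.com"}  # the IE defaults seen in this log


def exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line: str) -> list:
    """Return review flags for one HijackThis line (empty list = nothing notable)."""
    flags = []
    if (m := RE_O4_REG.match(line)):
        path = exe_path(m["cmd"])
        plow = path.lower()
        base = plow.rsplit("\\", 1)[-1]
        if "\\" not in path:
            flags.append("bare-name")            # resolved via the search path at logon
        if any(mk in plow for mk in PROFILE_MARKERS):
            flags.append("user-profile-path")    # autostart from a user-writable folder
        if base in WINDOWS_CORE and not plow.startswith("c:\\windows\\system32\\"):
            flags.append("core-binary-name-outside-system32")
        if m["key"].lower().startswith("policies\\"):
            flags.append("policies-run-key")     # rarely used by ordinary software
    elif (m := RE_O23.match(line)):
        if "(file missing)" in m["path"].lower():
            flags.append("service-file-missing")   # orphaned service registration
        if m["owner"].lower() == "unknown owner":
            flags.append("service-unknown-owner")  # no vendor in the file's version info
    elif (m := RE_R.match(line)):
        data = m["data"].strip()
        host = urlparse(data).hostname if data else None
        if host and host not in DEFAULT_URL_HOSTS:
            flags.append("non-default-url:" + host)
    return flags


def triage(log_text: str) -> dict:
    """Map each flagged line to its flags; lines with nothing to review are omitted."""
    result = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (flags := triage_line(line)):
            result[line] = flags
    return result


if __name__ == "__main__":
    for line, flags in triage(SAMPLE_LOG).items():
        print(", ".join(flags), "<-", line)
```

Running it on the sample prints four flagged lines; a full log is handled the same way by passing its text to triage().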

Re: Hijack This Log - Trojan and Hijacker Problems

Post by km2357 » July 12th, 2010, 2:30 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If, for any reason, you do not understand an instruction or are just unsure, then please do not guess; simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan (or attempted scan, in case of some error, etc.)!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Post by JayneM » July 12th, 2010, 8:20 pm

Thank you for such a prompt reply.

First of all, here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 18:15:05.65 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.114 [GMT -5:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = about:blank
uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {C569327E-CD0C-4542-9E82-9A4E18C97992} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AOL Fast Start] "c:\program files\america online 9.0b\AOL.EXE" -b
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.freeaddictinggames.com/game/brake-less/"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [USSShReg] c:\progra~1\uleads~1\uleadp~1\ssaver\Ussshreg.exe /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ProDsl.exe] ProDsl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [RTHDBPL] c:\documents and settings\owner\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-11 64288]
R1 AutoSave;AutoSave;c:\windows\system32\drivers\AutoSave.sys [2009-8-10 30784]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-9-10 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-9-10 394952]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 DW;DW; [x]
S2 mrtRate;mrtRate; [x]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 PRO2100W;Intel(R) PRO/DSL 2100 Modem - PPP;c:\windows\system32\drivers\p21c2kW.sys [2003-5-11 219846]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [2002-6-10 44544]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2010-2-9 10880]

=============== Created Last 30 ================

2010-07-11 15:48:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 15:47:46 1138 ---ha-w- C:\aaw7boot.cmd
2010-07-11 05:38:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:37:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:25:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 03:13:50 0 d-----w- c:\program files\Trend Micro
2010-07-10 11:26:48 0 d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09:54 0 d-----w- c:\program files\Database

==================== Find3M ====================

2010-07-12 23:15:15 114855968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-11 05:47:20 1341620 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-18 07:22:10 10646 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-05-02 00:39:37 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20:02 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35:38 45521704 -c--a-w- c:\program files\BCSETUP.EXE

============= FINISH: 18:16:16.70 ===============

When I ran the GMER program I got the blue screen of death and a boot disk error. When I rebooted the computer it said it had recovered from a serious system error and gave me the following:

BCC odp (or cdp): 10000050 BCP1: E3D27000 BCP2: 00000000 BCP3: ED0BBC3E BCP4: 00000001 OSVer: 5_1_2600 SP: 2_0 Product: 768_1

The technical data said:

C:\DOCUME~1\owner\LOCALS~1\Temp\\WER8899.dir00\Mini071210~01.dmp

C:/DOCUME~1/owner/LOCALS~1\Temp\WER8899.dir00\sysdata.xml

My partner here had put Adaware on the computer since I published my Hijack This log, without my knowledge, and swears they did nothing else to the computer. Should I post a new Hijack This log? (They promised NOT TO TOUCH IT AGAIN)
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Post by km2357 » July 13th, 2010, 2:36 pm

No need to post a new HiJackThis Log. :)

I would like for you to run DDS again and post back the contents of Attach.txt. Just post it normally, no need to attach it.

Since GMER gave you troubles, I'll have you try another rootkit scanner in this post.


Looking over your log, I don't see any evidence of anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these vendors NOW:

1) Antivir PersonalEdition Classic
2) avast! Home Edition

Download and install only one!


Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


In your next post/reply, I need to see the following:

1. The Attach.txt Log
2. The SysProt Log
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Post by JayneM » July 13th, 2010, 10:23 pm

DDS:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/11/2003 10:12:55 PM
System Uptime: 7/13/2010 7:33:50 PM (2 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2532/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 108 GiB total, 66.382 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.448 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E969-E325-11CE-BFC1-08002BE10318}
Description: Standard floppy disk controller
Device ID: ACPI\PNP0700\3&13C0B0C5&0
Manufacturer: (Standard floppy disk controllers)
Name: Standard floppy disk controller
PNP Device ID: ACPI\PNP0700\3&13C0B0C5&0
Service: fdc

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: SCSI/RAID Host Controller
Device ID: ROOT\SMPLSCSI\0000
Manufacturer: Unknown Manufacturer
Name: SCSI/RAID Host Controller
PNP Device ID: ROOT\SMPLSCSI\0000
Service: SMPLSCSI

==== System Restore Points ===================

RP366: 4/15/2010 3:00:23 AM - Software Distribution Service 3.0
RP367: 4/15/2010 2:15:25 PM - Software Distribution Service 3.0
RP368: 4/16/2010 3:00:19 AM - Software Distribution Service 3.0
RP369: 4/17/2010 3:00:27 AM - Software Distribution Service 3.0
RP370: 4/18/2010 3:00:35 AM - Software Distribution Service 3.0
RP371: 4/19/2010 3:00:29 AM - Software Distribution Service 3.0
RP372: 4/19/2010 7:36:40 PM - Software Distribution Service 3.0
RP373: 4/20/2010 3:00:20 AM - Software Distribution Service 3.0
RP374: 4/21/2010 3:00:26 AM - Software Distribution Service 3.0
RP375: 4/22/2010 3:00:18 AM - Software Distribution Service 3.0
RP376: 4/22/2010 9:34:21 PM - Software Distribution Service 3.0
RP377: 4/23/2010 12:15:48 AM - Software Distribution Service 3.0
RP378: 4/23/2010 3:00:18 AM - Software Distribution Service 3.0
RP379: 4/24/2010 3:00:26 AM - Software Distribution Service 3.0
RP380: 4/24/2010 6:14:19 PM - Software Distribution Service 3.0
RP381: 4/25/2010 3:00:35 AM - Software Distribution Service 3.0
RP382: 4/26/2010 3:00:25 AM - Software Distribution Service 3.0
RP383: 4/26/2010 9:02:06 AM - Software Distribution Service 3.0
RP384: 4/27/2010 3:00:30 AM - Software Distribution Service 3.0
RP385: 4/28/2010 3:00:23 AM - Software Distribution Service 3.0
RP386: 4/29/2010 3:00:18 AM - Software Distribution Service 3.0
RP387: 4/29/2010 7:55:35 AM - Software Distribution Service 3.0
RP388: 4/30/2010 7:08:57 PM - Software Distribution Service 3.0
RP389: 5/1/2010 12:48:28 AM - Software Distribution Service 3.0
RP390: 5/2/2010 3:00:23 AM - Software Distribution Service 3.0
RP391: 5/3/2010 3:00:19 AM - Software Distribution Service 3.0
RP392: 5/3/2010 10:00:33 AM - Software Distribution Service 3.0
RP393: 5/3/2010 10:02:36 PM - Software Distribution Service 3.0
RP394: 5/4/2010 3:00:19 AM - Software Distribution Service 3.0
RP395: 5/5/2010 3:00:18 AM - Software Distribution Service 3.0
RP396: 5/6/2010 3:00:23 AM - Software Distribution Service 3.0
RP397: 5/6/2010 3:45:12 PM - Software Distribution Service 3.0
RP398: 5/7/2010 3:00:28 AM - Software Distribution Service 3.0
RP399: 5/8/2010 3:00:32 AM - Software Distribution Service 3.0
RP400: 5/9/2010 3:00:36 AM - Software Distribution Service 3.0
RP401: 5/10/2010 3:00:20 AM - Software Distribution Service 3.0
RP402: 5/10/2010 7:02:59 AM - Software Distribution Service 3.0
RP403: 5/11/2010 3:27:35 PM - Software Distribution Service 3.0
RP404: 5/12/2010 3:00:25 AM - Software Distribution Service 3.0
RP405: 5/13/2010 3:00:27 AM - Software Distribution Service 3.0
RP406: 5/13/2010 5:22:11 AM - Software Distribution Service 3.0
RP407: 5/13/2010 5:58:30 PM - Software Distribution Service 3.0
RP408: 5/14/2010 12:42:48 AM - Software Distribution Service 3.0
RP409: 5/14/2010 3:00:20 AM - Software Distribution Service 3.0
RP410: 5/15/2010 3:00:36 AM - Software Distribution Service 3.0
RP411: 5/16/2010 3:00:20 AM - Software Distribution Service 3.0
RP412: 5/17/2010 1:46:25 AM - Software Distribution Service 3.0
RP413: 5/17/2010 6:26:58 PM - Software Distribution Service 3.0
RP414: 5/18/2010 3:00:27 AM - Software Distribution Service 3.0
RP415: 5/19/2010 3:00:19 AM - Software Distribution Service 3.0
RP416: 5/19/2010 8:10:05 AM - Software Distribution Service 3.0
RP417: 5/20/2010 3:00:25 AM - Software Distribution Service 3.0
RP418: 5/20/2010 12:55:25 PM - Software Distribution Service 3.0
RP419: 5/21/2010 1:01:59 AM - Software Distribution Service 3.0
RP420: 5/22/2010 1:23:16 AM - System Checkpoint
RP421: 5/22/2010 3:00:30 AM - Software Distribution Service 3.0
RP422: 5/23/2010 2:57:03 AM - Software Distribution Service 3.0
RP423: 5/24/2010 3:00:28 AM - Software Distribution Service 3.0
RP424: 5/24/2010 12:40:12 PM - Software Distribution Service 3.0
RP425: 5/25/2010 3:00:21 AM - Software Distribution Service 3.0
RP426: 5/25/2010 8:29:55 PM - Software Distribution Service 3.0
RP427: 5/26/2010 3:00:24 AM - Software Distribution Service 3.0
RP428: 5/26/2010 8:08:41 AM - Software Distribution Service 3.0
RP429: 5/27/2010 3:00:24 AM - Software Distribution Service 3.0
RP430: 5/27/2010 6:23:56 PM - Software Distribution Service 3.0
RP431: 5/28/2010 3:00:25 AM - Software Distribution Service 3.0
RP432: 5/28/2010 7:36:15 AM - Software Distribution Service 3.0
RP433: 5/29/2010 3:00:22 AM - Software Distribution Service 3.0
RP434: 5/30/2010 3:00:35 AM - Software Distribution Service 3.0
RP435: 5/31/2010 3:00:27 AM - Software Distribution Service 3.0
RP436: 5/31/2010 9:50:38 AM - Software Distribution Service 3.0
RP437: 6/1/2010 3:00:30 AM - Software Distribution Service 3.0
RP438: 6/2/2010 3:00:35 AM - Software Distribution Service 3.0
RP439: 6/2/2010 8:06:06 AM - Software Distribution Service 3.0
RP440: 6/3/2010 3:00:22 AM - Software Distribution Service 3.0
RP441: 6/3/2010 1:54:39 PM - Software Distribution Service 3.0
RP442: 6/4/2010 3:00:19 AM - Software Distribution Service 3.0
RP443: 6/5/2010 3:00:28 AM - Software Distribution Service 3.0
RP444: 6/6/2010 3:00:21 AM - Software Distribution Service 3.0
RP445: 6/7/2010 3:00:19 AM - Software Distribution Service 3.0
RP446: 6/7/2010 8:09:14 AM - Software Distribution Service 3.0
RP447: 6/9/2010 1:42:35 AM - Software Distribution Service 3.0
RP448: 6/10/2010 2:00:08 AM - System Checkpoint
RP449: 6/11/2010 1:46:20 AM - Software Distribution Service 3.0
RP450: 6/12/2010 2:05:08 AM - System Checkpoint
RP451: 6/12/2010 3:00:34 AM - Software Distribution Service 3.0
RP452: 6/13/2010 3:00:23 AM - Software Distribution Service 3.0
RP453: 6/14/2010 3:00:23 AM - Software Distribution Service 3.0
RP454: 6/14/2010 8:36:45 PM - Software Distribution Service 3.0
RP455: 6/15/2010 3:00:26 AM - Software Distribution Service 3.0
RP456: 6/15/2010 8:13:38 AM - Software Distribution Service 3.0
RP457: 6/16/2010 3:00:24 AM - Software Distribution Service 3.0
RP458: 6/17/2010 3:00:25 AM - Software Distribution Service 3.0
RP459: 6/17/2010 11:38:06 AM - Software Distribution Service 3.0
RP460: 6/18/2010 2:54:48 AM - 6-18 before limewire
RP461: 6/18/2010 3:00:29 AM - Software Distribution Service 3.0
RP462: 6/19/2010 3:00:31 AM - Software Distribution Service 3.0
RP463: 6/20/2010 3:00:25 AM - Software Distribution Service 3.0
RP464: 6/21/2010 3:00:35 AM - Software Distribution Service 3.0
RP465: 6/21/2010 7:37:59 PM - Software Distribution Service 3.0
RP466: 6/22/2010 3:00:21 AM - Software Distribution Service 3.0
RP467: 6/23/2010 3:00:33 AM - Software Distribution Service 3.0
RP468: 6/23/2010 8:04:30 AM - Software Distribution Service 3.0
RP469: 6/24/2010 3:00:26 AM - Software Distribution Service 3.0
RP470: 6/24/2010 7:47:50 AM - Software Distribution Service 3.0
RP471: 6/24/2010 5:39:13 PM - Software Distribution Service 3.0
RP472: 6/25/2010 3:00:27 AM - Software Distribution Service 3.0
RP473: 6/26/2010 3:00:34 AM - Software Distribution Service 3.0
RP474: 6/27/2010 3:00:24 AM - Software Distribution Service 3.0
RP475: 6/28/2010 3:00:20 AM - Software Distribution Service 3.0
RP476: 6/28/2010 7:27:38 AM - Software Distribution Service 3.0
RP477: 6/28/2010 9:50:16 PM - Software Distribution Service 3.0
RP478: 6/29/2010 3:00:21 AM - Software Distribution Service 3.0
RP479: 6/29/2010 7:42:22 AM - Software Distribution Service 3.0
RP480: 6/30/2010 3:00:28 AM - Software Distribution Service 3.0
RP481: 7/1/2010 3:00:26 AM - Software Distribution Service 3.0
RP482: 7/1/2010 8:07:50 AM - Software Distribution Service 3.0
RP483: 7/1/2010 4:26:19 PM - Software Distribution Service 3.0
RP484: 7/1/2010 4:52:08 PM - Software Distribution Service 3.0
RP485: 7/2/2010 7:24:52 PM - System Checkpoint
RP486: 7/3/2010 3:00:19 AM - Software Distribution Service 3.0
RP487: 7/4/2010 3:00:19 AM - Software Distribution Service 3.0
RP488: 7/5/2010 3:00:24 AM - Software Distribution Service 3.0
RP489: 7/5/2010 4:45:55 PM - before open port download
RP490: 7/5/2010 9:59:07 PM - Software Distribution Service 3.0
RP491: 7/6/2010 2:43:18 AM - Software Distribution Service 3.0
RP492: 7/7/2010 3:00:29 AM - Software Distribution Service 3.0
RP493: 7/7/2010 11:19:33 PM - Software Distribution Service 3.0
RP494: 7/8/2010 12:00:48 AM - Software Distribution Service 3.0
RP495: 7/8/2010 3:00:22 AM - Software Distribution Service 3.0
RP496: 7/9/2010 1:52:55 AM - Software Distribution Service 3.0
RP497: 7/9/2010 3:00:22 AM - Software Distribution Service 3.0
RP498: 7/9/2010 8:20:47 AM - Software Distribution Service 3.0
RP499: 7/10/2010 3:00:34 AM - Software Distribution Service 3.0
RP500: 7/10/2010 10:13:49 PM - Installed HiJackThis
RP501: 7/11/2010 3:00:22 AM - Software Distribution Service 3.0
RP502: 7/12/2010 3:00:24 AM - Software Distribution Service 3.0
RP503: 7/12/2010 3:09:41 PM - Software Distribution Service 3.0
RP504: 7/13/2010 1:20:12 AM - Software Distribution Service 3.0

==== Installed Programs ======================


3DVIA player 4.1
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Shockwave Player 11.5
Amatrol Multimedia Content Manager
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
AutoSave
AutoUpdate
Avanquest update
Bookkeeper
CCleaner
Civilization III
Coloreal
CompuServe
Detto IntelliMover Demo
DivX
DivX Player
DjVu Browser Plug-in 4.1
easy Internet sign-up
Entriq MediaSphere 3.4.0.15
ExamView Pro
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 950c series (Remove only)
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) Extreme Graphics Driver
Internet TRiLOGI (Educational)
InterVideo WinDVD 4
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment Standard Edition v1.3.1_09
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.2_11
Java Web Start
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
LimeWire 5.5.9
Malware Destroyer
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Standard Edition
Microsoft Office Excel Viewer 2003
Microsoft Office XP Small Business
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Microtek ScanSuite 1.11
Microtek ScanWizard
Microtek ScanWizard for Windows NT V2.49
Move Networks Media Player for Internet Explorer
MPIO Manager 2
MPIO Plugins Pack
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
My Free Antivirus v2.2
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PdfEdit995
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
Radio@Netscape
RealPlayer
RecordNow
RecordNow Update Manager
Registry Mechanic 5.2
S3Display
S3Gamma2
S3Info2
S3Overlay
ScanWizard 5
Secure Game Player
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Shockwave
ShowBiz
Simple Installer - Multilanguage Version
SmartDraw 6
SmartDraw Photo
Spybot - Search & Destroy
Spybot - Search & Destroy 1.2
TaxCut Deluxe 2005
TaxCut Premium 2006
TES Construction Set
TrojanHunter 5.2
Ulead PhotoImpact 4.0
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB955759)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WatchGuard Mobile VPN with SSL client 10
WebFldrs XP
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinZip
Yahoo! Login
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

7/13/2010 12:43:03 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/12/2010 7:07:21 PM, error: System Error [1003] - Error code 10000050, parameter1 e3d27000, parameter2 00000000, parameter3 ed9bbc3e, parameter4 00000001.
7/12/2010 10:32:52 PM, error: Dhcp [1002] - The IP address lease 192.168.113.3 for the Network Card with network address 00FFC8DCF993 has been denied by the DHCP server 192.168.113.254 (The DHCP Server sent a DHCPNACK message).
7/11/2010 3:33:21 AM, error: Dhcp [1002] - The IP address lease 192.168.113.2 for the Network Card with network address 00FFC8DCF993 has been denied by the DHCP server 192.168.113.254 (The DHCP Server sent a DHCPNACK message).
7/11/2010 3:00:48 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft XML Core Services 6.0 Service Pack 2 (KB954459).
7/11/2010 2:26:31 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SMPLSCSI
7/11/2010 2:26:23 AM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
7/11/2010 2:26:23 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
7/10/2010 6:06:59 PM, error: Dhcp [1002] - The IP address lease 207.191.200.153 for the Network Card with network address 0010DC8E975A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

Downloaded Avast. Will follow the rest of your instructions in my next post.
JayneM
Regular Member
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 13th, 2010, 10:37 pm

SysProt Log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 764
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 852
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 876
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 920
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 932
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1084
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1132
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Defender\MsMpEng.exe
PID: 1224
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1264
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1380
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1880
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2000
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
PID: 2036
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
PID: 128
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\cisvc.exe
PID: 156
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
PID: 188
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 292
Hidden: No
Window Visible: No

Name: C:\Program Files\Viewpoint\Common\ViewpointService.exe
PID: 452
Hidden: No
Window Visible: No

Name: C:\WINDOWS\wanmpsvc.exe
PID: 492
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 552
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 1920
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 236
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 364
Hidden: No
Window Visible: No

Name: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PID: 2116
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\cidaemon.exe
PID: 2864
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 2084
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wuauclt.exe
PID: 3668
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 1632
Hidden: No
Window Visible: No

Name: C:\Program Files\QuickTime\qttask.exe
PID: 328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ps2.EXE
PID: 3448
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system\hpsysdrv.exe
PID: 2176
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
PID: 2096
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 2204
Hidden: No
Window Visible: No

Name: C:\WINDOWS\ALCXMNTR.EXE
PID: 2196
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1180
Hidden: No
Window Visible: No

Name: C:\Program Files\America Online 9.0b\waol.exe
PID: 612
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 2680
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3064
Hidden: No
Window Visible: No

Name: C:\Program Files\America Online 9.0b\shellmon.exe
PID: 2516
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\notepad.exe
PID: 1816
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\notepad.exe
PID: 2856
Hidden: No
Window Visible: Yes

Name: C:\WINDOWS\system32\msiexec.exe
PID: 3184
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PID: 3564
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PID: 580
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office\WINWORD.EXE
PID: 1616
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Money\System\urlmap.exe
PID: 3228
Hidden: No
Window Visible: No

Name: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
PID: 2920
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Owner\Desktop\SysProt\SysProt\SysProt.exe
PID: 3780
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Owner\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: EEFA6000
Module End: EEFB1000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806FD000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806FD000
Module End: 8071DD00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F8981000
Module End: F8983000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F8891000
Module End: F8894000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F8432000
Module End: F8460000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F8983000
Module End: F8985000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F8421000
Module End: F8432000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F8481000
Module End: F848A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F8985000
Module End: F8987000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F8701000
Module End: F8708000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F8491000
Module End: F849C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F8402000
Module End: F8421000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F8709000
Module End: F870E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F84A1000
Module End: F84AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F83EA000
Module End: F8402000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\SMPLSCSI.SYS
Service Name: SMPLSCSI
Module Base: F84B1000
Module End: F84C0000
Hidden: No

Module Name: \WINDOWS\System32\drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: F83D2000
Module End: F83EA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F84C1000
Module End: F84CA000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F84D1000
Module End: F84DE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F83B2000
Module End: F83D2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F83A0000
Module End: F83B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F84E1000
Module End: F84F0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: F8711000
Module End: F8716000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F8389000
Module End: F83A0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F82FC000
Module End: F8389000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F82CF000
Module End: F82FC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp1.sys
Service Name: viaagp1
Module Base: F8719000
Module End: F8720000
Hidden: No

Module Name: srescan.sys
Service Name: srescan
Module Base: F82BB000
Module End: F82CF000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\SISAGP.sys
Service Name: SISAGP
Module Base: F8721000
Module End: F8728000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: F84F1000
Module End: F8500000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: F8501000
Module End: F850E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F82A0000
Module End: F82BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agp440.sys
Service Name: agp440
Module Base: F8511000
Module End: F851C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: F8541000
Module End: F8551000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F8561000
Module End: F856A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: F7A42000
Module End: F7AF7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F7A2E000
Module End: F7A42000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F8751000
Module End: F8756000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F7A0B000
Module End: F7A2E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F8759000
Module End: F8760000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
Service Name: ltmodem5
Module Base: F7976000
Module End: F7A0B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: F8761000
Module End: F8769000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
Service Name: rtl8139
Module Base: F8769000
Module End: F876F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F8571000
Module End: F857C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pfc.sys
Service Name: pfc
Module Base: F896D000
Module End: F8970000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F8581000
Module End: F858E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F8591000
Module End: F85A0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F7953000
Module End: F7976000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: F7726000
Module End: F7953000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F7702000
Module End: F7726000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F85A1000
Module End: F85B0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F85B1000
Module End: F85C1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\serenum.sys
Service Name: Serenum
Module Base: F8979000
Module End: F897D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F76EE000
Module End: F7702000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F85C1000
Module End: F85CE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F8771000
Module End: F8777000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\PS2.sys
Service Name: Ps2
Module Base: F8779000
Module End: F877F000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F8781000
Module End: F8787000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F8B1C000
Module End: F8B1D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F85D1000
Module End: F85DE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F897D000
Module End: F8980000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F76D7000
Module End: F76EE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F85E1000
Module End: F85EC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F85F1000
Module End: F85FD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F8789000
Module End: F878E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F76C6000
Module End: F76D7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F8601000
Module End: F860A000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F8791000
Module End: F8796000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F8799000
Module End: F879E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanatw4.sys
Service Name: wanatw
Module Base: F87A1000
Module End: F87A7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tap0901.sys
Service Name: tap0901
Module Base: F87A9000
Module End: F87B0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F8611000
Module End: F861B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F89B3000
Module End: F89B5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F766D000
Module End: F76C6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F8270000
Module End: F8274000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F8621000
Module End: F862B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F8691000
Module End: F86A0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F89CB000
Module End: F89CD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klif.sys
Service Name: KLIF
Module Base: EF3B5000
Module End: EF3D8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F89D5000
Module End: F89D7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F8BB1000
Module End: F8BB2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F89D7000
Module End: F89D9000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F87F9000
Module End: F87FF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F89D9000
Module End: F89DB000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F89DB000
Module End: F89DD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\AutoSave.SYS
Service Name: AutoSave
Module Base: F8801000
Module End: F8808000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F8811000
Module End: F8819000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F894D000
Module End: F8950000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EF282000
Module End: EF295000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EF22A000
Module End: EF282000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EF202000
Module End: EF22A000
Hidden: No

Module Name: C:\WINDOWS\System32\vsdatant.sys
Service Name: vsdatant
Module Base: EF1A2000
Module End: EF202000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EF161000
Module End: EF182000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: EF13E000
Module End: EF161000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F86A1000
Module End: F86AA000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EF11C000
Module End: EF13E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: F86B1000
Module End: F86C0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F86C1000
Module End: F86CA000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Drivers\SbcpHid.sys
Service Name: SbcpHid
Module Base: F8821000
Module End: F8827000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EF0C9000
Module End: EF0F4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EF014000
Module End: EF083000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Service Name: USBSTOR
Module Base: F8829000
Module End: F8830000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7B87000
Module End: F7B90000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: F8839000
Module End: F8840000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: EEF96000
Module End: EEFA6000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EE853000
Module End: EE86B000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F89D3000
Module End: F89D5000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EEE55000
Module End: EEE58000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: EECC9000
Module End: EECCE000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F8AEE000
Module End: F8AEF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F890D000
Module End: F8911000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EE4DF000
Module End: EE50B000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ASPI32.SYS
Service Name: ASPI32
Module Base: EE5F3000
Module End: EE5F6000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS
Service Name: CdaD10BA
Module Base: EE5EF000
Module End: EE5F2000
Hidden: No

Module Name: \??\C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS
Service Name: ONSIO
Module Base: EE3AF000
Module End: EE3EF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EE330000
Module End: EE387000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EDDF3000
Module End: EDE08000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EE170000
Module End: EE17F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EDCC4000
Module End: EDD05000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Service Name: Aavmker4
Module Base: F8889000
Module End: F888F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Service Name: aswMon2
Module Base: ED75C000
Module End: ED773000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS
Service Name: aswSP
Module Base: ED735000
Module End: ED75C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswFsBlk.SYS
Service Name: aswFsBlk
Module Base: EDFAC000
Module End: EDFAF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Service Name: aswRdr
Module Base: F8851000
Module End: F8856000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Service Name: aswTdi
Module Base: EF4D9000
Module End: EF4E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: ED692000
Module End: ED6BD000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F89A7000
Module End: F89A9000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F8809000
Module End: F880E000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: ED73DCD2
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwConnectPort
Address: EF1D5040
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateFile
Address: EF1D1930
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: ED73DB8E
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreatePort
Address: EF1D5510
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateWaitablePort
Address: EF1D5600
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteFile
Address: EF1D1F20
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: ED73E142
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteValueKey
Address: ED73E06C
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: ED73D764
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwLoadKey
Address: EF1DD8B0
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenFile
Address: EF1D1D70
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenKey
Address: ED73DC68
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: ED73D6A4
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenThread
Address: ED73D708
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryValueKey
Address: ED73DD88
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRenameKey
Address: ED73E210
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwReplaceKey
Address: EF1DDCB0
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRequestWaitReplyPort
Address: EF1D4C00
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: ED73DD48
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSetInformationFile
Address: EF1D2120
Driver Base: EF1A2000
Driver End: EF202000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: ED73DEC8
Driver Base: ED735000
Driver End: ED75C000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwLoadDriver
At Address: 805B9849
Jump To: ED74AAFE
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwCreateSection
At Address: 8056CE25
Jump To: ED74A9C4
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwCreateProcessEx
At Address: 8058AB6C
Jump To: ED74ABA0
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObMakeTemporaryObject
At Address: 805A80B6
Jump To: ED7465B4
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 8056CBBF
Jump To: ED747F6C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObDereferenceSecurityDescriptor
At Address: 8056CBBF
Jump To: ED747F6C
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\catalog.wci
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}
Status: Access denied
JayneM
Regular Member
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby km2357 » July 14th, 2010, 2:42 pm

Since you've downloaded and installed Avast, please go to Add/Remove Programs and uninstall the following:

My Free Antivirus v2.2

Reboot your Computer.


IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 5.5.9

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Reboot your computer after you have uninstalled the programs above.

Please run DDS when finished and post the log back here.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 14th, 2010, 7:04 pm

Ok, removed My Free Antivirus (is that one of the fake programs?) and Limewire (knew that was coming, but the instructions said not to change anything until you said to :)

Did a hard reboot.

New DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:53:32.40 on Wed 07/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.92 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ps2.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = about:blank
uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {C569327E-CD0C-4542-9E82-9A4E18C97992} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.freeaddictinggames.com/game/brake-less/"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [USSShReg] c:\progra~1\uleads~1\uleadp~1\ssaver\Ussshreg.exe /r
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ProDsl.exe] ProDsl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [RTHDBPL] c:\documents and settings\owner\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-11 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-13 165456]
R1 AutoSave;AutoSave;c:\windows\system32\drivers\AutoSave.sys [2009-8-10 30784]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-9-10 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-9-10 394952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-13 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-13 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-13 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-13 40384]
S1 DW;DW; [x]
S2 mrtRate;mrtRate; [x]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 PRO2100W;Intel(R) PRO/DSL 2100 Modem - PPP;c:\windows\system32\drivers\p21c2kW.sys [2003-5-11 219846]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [2002-6-10 44544]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2010-2-9 10880]

=============== Created Last 30 ================

2010-07-14 02:20:00 38848 ----a-w- c:\windows\avastSS.scr
2010-07-14 02:19:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-11 15:48:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:37:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:25:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 03:13:50 0 d-----w- c:\program files\Trend Micro
2010-07-10 11:26:48 0 d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09:54 0 d-----w- c:\program files\Database

==================== Find3M ====================

2010-07-14 22:43:12 1344500 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-14 22:43:12 114858016 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-18 07:22:10 10646 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-05-02 00:39:37 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20:02 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35:38 45521704 -c--a-w- c:\program files\BCSETUP.EXE

============= FINISH: 17:58:01.10 ===============

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby km2357 » July 14th, 2010, 10:12 pm

Ok, removed My Free Antivirus (is that one of the fake programs?)

I've never heard of My Free AntiVirus before; did you knowingly download and install it on your computer? Whether it's good or bad (and if it is bad, it's a good thing we removed it), we needed to uninstall it because you installed Avast on your computer and you don't need two AntiViruses running at the same time. Having two AVs at the same time can cause conflicts and crashes.


Please disable avast! Antivirus, as it may interfere with the fixes. Remember to re-enable it before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings

If the above doesn't work, do the following:

Right click on the toolbar icon, then pull down "avast shield control" and click "Disable for 1 hour".


Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 14th, 2010, 10:19 pm

Edited to add:
I stopped protection for Avast.
I did manage to unclick the self-defense module under Troubleshooting. Going to work on the rest of it now.

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 15th, 2010, 3:06 am

Whew, I had a few problems with that; here is the ComboFix.txt log:

ComboFix 10-07-14.02 - Owner 07/15/2010 1:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.132 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\patch.exe
c:\windows\system\olepro32.dll
c:\windows\system\VB40032.DLL
c:\windows\system32\_007089_.tmp.dll
c:\windows\system32\_007090_.tmp.dll
c:\windows\system32\_007091_.tmp.dll
c:\windows\system32\_007092_.tmp.dll
c:\windows\system32\_007099_.tmp.dll
c:\windows\system32\_007100_.tmp.dll
c:\windows\system32\_007101_.tmp.dll
c:\windows\system32\_007102_.tmp.dll
c:\windows\system32\_007104_.tmp.dll
c:\windows\system32\_007105_.tmp.dll
c:\windows\system32\_007108_.tmp.dll
c:\windows\system32\_007109_.tmp.dll
c:\windows\system32\_007111_.tmp.dll
c:\windows\system32\_007112_.tmp.dll
c:\windows\system32\_007113_.tmp.dll
c:\windows\system32\_007114_.tmp.dll
c:\windows\system32\_007115_.tmp.dll
c:\windows\system32\_007118_.tmp.dll
c:\windows\system32\_007119_.tmp.dll
c:\windows\system32\_007123_.tmp.dll
c:\windows\system32\_007124_.tmp.dll
c:\windows\system32\_007126_.tmp.dll
c:\windows\system32\_007129_.tmp.dll
c:\windows\system32\_007131_.tmp.dll
c:\windows\system32\_007132_.tmp.dll
c:\windows\system32\_007133_.tmp.dll
c:\windows\system32\_007134_.tmp.dll
c:\windows\system32\_007135_.tmp.dll
c:\windows\system32\_007138_.tmp.dll
c:\windows\system32\_007139_.tmp.dll
c:\windows\system32\_007140_.tmp.dll
c:\windows\system32\_007141_.tmp.dll
c:\windows\system32\_007142_.tmp.dll
c:\windows\system32\_007147_.tmp.dll
c:\windows\system32\_007149_.tmp.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\eventmgr.exe
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-15 05:06 . 2010-07-15 05:14 -------- d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04 . 2010-07-15 05:05 -------- d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41 . 2010-07-15 03:42 -------- d-----w- C:\32788R22FWJFW.1.tmp
2010-07-14 02:20 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-14 02:20 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-14 02:20 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-14 02:20 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-14 02:20 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-14 02:20 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-14 02:20 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-14 02:20 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-14 02:19 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-14 02:19 . 2010-07-14 02:19 -------- d-----w- c:\program files\Alwil Software
2010-07-14 02:19 . 2010-07-14 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-11 15:48 . 2010-07-06 17:28 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38 . 2010-07-06 17:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:38 . 2010-07-11 05:38 -------- dc----w- c:\windows\system32\DRVSTORE
2010-07-11 05:37 . 2010-07-11 05:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:27 . 2010-07-11 05:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2010-07-11 05:25 . 2010-07-11 05:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 05:23 . 2010-07-11 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-11 03:13 . 2010-07-11 03:32 -------- d-----w- c:\program files\Trend Micro
2010-07-10 11:26 . 2010-07-10 11:30 -------- d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09 . 2010-07-08 04:10 -------- d-----w- c:\program files\Database

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 06:47 . 2008-09-11 05:07 115308576 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-07-15 06:14 . 2008-09-11 05:07 1351652 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 03:47 . 2003-06-12 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-14 22:40 . 2009-08-24 12:56 -------- d-----w- c:\program files\LimeWire
2010-07-11 15:47 . 2004-10-01 01:24 -------- d-----w- c:\program files\TrojanHunter 4.0
2010-07-11 05:23 . 2003-05-18 16:27 -------- d-----w- c:\program files\Lavasoft
2010-07-11 02:21 . 2006-05-04 00:47 -------- d-----w- c:\program files\CCleaner
2010-07-08 05:02 . 2008-08-22 15:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-19 10:15 . 2003-05-12 00:46 -------- d-----w- c:\program files\hp deskjet 950c series
2010-06-18 01:45 . 2002-10-29 21:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-10 02:53 . 2009-11-24 01:48 -------- d-----w- c:\program files\TrojanHunter 5.2
2010-05-21 19:14 . 2009-10-03 06:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2010-02-10 01:02 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-11-14 06:41 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-05-02 00:39 . 2009-05-02 00:39 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20 . 2009-03-24 17:19 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35 . 2009-01-11 22:17 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2003-07-29 05:15 . 2007-10-23 17:54 307200 -c--a-w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 05:15 . 2007-10-23 17:54 303104 -c--a-w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 05:15 . 2007-10-23 17:54 311296 -c--a-w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 05:15 . 2007-10-23 17:54 299008 -c--a-w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 05:15 . 2007-10-23 17:54 299008 -c--a-w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 05:15 . 2007-10-23 17:54 290816 -c--a-w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 05:15 . 2007-10-23 17:54 122880 -c--a-w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2002-10-01 548933]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-21 143360]
"USSShReg"="c:\progra~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe" [1997-11-23 20992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-16 180269]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-03 98304]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"ProDsl.exe"="ProDsl.exe" [2003-05-12 118784]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 196608]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"nwiz"="nwiz.exe" [2002-10-01 372736]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2009-12-18 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2005-07-12 05:17 50776 -c--a-w- c:\program files\America Online 9.0b\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2008-06-24 18:34 41824 -c--a-w- c:\program files\Common Files\AOL\1127589096\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 -c--a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
2009-10-12 17:22 1063072 ----a-w- c:\program files\TrojanHunter 5.2\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127589096\\ee\\aolsoftware.exe"=
"c:\\Program Files\\America Online 9.0b\\waol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/11/2010 12:38 AM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/13/2010 9:20 PM 165456]
R1 AutoSave;AutoSave;c:\windows\system32\drivers\AutoSave.sys [8/10/2009 8:07 PM 30784]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/13/2010 9:20 PM 17744]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 11:14 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S1 DW;DW; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/6/2010 12:28 PM 1352832]
S2 mrtRate;mrtRate; [x]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\msCMTSrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 PRO2100W;Intel(R) PRO/DSL 2100 Modem - PPP;c:\windows\system32\drivers\p21c2kW.sys [5/11/2003 10:26 PM 219846]
S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [6/10/2002 2:20 PM 44544]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2/9/2010 8:01 PM 10880]
.
Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 17:28]

2010-07-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uLocal Page = about:blank
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{C569327E-CD0C-4542-9E82-9A4E18C97992} - (no file)
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe
MSConfigStartUp-ThreatFire - c:\program files\ThreatFire\TFTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 01:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe???????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3984)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-15 02:01:05
ComboFix-quarantined-files.txt 2010-07-15 07:01

Pre-Run: 70,829,318,144 bytes free
Post-Run: 70,777,905,152 bytes free

- - End Of File - - 4B24EA9B5E8EFFC487BA5C6D237D9A53
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm
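The log above carries the three findings a helper reads off by eye: catchme reports RTHDBPL under Policies\Explorer\Run pointing at a file named lsass.exe inside Application Data\SystemProc (a core-process name loaded from outside system32, which ComboFix also listed under ORPHANS REMOVED), the standard firewall profile has EnableFirewall set to 0, and TCP 3389 sits in GloballyOpenPorts. The Python below is an added example, not part of the forum post and not ComboFix or catchme code: it parses the text layout of the Reg Loading Points, catchme and firewall-policy sections as posted and applies those checks mechanically. The list of protected process names and the sample log (lines copied from the post) are assumptions of the example.

```python
"""Flag masquerading autostarts and weak firewall policy in a ComboFix log.

Added example; it is not part of the forum post and not ComboFix or catchme
code. It reads the text layout of the 'Reg Loading Points', catchme and
firewall-policy sections exactly as they are posted and applies three checks
a malware helper normally applies by eye.
"""
import re

# Core Windows process names that only ever run from the Windows directory
# (assumed list for the example).
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# First drive-letter path ending in .exe inside a registry value; stops at the
# quote, bracket or '?' padding that catchme prints after a hidden value.
PATH_RE = re.compile(r'([a-z]:\\[^\[\]"?]+?\.exe)', re.IGNORECASE)

# Constructed sample: lines copied from the posted log, one block per format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe???????????
"""


def parse_entries(log_text):
    """Yield (key, value_name, value) from bracketed or bare registry headers."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):        # REGEDIT4 style
            key = line[1:-1]
            continue
        if line.upper().startswith("HK") and "=" not in line:  # catchme style
            key = line
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        yield key, name.strip().strip('"'), value.strip()


def is_masquerade(path):
    """True when a core-process file name is loaded from outside the Windows dir."""
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    return name in SYSTEM_NAMES and parent not in SYSTEM_DIRS


def audit(log_text):
    """Return (check, value_name, detail) tuples for every suspicious entry."""
    findings = []
    for key, name, value in parse_entries(log_text):
        k = key.lower()
        m = PATH_RE.search(value)
        path = m.group(1) if m else None
        if path and is_masquerade(path):
            findings.append(("masquerade", name, path))
        if k.endswith("policies\\explorer\\run"):
            findings.append(("policy-run", name, path or value))
        if (k.endswith("firewallpolicy\\standardprofile")
                and name.lower() == "enablefirewall" and value.startswith("0")):
            findings.append(("firewall-off", name, value))
        if k.endswith("globallyopenports\\list"):
            findings.append(("open-port", name, value))
    return findings


if __name__ == "__main__":
    for check, name, detail in audit(SAMPLE_LOG):
        print(f"{check:13} {name:16} {detail}")
```

The masquerade check keys on file name plus parent directory rather than on the name alone, because lsass.exe in system32 is legitimate and the same name under a user profile is not; the Policies\Explorer\Run hit is listed separately because that key is honoured by Explorer but skipped by most startup viewers.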

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby km2357 » July 15th, 2010, 2:41 pm

Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    File::
    
    c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    c:\windows\pss\LimeWire On Startup.lnk
    
    Folder::
    
    c:\program files\LimeWire
    
    Registry::
    
    [-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    
    DDS::
    
    uLocal Page = about:blank
    uDefault_Page_URL = about:blank
    uSearch Page = 
    uSearch Bar = 
    mSearchAssistant = 
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Note: This CFScript is for use on JayneM's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
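The script above is a plain text file: each section starts with a keyword ending in "::" (KILLALL::, File::, Folder::, Registry::, DDS::) and lists one target per line, and the note that it is for JayneM's machine only is the important caveat, since File:: and Folder:: entries are deletions. The Python below is an added example, not ComboFix code and not from the post: it parses that layout and refuses any file, folder or registry target that does not appear in the machine's own ComboFix log, or that sits under the Windows directory. The protected-prefix list is an assumption of the example, the sample log is the startup-folder block from the posted log, and the sample script is the helper's File:: and Registry:: entries plus one constructed bad target (c:\windows\system32\lsass.exe, which was never in the helper's script) to exercise the refusal.

```python
"""Parse a ComboFix CFScript and cross-check its targets against the log.

Added example; it is not ComboFix code and not from the forum post. A CFScript
is a plain text file whose sections start with a keyword ending in '::'
(KILLALL::, File::, Folder::, Registry::, DDS::) followed by one target per
line. The helper's note that the script is for one machine only becomes a
check here: every file, folder and registry key the script would delete must
appear in that machine's ComboFix log, and nothing under the Windows directory
may be a target.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Targets under these prefixes are refused regardless of the log (assumption
# of the example: a helper never deletes Windows' own files via a CFScript).
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\system")

# Constructed sample log: the startup-folder lines from the posted log.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
"""

# Constructed sample script: the helper's File:: and Registry:: entries plus
# one deliberately bad File:: target (c:\windows\system32\lsass.exe) that was
# NOT in the helper's script, added to exercise the protected-path check.
SAMPLE_SCRIPT = r"""
KILLALL::

File::

c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\windows\pss\LimeWire On Startup.lnk
c:\windows\system32\lsass.exe

Registry::

[-HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"""


def parse_cfscript(text):
    """Map each section keyword to the list of non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_key(line):
    """'[-HKLM\\...\\key]' -> 'hklm\\...\\key'; the leading '-' marks a delete."""
    return line.strip("[]").lstrip("-").lower()


def validate(script_text, log_text):
    """Return (reason, target) pairs for every target that should not run."""
    sections = parse_cfscript(script_text)
    log = log_text.lower()
    problems = []
    for target in sections.get("File", []) + sections.get("Folder", []):
        t = target.lower()
        if t.startswith(PROTECTED_PREFIXES):
            problems.append(("protected", target))
        elif t not in log:
            problems.append(("not-in-log", target))
    for line in sections.get("Registry", []):
        if line.startswith("[") and registry_key(line) not in log:
            problems.append(("not-in-log", line))
    return problems


if __name__ == "__main__":
    for reason, target in validate(SAMPLE_SCRIPT, SAMPLE_LOG):
        print(f"REFUSE {reason}: {target}")
```

Run against a log that does not list a target, the check reports it as not-in-log rather than silently letting the deletion through, which is the failure the "for JayneM's computer only" warning is guarding against.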

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 16th, 2010, 10:04 am

I'm sorry, I have to put this on hold a couple days. After my last post my hard drive crashed, and I have thus far been unable to regain an operating system. I've tried everything. I thought I finally had it, got a screen to let me restore from my last restore point, but every restore point I had put it was gone. The only one left is a restore point created AFTER the computer crash. I'm at work for a short time so I wanted to update you. IF I can manage to get my XP back I'll come back in and post. I'm trying to avoid reformatting the entire hard drive, and losing everything.

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 16th, 2010, 12:45 pm

Duke, you may have to start a new topic, this one is mine :)

Somehow, I have no idea how, I finally accomplished it, I got my operating system back. The anti-virus program has been de-activated, so I have to load that again. I will be back with a new Hijack This log, and hopefully a new DDS log, since I believe the entire configuration of the computer may be different now.

My apologies JayneM/km2357, I have removed the misplaced post into its own topic - Dakeyras.

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby km2357 » July 16th, 2010, 3:01 pm

Nice work on getting your computer back up and running. :)

Go ahead and post a fresh DDS and Attach.txt logs when you get them.

After my last post my hard drive crashed, and I have thus far been unable to regain an operating system.


When your computer crashed, did it happen before you were able to do my last post (running the CFScript) or did it happen after you did that step?