Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Hijack This Log - Trojan and Hijacker Problems


Re: Hijack This Log - Trojan and Hijacker Problems

Post by km2357 » July 19th, 2010, 2:34 pm

JayneM? Any update(s) regarding your situation?
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Post by JayneM » July 19th, 2010, 4:34 pm

Hey there! It's been a long week. I've never had a computer crash as badly as this one and been able to recover it. That's the good news; the bad news is there is still a bad bug in it. I am unable to even get to THIS forum from the home computer, or any website even remotely related to security. I managed some workarounds and saved my Hijack This log and DDS log from the home computer:

These are the notes I put in another forum I COULD access, but never got a response there -- I'll just have to respond to you during the day on this work computer, and try to implement your instructions in the evening.

*************
Running an old Windows XP Home Edition, 2003.

At the beginning of the week I was having problems with Trojans and redirects, which for the most part were fixed, with help from people at malwareremovalforum.com. Then, something caused my entire system to crash... no operating system, no restore... nothing. After 3 days of work I finally got my operating system back, the files were intact, but a lot of the original components of the system were there. I switched to Firefox because I was having problems getting Internet Explorer to run properly.

The lingering problem is that something is preventing Windows Update (this could be because my XP is old and they aren't available anymore?), but I am also blocked from most internet sites, including the malwareremoval forum I was working in, ZDnet, Symantec, Microsoft, TrendMicro, etc. etc, and while I was finally able to reload Malwarebytes removal and Avast, I cannot update them, and every scan tells me there is nothing wrong.

I'm attaching a Hijack This log, and a DDS log. You may notice ComboFix loaded on my computer. That was the next step the other forum was ready for, and I have not run it because I don't have the knowledge to run it.

Any help would be appreciated. I can't even locate the name of whatever virus or trojan is in the computer, because it seems anytime I get close the computer prevents it (kind of eerie). I'm actually afraid that once I sign out of here the computer will recognize this as an anti-virus site as well and I won't be able to get back in, but I could possibly try it from a different computer on Monday.

HIJACK THIS:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:37 PM, on 7/18/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\qe31oah0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4729 bytes


DDS:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2010 12:37:18 AM
System Uptime: 7/17/2010 9:06:40 PM (19 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel® Pentium® 4 CPU 2.53GHz | Socket 478 | 2533/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 108 GiB total, 31.501 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.45 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/16/2010 5:37:26 AM - System Checkpoint
RP2: 7/16/2010 9:16:21 AM - Restore Operation
RP3: 7/16/2010 12:03:29 PM - after big restore
RP4: 7/16/2010 12:50:04 PM - avast! Free Antivirus Setup
RP5: 7/16/2010 11:58:45 AM - avast! Free Antivirus Setup
RP6: 7/16/2010 1:09:26 PM - avast! Free Antivirus Setup
RP7: 7/16/2010 1:17:34 PM - Removed Norton AntiVirus 2003
RP8: 7/17/2010 1:29:24 PM - System Checkpoint
RP9: 7/17/2010 6:59:16 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP10: 7/17/2010 8:38:34 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.

==== Installed Programs ======================


Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
America Online
avast! Free Antivirus
Coloreal
CompuServe
Detto IntelliMover Demo
easy Internet sign-up
HijackThis 2.0.2
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel® 82845G Graphics Driver Software
InterVideo WinDVD 4
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.6)
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
ShowBiz
Simple Installer - Multilanguage Version
Viewpoint Media Player (Remove Only)
WebFldrs XP
Windows XP Hotfix (SP2) [See q330638 for more information]
Windows XP Hotfix (SP2) [See Q331060 for more information]
Yahoo! Essentials
Yahoo! Internet Mail
Yahoo! Login
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/17/2010 4:17:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/17/2010 3:38:56 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/17/2010 3:37:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
7/17/2010 3:37:06 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
7/17/2010 3:16:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/17/2010 3:16:29 PM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/17/2010 3:16:29 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the jmnozj service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the helpsvc service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the EventSystem service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the CryptSvc service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service has not been started.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service has not been started.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service has not been started.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Portable Media Serial Number service failed to start due to the following error: All pipe instances are busy.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Messenger service failed to start due to the following error: All pipe instances are busy.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 4:23:25 AM, error: Dhcp [1002] - The IP address lease 207.191.200.153 for the Network Card with network address 0010DC8E975A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/16/2010 4:20:33 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/16/2010 4:20:32 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
7/16/2010 4:20:32 AM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 10:45:10 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E9376CC6-121A-447E-81CF-D8BCC200007C}

==== End Of File ===========================

One other note: I think those restore points are gone. The computer shut down last night (I think it overheated) and when I booted back up all the restore points were gone.

Oh, and as to your question: "When your computer crashed, did it happen before you were able to do my last post (running the CFScript) or did it happen after you did that step?" I think it was after I ran Combofix.... I had forgotten I even got to run Combofix at all.
I didn't complete all the steps you had listed though, I just ran the program.
JayneM
Regular Member
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Post by km2357 » July 19th, 2010, 7:55 pm

JayneM wrote: These are the notes I put in another forum I COULD access, but never got a response there -- I'll just have to respond to you during the day on this work computer, and try to implement your instructions in the evening.


Since you can post here now, you should let this other forum know that you're being helped here, if you haven't already. :)

Since your computer is back to Windows XP SP1, do not use the computer for normal web surfing until we can get it upgraded to Windows XP SP3. Only use it when running scans/tools on it and use your work computer to post any logs I ask for, until we can get your computer at home to where it can post the logs in the thread by itself.

JayneM wrote: (I think it overheated)


Has your computer ever overheated before? And if it has, how frequently does it overheat?


The DDS Log you posted was just the Attach.txt log. I need to see the main DDS Log (DDS.txt). Go ahead and run DDS again and post the contents of DDS.txt in your next post/reply.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
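The Event Viewer section of the Attach.txt log posted above is worth decoding before any tool is run. The DCOM 10005 entries quote Win32 error %1058, which is ERROR_SERVICE_DISABLED, for both BITS and wuauserv, the two services Windows Update depends on; that is consistent with the update failure JayneM describes, whatever its cause turns out to be. The following is an added example (not DDS code, not the helper's method): a Python triage of those lines that groups Service Control Manager and DCOM errors by service, decodes the quoted Win32 codes, separates "disabled" from "binary missing", and lists names absent from a short baseline. The sample lines are copied from the posted log; the BASELINE set and WIN32_ERRORS table are the example's own, deliberately incomplete, assumptions, and a name absent from the baseline means "check it by hand", not "malware" (OEM and third-party services are common). Note that the log names the same service two ways (CryptSvc in 7011 events, Cryptographic Services in 7000 events), so both forms sit in the baseline.

```python
"""Triage the 'Event Viewer Messages' section of a DDS Attach.txt log.
Added example, not DDS code.  Sample lines are copied from the posted log;
WIN32_ERRORS and BASELINE are this example's own, deliberately short,
assumptions: a name missing from BASELINE means "check by hand"."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of the posted Attach.txt event section.
SAMPLE_EVENTS = """\
7/17/2010 4:17:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/17/2010 3:38:56 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/17/2010 3:37:06 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
7/17/2010 3:16:29 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the jmnozj service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the CryptSvc service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 10:45:10 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E9376CC6-121A-447E-81CF-D8BCC200007C}
"""

# Win32 error numbers that DCOM 10005 events quote as "%NNNN" (winerror.h).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    126: "ERROR_MOD_NOT_FOUND",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
}

# Illustrative baseline of Windows XP service names, in both the short form
# used by 7011 events and the display form used by 7000/7001/7023 events.
BASELINE = {
    "bits", "wuauserv", "wzcsvc", "shellhwdetection", "schedule", "helpsvc",
    "eventsystem", "cryptsvc", "audiosrv", "netman", "lanmanserver", "w32time",
    "application management", "windows time", "server", "cryptographic services",
    "com+ event system", "help and support", "messenger", "network connections",
    "computer browser", "portable media serial number", "system event notification",
}

EVENT_RE = re.compile(
    r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M, (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<event>\d+)\] - (?P<msg>.*)$"
)
DCOM_RE = re.compile(r'DCOM got error "%(\d+)" attempting to start the service (\S+)')
TIMEOUT_RE = re.compile(r"waiting for a transaction response from the (\S+) service\.?$")
FAILED_RE = re.compile(r"^The (.+?) service (?:failed to start|terminated) .*?error: (.*)$")
DEPENDS_RE = re.compile(r"^The (.+?) service depends on the (.+?) service which failed")


class Observation(NamedTuple):
    event: int            # Event Viewer event ID (7000, 7011, 7023, 10005, ...)
    code: Optional[int]   # Win32 error number when the message quotes one
    detail: str


def parse_event(line: str) -> Optional[Tuple[str, Observation]]:
    """Map one Event Viewer line to (service name, observation), or None when
    the line is not a service start/stop failure this parser understands."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event, msg = int(m.group("event")), m.group("msg")
    if event == 10005 and (d := DCOM_RE.search(msg)):
        code = int(d.group(1))
        return d.group(2), Observation(event, code, WIN32_ERRORS.get(code, "unlisted Win32 error"))
    if event == 7011 and (t := TIMEOUT_RE.search(msg)):
        return t.group(1), Observation(event, None, "SCM timed out waiting for the service")
    if event in (7000, 7023) and (f := FAILED_RE.match(msg)):
        return f.group(1), Observation(event, None, f.group(2))
    if event == 7001 and (d := DEPENDS_RE.match(msg)):
        return d.group(2), Observation(event, None, f"failed; {d.group(1)} depends on it")
    return None


def triage_events(text: str) -> Dict[str, List[Observation]]:
    by_service: Dict[str, List[Observation]] = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed:
            service, obs = parsed
            by_service[service].append(obs)
    return dict(by_service)


def classify(by_service: Dict[str, List[Observation]]) -> Dict[str, List[str]]:
    """Split services into: disabled (1058), binary missing, not in baseline."""
    missing_words = ("cannot find the file", "module could not be found")

    def any_obs(name, pred):
        return any(pred(o) for o in by_service[name])

    return {
        "disabled": sorted(s for s in by_service if any_obs(s, lambda o: o.code == 1058)),
        "binary_missing": sorted(s for s in by_service if any_obs(
            s, lambda o: o.event in (7000, 7023) and any(w in o.detail for w in missing_words))),
        "not_in_baseline": sorted(s for s in by_service if s.lower() not in BASELINE),
    }


def render(by_service: Dict[str, List[Observation]]) -> str:
    lines = [f"{k}: {', '.join(v) or '-'}" for k, v in classify(by_service).items()]
    for service, obs in by_service.items():
        lines.append(service)
        lines.extend(f"    [{o.event}] {o.detail}" + (f" (Win32 {o.code})" if o.code else "")
                     for o in obs)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage_events(SAMPLE_EVENTS)))
```

The three buckets call for different follow-ups: a 1058 service is configured not to start and the question is who set it; a "binary missing" service still has a registry entry pointing at a file that is gone; a name outside the baseline needs its ImagePath looked up before anything is decided about it.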

Re: Hijack This Log - Trojan and Hijacker Problems

Post by JayneM » July 20th, 2010, 11:36 am

I will try to find the link (it is on the home computer). I will almost have to do SOME web browsing in order to e-mail myself the logs, so the sooner I can get upgraded to at least SP2 the better. Is it true that some of the older machines do not upgrade smoothly to SP3?

I will see if I can get home at lunchtime and run the DDS log, but I'm wondering if something is preventing me from running the whole thing. We shall see. I'll come right back and post it here.

Yes the computer overheats now and then, even though it is properly vented. Usually I don't leave it on as much as I have this week.
UPDATED TO ADD: I informed the other site, I still hadn't received a response at any rate.

Can I install Windows SP2 from an installation CD I downloaded from the microsoft site?
JayneM
Regular Member
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Post by km2357 » July 20th, 2010, 3:00 pm

JayneM wrote: Is it true that some of the older machines do not upgrade smoothly to SP3?


Not sure, depends on how old the computer is. How old is your computer?


JayneM wrote: UPDATED TO ADD: I informed the other site, I still hadn't received a response at any rate.


Ok. :)

JayneM wrote: Can I install Windows SP2 from an installation CD I downloaded from the microsoft site?


It's best not to update your computer (to SP2 or 3) while there is malware/spyware on the computer. The malware can cause problems with the updating process and cause Windows not to successfully install the updates. Hold onto the SP2 CD for now, you can use it later to update to SP2, then go right from there to SP3.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Post by JayneM » July 20th, 2010, 4:23 pm

Thank you - this Compaq 6000 computer is... seriously... about 7 years old, but it was pretty state of the art when I got it and had a lot of extras. This is the first problem I've had with it.

I will hold off on installing the Windows XP service pack, and I will do my best to get a DDS log to post in the morning. I may try to get another Hijack This log too, just to see if anything has changed. If there is anything else and you are still around today, please let me know, since this process is going to be convoluted. Thanks for hanging with me!
JayneM
Regular Member
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Post by km2357 » July 20th, 2010, 7:56 pm

Having the same computer for 7 years is a pretty long time, but I don't think it should have any problems updating to SP3 when we get to it. You mentioned this being the first time you ever had a problem with it.

JayneM wrote: Thanks for hanging with me!


Thank you for sticking through this with me as well. :)

JayneM wrote: I will hold off on installing the Windows XP service pack, and I will do my best to get a DDS log to post in the morning. I may try to get another Hijack This log too, just to see if anything has changed.


Ok, go ahead and try to get the main DDS Log (DDS.txt) if you can. If you can't, I have another tool I can have you use to get a log to see what's going on with your computer.

Also, I'll be away from my computer most of the day tomorrow (Wednesday, July 21st). So, if I do need to reply to you, it'll be sometime Wednesday night.
km2357
MRU Master
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Post by JayneM » July 21st, 2010, 9:42 am

I believe this is the new DDS info



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/15/2010 10:37:18 PM
System Uptime: 7/20/2010 4:23:33 PM (3 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2532/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 108 GiB total, 32.108 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.45 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
America Online
avast! Free Antivirus
Coloreal
CompuServe
Detto IntelliMover Demo
HijackThis 2.0.2
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) 82845G Graphics Driver Software
InterVideo WinDVD 4
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.6)
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
ShowBiz
Simple Installer - Multilanguage Version
Viewpoint Media Player (Remove Only)
WebFldrs XP
Windows XP Hotfix (SP2) [See q330638 for more information]
Windows XP Hotfix (SP2) [See Q331060 for more information]
Yahoo! Login
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/18/2010 12:34:20 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
7/17/2010 2:17:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/17/2010 1:38:57 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/17/2010 1:37:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
7/17/2010 1:37:06 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
7/17/2010 1:16:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/17/2010 1:16:29 PM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/17/2010 1:16:29 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
7/16/2010 8:45:10 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E9376CC6-121A-447E-81CF-D8BCC200007C}
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the jmnozj service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the helpsvc service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the EventSystem service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the CryptSvc service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
7/16/2010 4:59:56 AM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 4:59:56 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service has not been started.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service has not been started.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service has not been started.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The Portable Media Serial Number service failed to start due to the following error: All pipe instances are busy.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The Messenger service failed to start due to the following error: All pipe instances are busy.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 4:59:56 AM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 2:23:25 AM, error: Dhcp [1002] - The IP address lease 207.191.200.153 for the Network Card with network address 0010DC8E975A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/16/2010 2:20:33 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/16/2010 2:20:32 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
7/16/2010 2:20:32 AM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:27:27.15 on Tue 07/20/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.503.215 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [TkBellExe] c:\program files\common files\real\update_ob\realsched.exe -osboot
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\hp\region\customizeIe.wsf
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
mPolicies-explorer: <NO NAME> =
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com
Trusted Zone: malwareremoval.com\www
Trusted Zone: zdnet.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/aut ... 01-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3 ... 02-win.cab
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... 01-win.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0s5iph3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\g0s5iph3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-16 165456]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
S2 jmnozj;Shell Update;c:\windows\system32\svchost.exe -k netsvcs [2002-11-14 12800]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2010-07-18 01:21:19 704 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-18 00:36:49 16384 ---ha-w- C:\SZKGFS.dat
2010-07-18 00:01:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-17 23:59:42 0 d-----w- c:\program files\common files\iS3
2010-07-17 23:59:39 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-17 08:19:46 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-17 08:19:46 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-17 08:01:55 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-16 18:09:53 38848 ----a-w- c:\windows\avastSS.scr
2010-07-16 17:09:53 0 d-----w- c:\docume~1\owner\applic~1\Symantec
2010-07-16 17:09:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-07-16 17:09:42 0 d-----w- c:\program files\Symantec
2010-07-16 14:20:36 3144 -c--a-w- c:\windows\system32\dllcache\srgb.icm
2010-07-16 14:16:54 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-16 08:14:03 51072 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-16 08:14:03 23424 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-16 08:11:13 40960 ----a-w- c:\windows\SET5678.tmp
2010-07-16 08:11:04 0 d-----w- c:\program files\America Online 7.0
2010-07-16 02:48:38 0 ----a-w- c:\windows\system32\wmsoft70333.exe
2010-07-15 17:32:57 0 ----a-w- c:\windows\system32\wmsoft55153.exe
2010-07-15 17:32:53 82 ----a-w- c:\windows\system32\i
2010-07-15 15:38:01 24960 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-15 11:04:12 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-15 11:04:12 1246208 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-07-15 05:06:51 0 d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04:10 0 d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41:01 0 d-----w- C:\32788R22FWJFW.1.tmp
2010-07-15 02:41:31 0 d-sha-r- C:\cmdcons
2010-07-15 02:37:14 98816 ----a-w- c:\windows\sed.exe
2010-07-15 02:37:14 77312 ----a-w- c:\windows\MBR.exe
2010-07-15 02:37:14 256512 ----a-w- c:\windows\PEV.exe
2010-07-15 02:37:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 02:19:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-11 15:48:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:37:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:25:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 03:13:50 0 d-----w- c:\program files\Trend Micro
2010-07-10 11:26:48 0 d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09:54 0 d-----w- c:\program files\Database

==================== Find3M ====================

2010-07-15 08:04:37 1352732 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 08:04:37 115341344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-05-02 00:39:37 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20:02 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35:38 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2002-08-29 12:00:00 164823 --sha-r- c:\windows\system32\wjnrtv.dll
2009-08-17 04:55:16 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x1\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat
2009-09-07 15:35:20 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x2\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 19:29:07.45 ===============

When the computer rebooted it attempted to install a Windows Service Pack 2 update, but failed.
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 21st, 2010, 6:58 pm

Okay, ignore the previous DDS log please. My Avast did a boot scan, and seems to have removed a worm, plus it looks like SP 2 might have installed. I don't know if that means everything is fixed, but the fact that I'm posting here from my home computer is a good sign!

New DDS stuff:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2010 4:37:18 AM
System Uptime: 7/20/2010 7:55:55 PM (10 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel(R) Pentium(R) 4 CPU 2.53GHz | Socket 478 | 2533/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 108 GiB total, 30.459 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.45 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/20/2010 7:46:29 PM - System Checkpoint
RP2: 7/20/2010 8:24:26 PM - After trying automatic system restore
RP3: 7/20/2010 9:44:46 PM - before sp2
RP4: 7/20/2010 9:45:14 PM - restore 2
RP5: 7/20/2010 10:34:07 PM - 11:30 pm before cd
RP6: 7/20/2010 10:50:16 PM - Installed Windows XP Service Pack 2.
RP7: 7/20/2010 11:29:50 PM - Installed Windows XP KB873339.
RP8: 7/20/2010 1:05:52 PM - Installed Windows XP Service Pack 2.
RP9: 7/20/2010 1:16:13 PM - Installed Windows XP KB873339.
RP10: 7/20/2010 1:18:52 PM - Installed Windows XP KB885835.

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
America Online
avast! Free Antivirus
Coloreal
CompuServe
Detto IntelliMover Demo
HijackThis 2.0.2
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel(R) 82845G Graphics Driver Software
InterVideo WinDVD 4
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.7)
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
ShowBiz
Simple Installer - Multilanguage Version
Viewpoint Media Player (Remove Only)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows XP Service Pack 2
Yahoo! Login
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/21/2010 5:35:26 AM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: The specified module could not be found.
7/18/2010 6:34:20 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
7/17/2010 8:17:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/17/2010 7:38:58 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/17/2010 7:37:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
7/17/2010 7:37:06 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
7/17/2010 7:16:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/17/2010 7:16:29 PM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/17/2010 7:16:29 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
7/16/2010 8:23:25 AM, error: Dhcp [1002] - The IP address lease 207.191.200.153 for the Network Card with network address 0010DC8E975A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/16/2010 8:20:33 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/16/2010 8:20:32 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
7/16/2010 8:20:32 AM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 2:45:10 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E9376CC6-121A-447E-81CF-D8BCC200007C}
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the jmnozj service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the helpsvc service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the EventSystem service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the CryptSvc service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
7/16/2010 10:59:56 AM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 10:59:56 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service has not been started.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service has not been started.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service has not been started.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The Portable Media Serial Number service failed to start due to the following error: All pipe instances are busy.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The Messenger service failed to start due to the following error: All pipe instances are busy.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 10:59:56 AM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 5:52:13.60 on Wed 07/21/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.287 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [TkBellExe] c:\program files\common files\real\update_ob\realsched.exe -osboot
mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\custom~1.lnk - c:\hp\region\customizeIe.wsf
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
mPolicies-explorer: <NO NAME> =
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: aol.com
Trusted Zone: malwareremoval.com\www
Trusted Zone: malwareremovalforum.com\www
Trusted Zone: microsoft.com\www
Trusted Zone: zdnet.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 9682232875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/aut ... 01-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3 ... 02-win.cab
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... 01-win.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0s5iph3.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox? ... S:official
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\g0s5iph3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\j2re1.4.0\bin\NPJPI140_01.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-16 165456]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
S2 jmnozj;Shell Update;c:\windows\system32\svchost.exe -k netsvcs [2002-11-14 14336]
S2 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2010-07-21 05:03:45 81920 ------w- c:\windows\system32\ieencode.dll
2010-07-21 04:50:11 19528 ----a-w- c:\windows\002063_.tmp
2010-07-21 04:03:06 0 dc----w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-20 19:14:32 0 d-----w- c:\windows\LastGood.Tmp
2010-07-20 19:05:12 19528 ----a-w- c:\windows\000001_.tmp
2010-07-18 01:21:19 704 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-18 00:36:49 16384 ---ha-w- C:\SZKGFS.dat
2010-07-18 00:01:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-17 23:59:42 0 d-----w- c:\program files\common files\iS3
2010-07-17 23:59:39 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-17 08:19:46 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-07-17 08:19:46 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-07-17 08:01:55 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-16 18:09:53 38848 ----a-w- c:\windows\avastSS.scr
2010-07-16 17:09:53 0 d-----w- c:\docume~1\owner\applic~1\Symantec
2010-07-16 17:09:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-07-16 17:09:42 0 d-----w- c:\program files\Symantec
2010-07-16 14:20:36 3144 -c--a-w- c:\windows\system32\dllcache\srgb.icm
2010-07-16 14:16:54 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-16 08:14:03 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-16 08:14:03 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-07-16 08:11:13 40960 ----a-w- c:\windows\SET5678.tmp
2010-07-16 08:11:04 0 d-----w- c:\program files\America Online 7.0
2010-07-16 02:48:38 0 ----a-w- c:\windows\system32\wmsoft70333.exe
2010-07-15 17:32:57 0 ----a-w- c:\windows\system32\wmsoft55153.exe
2010-07-15 17:32:53 82 ----a-w- c:\windows\system32\i
2010-07-15 15:38:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-15 11:04:12 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2010-07-15 11:04:12 1246208 ----a-w- c:\windows\system32\ALSNDMGR.CPL
2010-07-15 05:06:51 0 d-----w- C:\32788R22FWJFW.3.tmp
2010-07-15 05:04:10 0 d-----w- C:\32788R22FWJFW.2.tmp
2010-07-15 03:41:01 0 d-----w- C:\32788R22FWJFW.1.tmp
2010-07-15 02:41:31 0 d-sha-r- C:\cmdcons
2010-07-15 02:37:14 98816 ----a-w- c:\windows\sed.exe
2010-07-15 02:37:14 77312 ----a-w- c:\windows\MBR.exe
2010-07-15 02:37:14 256512 ----a-w- c:\windows\PEV.exe
2010-07-15 02:37:14 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 02:19:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-11 15:48:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-11 05:38:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-11 05:37:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-11 05:25:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 03:13:50 0 d-----w- c:\program files\Trend Micro
2010-07-10 11:26:48 0 d-----w- c:\windows\system32\NtmsData
2010-07-08 04:09:54 0 d-----w- c:\program files\Database

==================== Find3M ====================

2010-07-15 08:04:37 1352732 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-07-15 08:04:37 115341344 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-05-02 00:39:37 7848712 -c--a-w- c:\program files\InstallWizard101.exe
2009-03-24 17:20:02 1470664 -c--a-w- c:\program files\WG-MVPN-SSL.exe
2009-01-11 22:35:38 45521704 -c--a-w- c:\program files\BCSETUP.EXE
2009-08-17 04:55:16 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x1\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat
2009-09-07 15:35:20 470 --sha-r- c:\windows\system32\config\systemprofile\my documents\c & j auto\x2\c\documents and settings\owner\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 5:53:51.84 ===============
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm
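As an added example (not part of this thread and not code from the DDS tool): a small Python triage script that parses lines in the shape of the SERVICES / DRIVERS and Created Last 30 sections above and flags the entries a helper would look at first, namely a service with no image file on disk, a service hiding in the shared svchost.exe group under a random-looking name, and a zero-byte or extension-less file dropped into system32. The sample lines are copied from the log above; the regexes and the "random name" heuristic are my assumptions about the DDS layout, not its specification.

```python
import re

# Constructed sample in the shape of the DDS log above (lines copied from
# its SERVICES / DRIVERS and "Created Last 30" sections).
SAMPLE_LOG = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-16 165456]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-16 40384]
S2 jmnozj;Shell Update;c:\windows\system32\svchost.exe -k netsvcs [2002-11-14 14336]
S2 mrtRate;mrtRate; [x]
2010-07-16 02:48:38 0 ----a-w- c:\windows\system32\wmsoft70333.exe
2010-07-15 17:32:53 82 ----a-w- c:\windows\system32\i
2010-07-15 11:04:12 942604 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
"""

# Assumed DDS service line: <state> <name>;<display name>;<image path> [<date size>]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# Assumed DDS file line: <timestamp> <size> <attributes> <path>
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

def looks_random(name):
    """Heuristic: a lowercase-only name of 6+ letters with few vowels, e.g. 'jmnozj'."""
    if not name.isalpha() or name != name.lower() or len(name) < 6:
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3

def triage(log_text):
    """Return (line, reason) pairs for entries a reviewer should check first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, image, stamp = m.groups()
            if stamp == "x" or not image:
                findings.append((line, "service has no image file on disk"))
            elif "svchost.exe -k" in image.lower():
                why = "service runs inside the shared svchost.exe group; verify its DLL"
                if looks_random(name) or name.lower() != display.lower():
                    why += "; random-looking name or display-name mismatch"
                findings.append((line, why))
            continue
        m = FILE_RE.match(line)
        if m:
            stamp, size, attrs, path = m.groups()
            low = path.lower()
            if low.endswith(EXEC_EXT) and int(size) == 0:
                findings.append((line, "zero-byte executable in a system folder"))
            elif "\\system32\\" in low and "." not in low.rsplit("\\", 1)[-1]:
                findings.append((line, "extension-less file written into system32"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```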

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 21st, 2010, 7:01 pm

Oh, I might have gone a little crazy with the system restore points...
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby km2357 » July 21st, 2010, 11:25 pm

It does indeed look like SP2 successfully installed. :) How did it get installed?

My Avast did a boot scan, and seems to have removed a worm
Do you remember the name/file location of the worm that Avast removed? If you can, open up Avast and get the log from that boot scan and post it in your next post/reply.

Also, earlier you mentioned:

The lingering problem is that something is preventing Windows Update (this could be because my XP is old and they aren't available anymore?), but I am also blocked from most internet sites, including the malwareremoval forum I was working in, ZDnet, Symantec, Microsoft, TrendMicro, etc. etc
Is this still happening?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 22nd, 2010, 9:43 am

When I get home I will see if I can post the Avast log. I know that the worm was in WIN32, but can't remember the rest of it.

In order to get to anti-virus websites I stopped DNS caching. I attempted to install SP2 myself (sorry, got impatient), but it stalled out and didn't work. I rebooted and the Windows Security Center window came up, then later when I checked SP2 WAS installed. I think it's a miracle... that's what I'm going with. :)
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 22nd, 2010, 8:52 pm

This is the virus/worm my Avast deleted, thank you SO MUCH for suggesting Avast, couldn't have done it without it

*RAW:C/WINDOWS\system32\wjnrtv.dll Severity: High Threat: Win32:Confi [wrm] (deleted)

It found five other things on 7/18, but I can't figure out how to copy the log....4 other Win32:Confi worms, 1 lower risk killt.exe file.
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby km2357 » July 23rd, 2010, 2:21 pm

Thanks for the Avast information. :)

I still need to know this:
The lingering problem is that something is preventing Windows Update (this could be because my XP is old and they aren't available anymore?), but I am also blocked from most internet sites, including the malwareremoval forum I was working in, ZDnet, Symantec, Microsoft, TrendMicro, etc. etc
Is this still happening?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Hijack This Log - Trojan and Hijacker Problems

Unread postby JayneM » July 23rd, 2010, 6:25 pm

No, I can get to any site I need to, including this one, and I can update and register all my anti-virus programs.
JayneM
Regular Member
 
Posts: 28
Joined: July 10th, 2010, 11:25 pm