Malware highjack report.

Post by spanishfroggy » January 29th, 2011, 2:32 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:19 AM, on 1/29/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Normal

Running processes:
F:\Windows\system32\taskeng.exe
F:\Windows\system32\taskeng.exe
F:\Program Files\IObit\Game Booster\gbtray.exe
F:\Windows\system32\Dwm.exe
F:\Windows\Explorer.EXE
F:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
F:\Program Files\Lexmark X5400 Series\lxdvmon.exe
F:\Program Files\Lexmark X5400 Series\lxdvamon.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\AVG\AVG10\avgtray.exe
F:\Program Files\Windows Media Player\wmpnscfg.exe
F:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
F:\Program Files\Synaptics\SynTP\SynTPHelper.exe
F:\Program Files\Lexmark X5400 Series\FRun.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Users\The Boss\Downloads\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=4vsEgJZP3ykqnCOG1okVfA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:27811
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - F:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] F:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UCam_Menu] "F:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "F:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [lxdvmon.exe] "F:\Program Files\Lexmark X5400 Series\lxdvmon.exe"
O4 - HKLM\..\Run: [lxdvamon] "F:\Program Files\Lexmark X5400 Series\lxdvamon.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] F:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: @F:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @F:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - F:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - F:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - F:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - F:\Windows\system32\lxctcoms.exe
O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - F:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdvserv.exe
O23 - Service: lxdv_device - - F:\Windows\system32\lxdvcoms.exe
O23 - Service: MotoConnect Service - Unknown owner - F:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - F:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7203 bytes

My laptop continually crashes in Internet Explorer and Firefox. Slow speed also. No error messages or codes. Also, I am unable to download or run the trendmicro hijackthis 2.0.4

Re: Malware highjack report.

Post by askey127 » February 1st, 2011, 4:19 pm

Hi spanishfroggy,
Open Notepad. (Start, Programs, Accessories, Notepad)
Click on the Format Menu at the top, then click once on Word Wrap. If you click on the Format Menu again, it should show Word Wrap Unchecked.
We need all unwrapped lines to analyze logs.
I notice Windows is on the F: drive. Please tell me what else is on the machine. Other systems?
-----------------------------------------------------------
Now a question:
Tell me whether you set up this proxy server yourself:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:27811

MyWebSearch.com is a site of dubious repute, to be gracious. It's on lists of sites needing to be blocked. I would avoid it. I will remove it as your start page.
It's rated as a high risk malware site here: http://hosts-file.net/default.asp?s=mywebsearch.com
(Classification of EMD)
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator")
Click Do System Scan Only. When the Scan is complete, Check the following entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=4vsEgJZP3ykqnCOG1okVfA

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------------------
Post a New HiJackThis Log
Start HijackThis (right-click and "Run as administrator")
Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl +A), copy (Ctrl+C) and paste (Ctrl+V) the log contents into a reply.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

Use separate replies if you prefer.

askey127
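As an added illustration of how the entries askey127 singles out can be checked mechanically (this is example code written for this page, not code from HijackThis, from MalwareRemoval.com, or from anyone in the thread), the Python script below parses HijackThis-style log lines and flags three things: a ProxyServer value that points at the loopback address, a start or search page whose domain is on a block list, and the repeated O10 "Unknown file in Winsock LSP" lines, collapsed to one finding per file. The sample lines are taken from the log posted above; the block list containing mywebsearch.com is a constructed placeholder standing in for a reputation source such as the hosts-file.net listing the reply links to; the function names (`parse_hjt`, `review`, and so on) are my own.

```python
"""Flag HijackThis log entries of the kind a helper asks the poster about.

Added example for this thread; not HijackThis code and not MalwareRemoval.com tooling.
Sample lines are taken from the log posted above; the block list is a constructed
placeholder, not a real reputation feed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines lifted from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=4vsEgJZP3ykqnCOG1okVfA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:27811
O4 - HKLM\..\Run: [AVG_TRAY] F:\Program Files\AVG\AVG10\avgtray.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: f:\windows\system32\wpclsp.dll
"""

# Constructed placeholder block list; a real review consults a reputation source.
BLOCKED_DOMAINS = {"mywebsearch.com"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
# Registry value names HJT reports under R0/R1 that carry a browser URL.
BROWSER_URL_VALUES = ("Start Page", "Default_Page_URL", "Default_Search_URL",
                      "Search Page", "SearchAssistant", "CustomizeSearch")

# Every HJT entry line is "<section> - <body>", e.g. "R1 - HKCU\...,ProxyServer = ..."
ENTRY_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return [(section, body), ...] for every recognisable entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def split_registry(body):
    """'HKCU\\...\\Main,Start Page = http://x' -> ('HKCU\\...\\Main,Start Page', 'http://x').
    Split on the first '=' only: URLs and proxy strings contain '=' themselves."""
    key, _, value = body.partition("=")
    return key.strip(), value.strip()


def proxy_hosts(value):
    """'http=127.0.0.1:27811;https=proxy.example:3128' -> ['127.0.0.1', 'proxy.example']."""
    hosts = []
    for part in value.split(";"):
        hostport = part.split("=")[-1]                 # drop a 'http=' scheme prefix if present
        hosts.append(hostport.rsplit(":", 1)[0].strip().strip("[]"))
    return hosts


def on_block_list(url):
    """True when the URL's host is a blocked domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def review(entries):
    """Return (finding_kind, detail) pairs for the entries worth asking the poster about."""
    findings = []
    lsp_files = {}
    for sect, body in entries:
        if sect in ("R0", "R1"):
            key, value = split_registry(body)
            if not value:
                continue                            # empty value: nothing configured
            if key.endswith("ProxyServer"):
                if any(h in LOOPBACK_HOSTS for h in proxy_hosts(value)):
                    # A local proxy is normal for some security products but is also a
                    # classic hijack, which is why the helper asks who set it up.
                    findings.append(("proxy-loopback", value))
            elif key.endswith(BROWSER_URL_VALUES) and on_block_list(value):
                findings.append(("blocked-start-page", value))
        elif sect == "O10":
            path = body.split(":", 1)[1].strip().lower()
            lsp_files[path] = lsp_files.get(path, 0) + 1
    # Collapse the repeated O10 lines into one finding per file with a count.
    for path, n in lsp_files.items():
        findings.append(("lsp-unknown", f"{path} (x{n})"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:20s} {detail}")
```

Run against the sample it reports the mywebsearch start page, the 127.0.0.1:27811 proxy and wpclsp.dll seen twice; the yahoo.com start page and the AVG Run entry pass through. The split on the first `=` matters: the start-page URL and the `http=` proxy string both contain further `=` characters, and a naive `split("=")` would truncate them.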

Re: Malware highjack report.

Post by askey127 » February 4th, 2011, 8:17 pm

Due to Lack of Response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.