my HIJACKTHIS file

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: my HIJACKTHIS file

Post by DFW » December 11th, 2007, 3:21 am

Hi Jerry

I am basing this warning on the Jotti results, as several scans show spoolc.exe as Backdoor.Win32.Agent.cxf, but at this stage we are unable to be 100% sure exactly what danger spoolc.exe presents.
But it's better to be safe than sorry.


Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted.
Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: my HIJACKTHIS file

Post by jerry » December 11th, 2007, 1:05 pm

Hmm, well that sucks. If I redo my OS will my computer then be totally secure? If so I don't think I have the disks for an OS anymore. I am not sure I ever had them. Would you walk me through that as well?
jerry
Regular Member
 
Posts: 22
Joined: December 7th, 2007, 3:25 pm

Re: my HIJACKTHIS file

Post by DFW » December 11th, 2007, 1:24 pm

jerry wrote: Hmm, well that sucks. If I redo my OS will my computer then be totally secure? If so I don't think I have the disks for an OS anymore. I am not sure I ever had them. Would you walk me through that as well?


Yes I will, just let me know what you want to do.
DFW

Re: my HIJACKTHIS file

Post by jerry » December 11th, 2007, 3:10 pm

Will the computer be secure if I reinstall the operating system? Can the operating system be reinstalled if I don't have the disks?
jerry

Re: my HIJACKTHIS file

Post by DFW » December 12th, 2007, 7:49 am

Hi jerry

Don't forget we are basing that warning on the Jotti results, as several scans show spoolc.exe as Backdoor.Win32.Agent.cxf,
but at this stage we are unable to be 100% sure exactly what danger spoolc.exe presents.

If you reinstall the system it will be safe; however, to do this you will need a copy of your operating system.
That could be a Windows XP install disk or a recovery partition on your hard drive. Please let me know if you have either of these.

What is the make and model of your system?

It's up to you, but if you want to have a go at cleaning that's fine, or I will help you with the reinstall.
DFW

Re: my HIJACKTHIS file

Post by jerry » December 12th, 2007, 11:53 am

I think I would like to do the cleaning first and see what kind of results we get with that. Where do we start?
jerry

Re: my HIJACKTHIS file

Post by DFW » December 12th, 2007, 5:26 pm

Hi Jerry, here we go then.

Reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Open up HijackThis.
Click on "Do a system scan only".
Place a checkmark next to these lines (if still present):

O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol1040.txt

Then close all windows except HijackThis and click Fix Checked.

We now need to boot into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. (BOOT SCREEN).
At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Once in Safe Mode, delete the suspect files
Using Windows Explorer, browse for the following files and delete as instructed.
NB: Some files may have already been deleted by earlier actions, so don't worry if you do not see them:

C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\system32\sol1040.txt

Restart into normal mode and run an online scan

Kaspersky Online Scanner

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence,
click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

Go here: http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary.
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt).
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
DFW

Re: my HIJACKTHIS file

Post by jerry » December 12th, 2007, 9:14 pm

here it is
------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 12, 2007 5:11:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/12/2007
Kaspersky Anti-Virus database records: 481147
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 44359
Number of viruses found: 10
Number of infected objects: 59
Number of suspicious objects: 2
Duration of the scan process: 00:59:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodeceMedia.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodeceMedia.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Jerry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jerry\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jerry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jerry\My Documents\My Received Files\MsnMsgr.txt Object is locked skipped
C:\Documents and Settings\Jerry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jerry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\TELUS eCare\log\mpbtn.log Object is locked skipped
C:\Program Files\TELUS eCare\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\TELUS eCare\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\TELUS eCare\SmartBridge\SmartBridge.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076776.exe Infected: Trojan-Dropper.Win32.Agent.cuv skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076781.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076791.exe Infected: Trojan-Dropper.Win32.Agent.cuv skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076797.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076798.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076799.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076811.exe Infected: Trojan-Dropper.Win32.Agent.cuv skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076817.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076818.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076819.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076977.exe Infected: Trojan-Dropper.Win32.Agent.cuv skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076985.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0076986.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077209.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077212.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077213.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077226.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077227.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077228.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077243.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077244.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077245.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077265.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077266.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077267.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077282.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077283.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077284.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077301.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077302.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077303.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077336.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077337.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077338.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077364.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077365.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077366.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077381.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077384.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077385.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077412.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077413.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077414.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077429.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077430.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077431.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077442.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077443.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077444.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077445.dll Infected: Trojan.Win32.Qhost.aav skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0077446.exe Infected: not-virus:Hoax.Win32.Renos.adt skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP503\A0078485.exe Infected: Trojan-Downloader.Win32.Wixud.j skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP506\A0078656.exe Infected: Backdoor.Win32.Agent.cxf skipped
C:\System Volume Information\_restore{DD272055-3780-4F8A-90BC-9A69E6EE69F7}\RP506\change.log Object is locked skipped
C:\WINDOWS\bagvdg.exe Infected: Trojan-Spy.Win32.BZub.bvu skipped
C:\WINDOWS\bagzdg.exe Infected: Trojan-Spy.Win32.BZub.bvu skipped
C:\WINDOWS\ddexxz.exe Infected: Trojan-Downloader.Win32.Wixud.j skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\ORGANIZA-0A936E.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sol1040.txt Infected: Backdoor.Win32.Small.cmy skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_550.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT0068c.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00699.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
jerry

Re: my HIJACKTHIS file

Post by DFW » December 13th, 2007, 4:17 am

Hi Jerry

Did you have some trouble finding one of the files to delete? If so, don't worry, we will use this tool now.

1. Please download >>ComboFix<< by sUBs:
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please post a new HJT log along with the ComboFix log.
DFW

Re: my HIJACKTHIS file

Post by jerry » December 13th, 2007, 1:08 pm

ComboFix 07-12-12.3 - Jerry 2007-12-13 8:55:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.201 [GMT -8:00]
Running from: C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\OLIR4HU7\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 15:17 . 2007-12-12 15:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 15:17 . 2007-12-12 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 10:43 . 2007-12-10 10:43 16,384 --a------ C:\WINDOWS\ddexxz.exe
2007-12-09 16:16 . 2007-12-09 16:16 159,408 --a------ C:\WINDOWS\bagvdg.exe
2007-12-09 16:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-09 16:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-09 16:09 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-09 16:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-09 16:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-09 15:53 . 2007-12-09 15:53 <DIR> d-------- C:\Documents and Settings\Jerry\Application Data\Grisoft
2007-12-09 15:52 . 2007-12-09 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 15:52 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-09 11:25 . 2007-12-10 08:44 2,530 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-09 11:07 . 2007-12-09 11:07 59,392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-07 16:19 . 2007-12-07 16:19 159,408 --a------ C:\WINDOWS\bagzdg.exe
2007-12-07 14:05 . 2007-12-07 14:05 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-07 12:27 . 2007-12-07 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 12:14 . 2007-12-07 12:14 <DIR> d-------- C:\Documents and Settings\Jerry\Application Data\TrojanHunter
2007-12-07 11:41 . 2007-12-07 11:42 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-07 11:11 . 2007-12-07 11:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 12:49 . 2007-12-06 12:49 198,279 --a------ C:\WINDOWS\ddubbv.exe
2007-12-06 10:19 . 2007-12-13 09:03 1,415,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-06 10:19 . 2007-12-13 09:02 17,612 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-06 10:17 . 2007-12-06 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-06 09:02 . 2007-12-06 09:02 291,328 --a------ C:\WINDOWS\system32\libcurl.dll
2007-12-06 09:02 . 2007-12-06 09:02 138,240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-04 09:52 . 2007-12-06 09:00 18,432 --a------ C:\Documents and Settings\Jerry\nax.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 19:23 --------- d-----w C:\Program Files\DaemonTools_WhenUSave_Installer
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-07-19 20:46 8,764,420 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-06-08 13:36 5,592,532 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_06_08_06_35_41_full.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 10:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 14:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-07-12 11:17 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 16:14]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 08:50]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 15:17]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-11-17 06:52]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
IEEE 802.11g USB Wireless LAN Utility.lnk - C:\Program Files\Wireless LAN\WlanUtil.exe [2005-10-30 12:56:16]
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2006-10-09 17:50:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
S3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDPNDIS5.SYS

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 09:04:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 9:05:52 - machine was rebooted
jerry

Re: my HIJACKTHIS file

Post by jerry » December 13th, 2007, 1:09 pm

I thought I had found them both and deleted them both. Is one or both still showing?
jerry

Re: my HIJACKTHIS file

Post by DFW » December 14th, 2007, 2:22 am

Hi jerry

Thanks for the ComboFix log, however at the moment you are running ComboFix from here:
C:\Documents and Settings\Jerry\Local Settings\Temporary Internet Files\Content.IE5\OLIR4HU7\ComboFix[1].exe

We need it on your Desktop.

Please delete this one and download a new copy and save it to your Desktop.

Please download >>ComboFix<< by sUBs:

Do not click Run, click Save As, then browse for your Desktop, then Save.

NOTE: In the event you already have ComboFix, please delete it, this is a new version that I need you to download.

  • Important: Save ComboFix.exe to your Desktop

  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\ddexxz.exe
    C:\WINDOWS\bagvdg.exe
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\derc32xz.exe
    C:\WINDOWS\bagzdg.exe
    C:\WINDOWS\ddubbv.exe
    C:\WINDOWS\xnnnav.exe
    C:\Documents and Settings\Jerry\nax.exe
    C:\WINDOWS\system32\sol1040.txt
    C:\Program Files\DAEMON Tools\SetupDTSB.exe

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your Desktop.

    [screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When ComboFix has finished, run HijackThis and post a new log, along with the ComboFix log.
DFW

Re: my HIJACKTHIS file

Post by jerry » December 14th, 2007, 1:23 pm

I will do the HijackThis log right now as well.
I hope this is the right one.


ComboFix 07-12-15.1 - Jerry 2007-12-15 9:18:12.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT -8:00]
Running from: C:\Documents and Settings\Jerry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jerry\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-12 15:17 . 2007-12-12 15:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 15:17 . 2007-12-12 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-10 10:43 . 2007-12-10 10:43 16,384 --a------ C:\WINDOWS\ddexxz.exe
2007-12-09 16:16 . 2007-12-09 16:16 159,408 --a------ C:\WINDOWS\bagvdg.exe
2007-12-09 16:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-09 16:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-09 16:09 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-09 16:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-09 16:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-09 15:53 . 2007-12-09 15:53 <DIR> d-------- C:\Documents and Settings\Jerry\Application Data\Grisoft
2007-12-09 15:52 . 2007-12-09 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-09 15:52 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-09 11:25 . 2007-12-10 08:44 2,530 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-09 11:07 . 2007-12-09 11:07 59,392 --a------ C:\WINDOWS\derc32xz.exe
2007-12-07 16:19 . 2007-12-07 16:19 159,408 --a------ C:\WINDOWS\bagzdg.exe
2007-12-07 14:05 . 2007-12-07 14:05 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-07 12:27 . 2007-12-07 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 12:14 . 2007-12-07 12:14 <DIR> d-------- C:\Documents and Settings\Jerry\Application Data\TrojanHunter
2007-12-07 11:41 . 2007-12-07 11:42 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-12-07 11:11 . 2007-12-07 11:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 12:49 . 2007-12-06 12:49 198,279 --a------ C:\WINDOWS\ddubbv.exe
2007-12-06 10:19 . 2007-12-15 09:20 1,636,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-06 10:19 . 2007-12-15 09:05 19,964 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-06 10:17 . 2007-12-06 10:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-06 09:02 . 2007-12-06 09:02 291,328 --a------ C:\WINDOWS\system32\libcurl.dll
2007-12-06 09:02 . 2007-12-06 09:02 138,240 --a------ C:\WINDOWS\xnnnav.exe
2007-12-04 09:52 . 2007-12-06 09:00 18,432 --a------ C:\Documents and Settings\Jerry\nax.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 17:06 11,058,205 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-06 19:23 --------- d-----w C:\Program Files\DaemonTools_WhenUSave_Installer
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-06-08 13:36 5,592,532 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_06_08_06_35_41_full.dmp.zip
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_ 9.04.53.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-23 02:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-14 05:26:50 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-12-15 17:06:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_550.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 10:37]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 14:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-07-12 11:17 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 16:14]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 08:50]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2005-03-18 15:17]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2006-11-17 06:52]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 22:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
IEEE 802.11g USB Wireless LAN Utility.lnk - C:\Program Files\Wireless LAN\WlanUtil.exe [2005-10-30 12:56:16]
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2006-10-09 17:50:02]

R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDPNDIS5.SYS

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 09:20:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 9:21:16
C:\ComboFix2.txt ... 2007-12-15 09:13
C:\ComboFix3.txt ... 2007-12-15 08:50
jerry
Regular Member
 
Posts: 22
Joined: December 7th, 2007, 3:25 pm
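Several of the paths that DFW's CFScript put under File:: also appear in the "Files Created" section of the ComboFix log above. Checking that by hand across a long log is tedious, so here is an added Python example (my own code, not from this thread, from ComboFix or from MalwareRemoval.com) that parses a CFScript and the "Files Created" section of a ComboFix log, reports which File:: targets are still listed after the run, and queues entries for a human to look at on a few simple heuristics. The sample CFScript and log excerpt are constructed from paths that appear in the thread; the function names, the regular expression and the triage heuristics are assumptions of this example, not documented ComboFix behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a CFScript with only a File:: section, using paths named in the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\ddexxz.exe
C:\WINDOWS\system32\dumphive.exe
C:\Documents and Settings\Jerry\nax.exe
C:\Program Files\DAEMON Tools\SetupDTSB.exe
"""

# Constructed sample in the layout of ComboFix's "Files Created" section
# (created . modified  size  attributes  path). The Find3M section that follows
# has a different layout and must not be parsed as created files.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-12 15:17 . 2007-12-12 15:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-10 10:43 . 2007-12-10 10:43 16,384 --a------ C:\WINDOWS\ddexxz.exe
2007-12-09 16:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-06 10:19 . 2007-12-15 09:20 1,636,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-04 09:52 . 2007-12-06 09:00 18,432 --a------ C:\Documents and Settings\Jerry\nax.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-15 17:06 11,058,205 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
"""

@dataclass
class LogEntry:
    created: str
    modified: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str            # ComboFix attribute flags, e.g. --a------ or --ahs----
    path: str

# Assumed line layout of a "Files Created" entry (matches the excerpt above).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*?)\s*$"
)
PROFILE_ROOT_RE = re.compile(r"c:\\documents and settings\\[^\\]+")

def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into sections ('File', 'Folder', ...); a section runs from a
    line ending in '::' to the next blank line."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            current = None
        elif line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_files_created(log_text: str) -> List[LogEntry]:
    """Return the entries of the 'Files Created' section; other sections are skipped."""
    entries: List[LogEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("((((("):           # every ComboFix section header looks like this
            in_section = "Files Created" in line
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:                                   # '.' separators and blank lines do not match
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries.append(LogEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries

def reconcile(script_text: str, log_text: str) -> Dict[str, List[str]]:
    """Which File:: targets still show up in the log written after the script ran.
    'not_in_log' only means the path was not among the files created in the report
    window, not that the file is gone."""
    targets = parse_cfscript(script_text).get("File", [])
    seen = {e.path.lower() for e in parse_files_created(log_text)}   # NTFS paths are case-insensitive
    return {"still_present": [t for t in targets if t.lower() in seen],
            "not_in_log": [t for t in targets if t.lower() not in seen]}

def review_queue(entries: List[LogEntry]) -> List[Tuple[str, List[str]]]:
    """Heuristic triage prompts, not verdicts: legitimate files (a firewall's hidden
    data files, for instance) trip the attribute rule too and still need a lookup."""
    flagged: List[Tuple[str, List[str]]] = []
    for e in entries:
        if e.size is None:                      # directories are not triaged here
            continue
        low = e.path.lower()
        parent = low.rsplit("\\", 1)[0]
        reasons: List[str] = []
        if low.endswith(".exe") and parent == r"c:\windows":
            reasons.append("executable placed directly in the Windows directory")
        if low.endswith(".exe") and PROFILE_ROOT_RE.fullmatch(parent):
            reasons.append("executable placed in a user profile root")
        if "h" in e.attrs and "s" in e.attrs:
            reasons.append("hidden+system attributes")
        if reasons:
            flagged.append((e.path, reasons))
    return flagged
```

Running `reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG)` on the constructed input returns ddexxz.exe, dumphive.exe and nax.exe as still present and SetupDTSB.exe as not in the log; `review_queue` flags the two executables outside program directories and the hidden+system fidbox.dat, which is exactly the sort of entry a helper then looks up rather than deletes on sight.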

Re: my HIJACKTHIS file

Unread postby jerry » December 14th, 2007, 1:24 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:43 AM, on 15/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Wireless LAN\WlanUtil.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.jerrymarkham.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: IEEE 802.11g USB Wireless LAN Utility.lnk = C:\Program Files\Wireless LAN\WlanUtil.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... .0.0.9.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/acti ... 0.0.10.cab?
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6784 bytes
jerry
Regular Member
 
Posts: 22
Joined: December 7th, 2007, 3:25 pm

Re: my HIJACKTHIS file

Unread postby DFW » December 14th, 2007, 3:53 pm

Make sure real-time protection is still stopped, to stop it causing problems as we clean your system.



Disable Spybot's TeaTimer. This is a two step process.


First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Disable Trojan Hunter Guard until the computer is clean
Go to TrojanHunter Guard icon in the lower right corner of your screen.
It is a light blue icon with a magnifying glass that can be difficult to see, but the handle is red. Right-click it and select settings. Uncheck "Load at startup" and "Enabled".

Don't forget to re-enable them, when your computer is clean.



Disable/Check AVG Anti-Spyware

Please disable AVG Anti-Spyware until the computer is clean.
  • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
  • In the 'Resident Shield' section, toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.
  • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the Resident Shield".
  • Reply 'no' and set it to 'inactive' for the duration of your cleanup.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
File::
C:\WINDOWS\ddexxz.exe
C:\WINDOWS\bagvdg.exe
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\bagzdg.exe
C:\WINDOWS\ddubbv.exe
C:\WINDOWS\xnnnav.exe
C:\Documents and Settings\Jerry\nax.exe

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Run ATF Cleaner
Double-click the ATF Cleaner icon.
Click the Empty Selected button.
NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




PANDA ONLINE SCAN


Click HERE to Run ActiveScan online virus scan:

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.



Post the contents of the ActiveScan, a new HJT log, along with the ComboFix log.


DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK