Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Log File

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Log File

Unread postby Andy20 » July 12th, 2008, 12:07 pm

Hey guys, hope you can help me... I have had this annoying redirecting of my searches on google, what usually happens is it redirects me to a search that is called 'copy-book' and I have ran ad-aware and other spyware removers and they have removed trojans and other nasties but this search redirecting still remains! :x

Here is my log file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:58, on 12/07/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Microsoft Client] mshost.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Client] mshost.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Client] mshost.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunServices: [Microsoft Client] mshost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Support] sys32ms.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Support] sys32ms.exe (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/cli ... poti_x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} - http://208.98.1.71/talk.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5377 bytes
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm
Advertisement
Register to Remove

Re: Log File

Unread postby Shaba » July 15th, 2008, 3:20 am

Hi Andy20

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Log File

Unread postby Andy20 » July 15th, 2008, 9:19 am

Shaba wrote:Hi Andy20

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post


Thank You for that help :) I knew it might have put my personal data in danger but I never knew it was as bad as that! I'm glad you told me because since I have had this problem I haven't gone onto my internet banking. I felt a bit wary that it might have put me at risk so did not do it, I'm glad I didn't now!

I want help to clean the PC yes :) But I doubt I will go onto my Internet Banking even after it's cleaned so I will take your advice and be cautious.

Thanks again for your support, I hope you can help me to clean the PC.
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Shaba » July 15th, 2008, 9:30 am

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Log File

Unread postby Andy20 » July 15th, 2008, 2:28 pm

SDFix: Version 1.205
Run by Owner on 15/07/2008 at 18:37

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\BLING.EXE - Deleted
C:\WINDOWS\SYSTEM32\KERNEL32.EXE - Deleted
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe - Deleted
C:\WINDOWS\system32\TFTP1224 - Deleted
C:\WINDOWS\system32\TFTP2360 - Deleted
C:\WINDOWS\system32\TFTP3236 - Deleted
C:\WINDOWS\system32\TFTP6836 - Deleted
C:\WINDOWS\system32\bling.exe - Deleted
C:\WINDOWS\system32\Kernel32.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 18:53:52
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\System32\\rslocysy.exe"="C:\\WINDOWS\\System32\\rsl"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 28 Jun 2005 15 A..H. --- "C:\WINDOWS\new.exe"
Tue 15 Jul 2008 1,505 A.SH. --- "C:\WINDOWS\SYSTEM32\mmf.sys"
Sun 1 Jul 2007 1,252,875 ..SH. --- "C:\WINDOWS\SYSTEM32\pqstv.bak1"
Mon 9 Jul 2007 1,272,629 ..SH. --- "C:\WINDOWS\SYSTEM32\pqstv.bak2"
Thu 21 Jul 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 25 Nov 1992 35,904 A..HR --- "C:\Games\roadrash\TEXT\BADLOC.DLL"
Wed 25 Nov 1992 34,456 A..HR --- "C:\Games\roadrash\TEXT\FUTB.DLL"
Wed 25 Nov 1992 35,184 A..HR --- "C:\Games\roadrash\TEXT\FUTD.DLL"
Wed 25 Nov 1992 37,784 A..HR --- "C:\Games\roadrash\TEXT\FUTR.DLL"
Mon 7 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP379\A0180495.sys"
Tue 8 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP379\A0181495.sys"
Wed 9 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP379\A0181525.sys"
Wed 9 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0181626.sys"
Thu 10 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0181643.sys"
Thu 10 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0181684.sys"
Thu 10 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0181759.sys"
Fri 11 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0182759.sys"
Fri 11 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0183760.sys"
Fri 11 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP380\A0183810.sys"
Fri 11 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP381\A0184118.sys"
Sat 12 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP381\A0184302.sys"
Sun 13 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP381\A0184520.sys"
Mon 14 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP381\A0184538.sys"
Mon 14 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP382\A0184695.sys"
Tue 15 Jul 2008 1,505 A.SH. --- "C:\System Volume Information\_restore{B258A826-5527-4815-B22B-7BD9E483ADD8}\RP382\A0184736.sys"
Tue 15 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5addd6f775e0368f244f62c739d66dd4\BIT4.tmp"
Mon 7 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\631bea423a2590540110f7e11fcbd692\BIT4.tmp"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\BIT3.tmp"
Sun 21 Aug 2005 28,672 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL0003.tmp"
Thu 21 Jul 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Tue 26 Jun 2007 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 21 Jul 2005 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

Thats the log from the scan :) My comp seems faster now and I haven't tried searching on google to see if it still redirects me but it said it deleted 10 trojan horses. Which shocked me :shock:

Thank you again for your help, you are a star! I will let you know if the search still redirects me or not.
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Shaba » July 15th, 2008, 2:47 pm

Hi

We are not done, please post also a fresh HijackThis log :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Log File

Unread postby Andy20 » July 15th, 2008, 3:00 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:00, on 15/07/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Support] sys32ms.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Support] sys32ms.exe (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/cli ... poti_x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} - http://208.98.1.71/talk.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5473 bytes

Just tried the Google search again... It redirects me still :shock: :(

How on earth does that get fixed lol, it's stubborn that's for sure!
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Shaba » July 15th, 2008, 3:18 pm

Hi

We didn't even attempt to fix that one yet, just removed bots and backdoors.

This is the next step:

We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Log File

Unread postby Andy20 » July 15th, 2008, 4:21 pm

Hi Shaba, i'm not sure why but when I click download on the service pack page it takes me to another page that says "Page cannot be displayed" Not sure if the same happens for you?
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Shaba » July 16th, 2008, 3:15 am

Hi

Then try this
link, please.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Log File

Unread postby Andy20 » July 16th, 2008, 5:24 pm

Thanks for the reply, I went onto that link and the page loaded up fine but again when I clicked the Download icon it said page cannot be displayed :( But my friend downloaded it to his computer then sent it to me over MSN and I have installed that service pack :)

You have no idea how much I appreciate this support, Thank you!! I hope that eventually my computer will be back the reliable self it once was :D

Just tried the windows update site you recomended and again I got this error...

The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

Read more about steps you can take to resolve this problem (error number 0x80072EE7) yourself.


For some reason my browser doesen't like going onto windows or microsoft websites, part of the spyware/malware possibly?
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Andy20 » July 16th, 2008, 9:50 pm

Thankfully I turned my automatic updates on for my computer and it has just downloaded what I hope is all the updates my computer needs for Windows...

Here is the new HijackThis log file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:48:10, on 17/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Support] sys32ms.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Support] sys32ms.exe (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/cli ... poti_x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} - http://208.98.1.71/talk.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5473 bytes
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Shaba » July 17th, 2008, 2:26 am

Hi

Great :)

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe

  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Log File

Unread postby Andy20 » July 17th, 2008, 10:17 am

Done that :)

Heres the text for the FixWareout...

Username "Owner" - 17/07/2008 15:01:39 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}
"nameserver"="85.255.116.167" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}C1C6605C0D0C-5F79-9F34-CAD1-E85295FC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}845A09D47413-9ACB-EB24-689C-B098A1D3{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}09236B0D8E20-A529-DA94-40E8-7BB20EBF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}44311D39345D-B50A-A3E4-CD30-9A2D33C5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}9F9FF39B8A94-58FA-6C24-FDDD-7A5A9454{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}B561FAA5C94E-8EB8-30C4-5EB6-E02F2814{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}C4D3287591BA-D2F8-2FA4-4A20-843E8FEC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}A0B83EBCF4F4-CF7A-DE74-4848-D1D981AC{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}72FA59B0471F-0928-7254-A1FF-D9C9285A{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}88F7E2D7892F-F91A-6B84-971B-F8844332{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}FA59D30CFDA5-02FB-0AE4-DEB1-D9ACACBA{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}07E1EC6A4932-36CB-0D64-9C5D-01B94E7E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F603654238DE-33EB-B294-D23E-AAF9141C{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}EC9D0E9C90C6-327A-7174-A61E-D8C09430{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}9AC2A91FDAF5-8459-3AE4-86F7-0E415664{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BAD8EA2D086A-5EB8-FAD4-55DD-D4653EC2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A0A4B1CA476C-DE98-B6B4-2495-2749FDE2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}4BF3975E7F7D-116A-31C4-4720-13E6BCC4{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}D218E9A1F166-8A48-4964-0258-9BA17CC8{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A126754C3196-0F9B-2454-73A4-F27D676D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F03D3D31A527-9A28-87D4-69E1-FAD6F167{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}523589B682FE-F0EA-1004-454D-4795EF2E{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B1136575971C-28F9-43C4-3FE4-58DEA3EE{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}03BD3545D581-204B-1584-5AA7-5C6564A5{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}13F6B49782C5-C488-05E4-428F-A68F3B37{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}038852E44417-C63B-9174-2A9C-0530C912{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}B4AB1F7FFEA6-B2EA-22E4-59B3-A601187B{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}F4C8A6D6588A-8F18-4B84-4360-D1EC2076{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2942C96E27C3-9D4A-CFA4-3FA1-61631833{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}52F4CE045D97-A108-5214-1A70-BE79D2AF{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BD83DE056D4C-EC09-71E4-DDCD-F0EB67F0{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}A94DCFA24BF2-DCEB-5F44-8C6E-732F5765{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}30F1B04EE79C-8CA8-CA34-15ED-AE367F2D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}CE3E6B58F5E4-BAFA-3154-55C9-62E23803{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}C73480030659-FAAA-2984-C02D-63C7DC34{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}BDD2A330023C-0D5A-2314-0725-95FAE951{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}05C2F7BEFC03-84DB-8C44-73CF-B9E3CA38{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}28BB0068EE6E-A6FB-7CC4-A296-002065E2{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}2CC0206E7901-1D29-CF64-35C4-3DC2DF8D{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\_r "}82FDA0344788-C468-BD54-88FA-D585A396{" Deleted
....
~~~~~ Misc files.
C:\WINDOWS\SYSTEM32\{03490C8D-E16A-4717-A723-6C09C9E0D9CE}.exe Deleted
C:\WINDOWS\SYSTEM32\{159EAF59-5270-4132-A5D0-C320033A2DDB}.exe Deleted
C:\WINDOWS\SYSTEM32\{219C0350-C9A2-4719-B36C-71444E258830}.exe Deleted
C:\WINDOWS\SYSTEM32\{2334488F-B179-48B6-A19F-F2987D2E7F88}.exe Deleted
C:\WINDOWS\SYSTEM32\{2CE3564D-DD55-4DAF-8BE5-A680D2AE8DAB}.exe Deleted
C:\WINDOWS\SYSTEM32\{2E560200-692A-4CC7-BF6A-E6EE8600BB82}.exe Deleted
C:\WINDOWS\SYSTEM32\{30832E26-9C55-4513-AFAB-4E5F85B6E3EC}.exe Deleted
C:\WINDOWS\SYSTEM32\{3D1A890B-C986-42BE-BCA9-31474D90A548}.exe Deleted
C:\WINDOWS\SYSTEM32\{4182F20E-6BE5-4C03-8BE8-E49C5AAF165B}.exe Deleted
C:\WINDOWS\SYSTEM32\{4549A5A7-DDDF-42C6-AF85-49A8B93FF9F9}.exe Deleted
C:\WINDOWS\SYSTEM32\{4CCB6E31-0274-4C13-A611-D7F7E5793FB4}.exe Deleted
C:\WINDOWS\SYSTEM32\{5675F237-E6C8-44F5-BECD-2FB42AFCD49A}.exe Deleted
C:\WINDOWS\SYSTEM32\{5A4656C5-7AA5-4851-B402-185D5453DB30}.exe Deleted
C:\WINDOWS\SYSTEM32\{5C33D2A9-03DC-4E3A-A05B-D54393D11344}.exe Deleted
C:\WINDOWS\SYSTEM32\{6702CE1D-0634-48B4-81F8-A8856D6A8C4F}.exe Deleted
C:\WINDOWS\SYSTEM32\{693A585D-AF88-45DB-864C-8874430ADF28}.exe Deleted
C:\WINDOWS\SYSTEM32\{A5829C9D-FF1A-4527-8290-F1740B95AF27}.exe Deleted
C:\WINDOWS\SYSTEM32\{CA189D1D-8484-47ED-A7FC-4F4FCBE38B0A}.exe Deleted
C:\WINDOWS\SYSTEM32\{CEF8E348-02A4-4AF2-8F2D-AB1957823D4C}.exe Deleted
C:\WINDOWS\SYSTEM32\{CF59258E-1DAC-43F9-97F5-C0D0C5066C1C}.exe Deleted
C:\WINDOWS\SYSTEM32\{D676D72F-4A37-4542-B9F0-6913C457621A}.exe Deleted
C:\WINDOWS\SYSTEM32\{E2FE5974-D454-4001-AE0F-EF286B985325}.exe Deleted
C:\WINDOWS\SYSTEM32\{E7E49B10-D5C9-46D0-BC63-2394A6CE1E70}.exe Deleted
C:\WINDOWS\SYSTEM32\{FA2D97EB-07A1-4125-801A-79D540EC4F25}.exe Deleted
C:\WINDOWS\SYSTEM32\{FBE02BB7-8E04-49AD-925A-02E8D0B63290}.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"dyfmvipo.exe"="C:\\Documents and Settings\\All Users\\Application Data\\dyfmvipo.exe"
"USB Storage Toolbox"="C:\\Program Files\\USB Disk Win98 Driver\\Res.EXE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Microsoft Works Update Detection"="\"C:\\Program Files\\Microsoft Works\\WkDetect.exe\""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Heres the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:41, on 17/07/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\notepad.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Microsoft Works\WkDetect.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Support] sys32ms.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Support] sys32ms.exe (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: Yahoo! Pool 2 - http://origin.games.yahoo.net/games/cli ... poti_x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} - http://208.98.1.71/talk.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 5539 bytes
Andy20
Regular Member
 
Posts: 15
Joined: July 12th, 2008, 12:01 pm

Re: Log File

Unread postby Shaba » July 17th, 2008, 10:20 am

Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [dyfmvipo.exe] C:\Documents and Settings\All Users\Application Data\dyfmvipo.exe
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Support] sys32ms.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Support] sys32ms.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B5D0846-148F-4BFD-BB40-B08FC4038CC6}: NameServer = 85.255.116.167 85.255.112.168
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)


Close all windows including browser and press fix checked.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed

Reboot.

Post back a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 270 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware