HijackThis log

Post by dsteel » August 2nd, 2009, 11:56 am

About two days ago my niece and her friends came over to my house for a sleep-over with her cousins. They were on the computer all night doing god-knows-what (guessing the usual MySpace, Facebook, Craigslist and eBay type of sites) and now my computer is doing all sorts of weird stuff. I've been getting redirected to previously visited websites, getting numerous popups for virus and malware removal program downloads, inability to visit many of the sites that I normally visit (Windows says it cannot display this page), and when I am able to get to it, it often redirects me to one of several search engines that I've never been to before. It's simply getting annoying; I'm surprised I was able to even get to this forum in the first place. Thanks for your help :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:53 AM, on 8/2/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Circle\VirtualCD\HvcdUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {54ebf3b9-70bc-4240-806f-dfa42ce39758} - C:\Windows\system32\yaladebe.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CircleVirtualCD] C:\Program Files\Circle\VirtualCD\HvcdUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HekkoVirtualCD] C:\Program Files\Circle\VirtualCD\HvcdUI.exe
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [wilitomazu] Rundll32.exe "C:\Windows\system32\hesujimi.dll",s
O4 - HKLM\..\Run: [CPMcdcad693] Rundll32.exe "c:\windows\system32\niwirove.dll",a
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\Windows\system32\gafobolo.dll c:\windows\system32\niwirove.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\niwirove.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\niwirove.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 8206 bytes
dsteel
Active Member
 
Posts: 4
Joined: August 2nd, 2009, 11:38 am

Re: HijackThis log

Post by Sharagoz » August 4th, 2009, 5:38 pm

Hello dsteel, welcome to MWR
Please take note of the following before we begin the cleaning process:
  • The whole process will usually take at least a week to complete, sometimes several weeks depending on the severity of the infection and how promptly you and I are able to reply, so please stay patient
  • Hang in there until I give you the 'All clean'. If you leave prematurely because your computer seems to be back to its old self, the risk of re-infection will be very high
  • Perform all actions in the order given
  • The instructions I give expect that you're using an account with administrator privileges and that the language of your operating system is English.
  • Don't be afraid to ask questions if something is unclear or you run into issues during cleaning steps
  • I recommend you read through each set of instructions before you actually perform them

The first thing you should do is to subscribe to this topic.
In the top left corner of your opening post there is a link called Subscribe topic. If you click it, you will be subscribed to this thread and will receive instant email notification of new replies. Most find that this works better than periodically checking back here to see if there are any new posts.

The second thing you should do is to take a backup of everything you have on the computer that's important not to lose.
I will do my best to ensure a safe removal procedure, but it does happen on rare occasions that computers do not make it through disinfection and must be reinstalled.

1) Download and run DDS by sUBs
  • Download DDS from one of the links below and save it to your desktop
    Link1 | Link2 | Link3
  • Double-click the file to run the tool
  • A black window will stay open while the tool runs
  • Wait for the scan to finish (this will only take a couple of minutes), and two logs to open in separate notepad documents
  • Include both these logs in your next reply

2) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply
Sharagoz
Retired Graduate
 
Posts: 985
Joined: February 22nd, 2008, 4:31 pm
Location: Norway
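As an added example (not part of this thread, nor of HijackThis or DDS), the Python script below parses HJT entry lines, flags the autostart locations an analyst checks first, and diffs the first log against the fresh one requested in step 2 so that a reply can say what has actually gone away. The sample input is excerpted from the two HijackThis logs posted in this thread; the flagging heuristics are the example's own assumptions, not rules from the site.

```python
"""Triage and diff HijackThis (HJT) logs.

Added example, not part of this thread or of HijackThis.  It parses the
"O2 - BHO: ..." / "O4 - HKLM\\..\\Run: ..." entry lines, flags entries in the
autostart locations an analyst checks first, and diffs the first log against
the fresh one requested in step 2.  The heuristics are this example's own.
"""
import re

# Every entry line has the shape "<letter><digits> - <body>" (O2, O4, R1, ...).
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
# Drive-letter path up to the first executable extension; non-greedy so a
# value listing several DLLs (AppInit_DLLs) yields each of them.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:dll|exe|sys)", re.IGNORECASE)
# A Run value that has rundll32 load something straight out of system32.
RUNDLL_SYS32 = re.compile(r"rundll32(\.exe)?\s+\"?[a-z]:\\windows\\system32\\", re.I)

# Autostart locations third-party software rarely has a legitimate reason to use.
HIGH_RISK = {
    "O20": "AppInit_DLLs: injected into every process that loads user32.dll",
    "O21": "ShellServiceObjectDelayLoad: loaded by Explorer at logon",
    "O22": "SharedTaskScheduler: loaded by Explorer at logon",
}

# Excerpts of the two HijackThis logs posted in this thread (trimmed).
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {54ebf3b9-70bc-4240-806f-dfa42ce39758} - C:\Windows\system32\yaladebe.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (file missing)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [wilitomazu] Rundll32.exe "C:\Windows\system32\hesujimi.dll",s
O4 - HKLM\..\Run: [CPMcdcad693] Rundll32.exe "c:\windows\system32\niwirove.dll",a
O20 - AppInit_DLLs: avgrsstx.dll C:\Windows\system32\gafobolo.dll c:\windows\system32\niwirove.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\niwirove.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\niwirove.dll
"""
LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
"""


def parse_hjt(text):
    """Return (section, body) pairs for every entry line in an HJT log."""
    out = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def key_of(sec, body):
    """Case- and whitespace-insensitive identity of an entry, used for diffing."""
    return sec + " " + re.sub(r"\s+", " ", body).lower()


def triage(sec, body):
    """Reasons an entry deserves a closer look (empty list: nothing noted)."""
    # Heuristics, not verdicts: a hit means "verify the file and its vendor";
    # legitimate entries such as a display driver's rundll32 line hit too.
    reasons = []
    if sec in HIGH_RISK:
        reasons.append(HIGH_RISK[sec])
    if sec == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a display name")
    if "(file missing)" in body:
        reasons.append("registry still points at a file that is gone")
    if sec == "O4" and RUNDLL_SYS32.search(body):
        reasons.append("Run entry loads a DLL from system32 through rundll32")
    return reasons


def compare_logs(before_text, after_text):
    """Flag entries in the first log and report which of them vanished."""
    before = {key_of(s, b): (s, b) for s, b in parse_hjt(before_text)}
    after = {key_of(s, b): (s, b) for s, b in parse_hjt(after_text)}
    flagged = {k: triage(*v) for k, v in before.items() if triage(*v)}
    return {
        "flagged": flagged,
        "resolved": sorted(k for k in flagged if k not in after),
        "remaining": sorted(k for k in flagged if k in after),
        "new": sorted(k for k in after if k not in before),
    }


def files_to_check(text):
    """Distinct paths referenced by flagged entries, for hash/vendor lookup."""
    paths = set()
    for sec, body in parse_hjt(text):
        if triage(sec, body):
            paths.update(p.lower() for p in PATH_RE.findall(body))
    return sorted(paths)


if __name__ == "__main__":
    result = compare_logs(LOG_BEFORE, LOG_AFTER)
    for key, reasons in result["flagged"].items():
        print("FLAG", key, "->", "; ".join(reasons))
    print("resolved:", len(result["resolved"]), "remaining:", result["remaining"])
    print("new in second log:", result["new"], "verify:", files_to_check(LOG_BEFORE))
```

The "remaining" bucket is the point of the diff: a flagged entry that survives the new log (here the NVIDIA rundll32 line) still needs its file and vendor verified before it is either cleared or acted on.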

Re: HijackThis log

Post by dsteel » August 5th, 2009, 3:33 pm

Hello Sharagoz, thanks for replying. Here are the requested scan logs.



DDS (Ver_09-07-30.01) - NTFSx86
Run by Shane at 12:26:44.10 on Wed 08/05/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.1943 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Circle\VirtualCD\HvcdUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Shane\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CircleVirtualCD] c:\program files\circle\virtualcd\HvcdUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HekkoVirtualCD] c:\program files\circle\virtualcd\HvcdUI.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe"
dRunOnce: [DefaultP17MIDI] MIDIDEF.EXE
dRunOnce: [DefaultP17] P17Def.Exe
StartupFolder: c:\users\shane\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-29 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-29 108552]
S1 HekkoVirtualCD;Hekko Virtual CD Driver;c:\windows\system32\drivers\hvcd.sys [2009-5-14 13184]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-8-28 10664]

=============== Created Last 30 ================

2009-08-02 08:24 <DIR> --d----- c:\program files\Trend Micro
2009-07-31 19:09 <DIR> --d----- c:\programdata\Yahoo! Companion
2009-07-31 19:09 <DIR> --d----- c:\program files\Yahoo!
2009-07-27 14:30 <DIR> --d----- c:\programdata\Turbine
2009-07-27 14:30 <DIR> --d----- c:\progra~2\Turbine
2009-07-27 14:30 <DIR> --d----- c:\program files\Turbine
2009-07-27 14:28 <DIR> --d----- c:\windows\system32\URTTEMP
2009-07-27 14:24 204 a------- C:\Plugins
2009-07-27 14:24 <DIR> --d----- c:\programdata\PMB Files
2009-07-27 14:24 <DIR> --d----- c:\progra~2\PMB Files
2009-07-27 14:24 <DIR> --d----- c:\program files\Pando Networks
2009-07-15 00:47 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 00:47 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 00:47 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 00:47 23,552 a------- c:\windows\system32\lpk.dll
2009-07-15 00:47 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-11 09:06 <DIR> --d----- c:\windows\system32\eu-ES
2009-07-11 09:06 <DIR> --d----- c:\windows\system32\ca-ES
2009-07-11 09:06 <DIR> --d----- c:\windows\system32\vi-VN
2009-07-11 09:05 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-07-11 08:55 218,624 a------- c:\windows\system32\wdscore.dll
2009-07-11 08:55 130,560 a------- c:\windows\system32\PkgMgr.exe
2009-07-11 08:55 247,808 a------- c:\windows\system32\drvstore.dll

==================== Find3M ====================

2009-07-21 14:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 14:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 14:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 13:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-18 09:45 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-11 09:12 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-11 09:12 86,016 a------- c:\windows\inf\infstor.dat
2009-07-11 09:12 51,200 a------- c:\windows\inf\infpub.dat
2009-07-11 09:06 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-01 09:22 11,952 a------- c:\windows\system32\avgrsstx.dll
2008-12-19 17:14 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:27:39.49 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 8/8/2007 1:19:08 PM
System Uptime: 8/5/2009 12:12:30 AM (12 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 | 2400/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 465 GiB total, 347.846 GiB free.
D: is CDROM (UDF)
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: Hekko Virtual CD
Device ID: ROOT\HEKKOVIRTUALCD\0000
Manufacturer:
Name: Hekko Virtual CD
PNP Device ID: ROOT\HEKKOVIRTUALCD\0000
Service: HekkoVirtualCD

==== System Restore Points ===================

RP560: 7/27/2009 2:28:21 PM - Installed Microsoft .NET Framework 1.1
RP562: 7/27/2009 2:56:48 PM - Installed DirectX
RP563: 7/29/2009 12:00:03 AM - Scheduled Checkpoint
RP564: 7/29/2009 3:00:10 AM - Windows Update
RP565: 7/29/2009 6:18:39 PM - Scheduled Checkpoint
RP566: 7/30/2009 3:00:09 AM - Windows Update
RP567: 7/30/2009 3:10:41 PM - Scheduled Checkpoint
RP568: 7/31/2009 6:05:10 AM - Windows Update
RP569: 8/1/2009 5:45:49 AM - Scheduled Checkpoint
RP570: 8/2/2009 12:00:03 AM - Scheduled Checkpoint
RP571: 8/2/2009 4:44:25 PM - Restore Operation
RP572: 8/2/2009 4:58:15 PM - Windows Update
RP573: 8/2/2009 5:13:26 PM - Windows Update
RP574: 8/3/2009 2:23:57 PM - Windows Update
RP576: 8/4/2009 6:49:00 AM - Windows Defender Checkpoint
RP577: 8/4/2009 6:52:34 PM - Scheduled Checkpoint
RP578: 8/5/2009 8:42:51 AM - Scheduled Checkpoint

==== Installed Programs ======================

7-Zip 4.65
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader 7.0.8
AGEIA PhysX v2.3.3
AVG 8.5
CCleaner (remove only)
CCScore
CDDRV_Installer
Cheat Engine 5.4
DAOC-Charplan
Digimax Master
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
GearBunny 1.98
Ghost Recon Advanced Warfighter
Google Toolbar for Internet Explorer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) 6 Update 13
Java(TM) 6 Update 2
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
KhalInstallWrapper
Kodak EasyShare software
KSU
Logitech Communications Manager
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
MSXML 4.0 SP2 (KB954430)
netbrdg
Notifier
NVIDIA Drivers
Oblivion
Oblivion - Construction Set
Oblivion mod manager 1.1.12
OfotoXMI
Pando Media Booster
PCDADDIN
PCDHELP
PowerDVD
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Samsung USB Driver
SFR
SHASTA
SKIN0001
SKINXSDK
Smart Defrag 1.20
staticcr
The Lord of the Rings Online(TM): Shadows of Angmar(TM) - Live
tooltips
Turbine Download Manager - Live
UnPacker 1,5,0,1909
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VirtualCD
VPRINTOL
WIRELESS

==== Event Viewer Messages From Past Week ========

8/5/2009 7:46:35 AM, Error: Service Control Manager [7034] - The Turbine Network Service - Live service terminated unexpectedly. It has done this 1 time(s).
8/5/2009 12:27:15 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avg8wd service.
8/4/2009 6:49:22 AM, Error: Microsoft-Windows-Windows Defender [3006] - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid= ... atid=14904 Scan ID: {2176A8CE-03C4-4788-AB13-A1FE85DDB0C8} User: Shane-PC\Shane Name: Adware:Win32/ZangoSearchAssistant ID: 14904 Severity ID: 2 Category ID: 1 Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
8/4/2009 3:54:51 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: HekkoVirtualCD i8042prt
8/4/2009 3:53:23 PM, Error: EventLog [6008] - The previous system shutdown at 3:51:10 PM on 8/4/2009 was unexpected.
8/4/2009 1:55:28 PM, Error: EventLog [6008] - The previous system shutdown at 1:53:32 PM on 8/4/2009 was unexpected.
8/4/2009 1:53:05 PM, Error: nvlddmkm [14] -
8/2/2009 4:55:38 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.63.422.0 Loading engine version: 1.1.4903.0
7/30/2009 1:26:25 PM, Error: EventLog [6008] - The previous system shutdown at 1:24:26 PM on 7/30/2009 was unexpected.
7/29/2009 4:09:47 PM, Error: EventLog [6008] - The previous system shutdown at 4:07:46 PM on 7/29/2009 was unexpected.

==== End Of File ===========================






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:49 PM, on 8/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Circle\VirtualCD\HvcdUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CircleVirtualCD] C:\Program Files\Circle\VirtualCD\HvcdUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HekkoVirtualCD] C:\Program Files\Circle\VirtualCD\HvcdUI.exe
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 7691 bytes

Re: HijackThis log

Unread postby Sharagoz » August 5th, 2009, 4:40 pm

We need to temporarily disable Windows Defender and User Account Control while we clean your computer, as these programs will interfere with the removal tools we use. We'll enable them again when your computer is clean.

1) Disable Windows Defender
  • Open Windows Defender
  • Select Tools and then General Settings
  • Scroll down, and under Real Time Protection Options uncheck Turn on real-time protection
  • Select Save

2) Temporarily disable UAC
You need to temporarily disable Vista's User Account Control, as it may interfere with some of the tools we use.
  • Click the Start button and then Control Panel
  • In the Control Panel's left-hand pane, make sure Control Panel Home is selected
  • In the right-hand pane, click User Accounts and Family Safety
  • Click User Accounts
  • Click Turn User Account Control on or off
  • If Use UAC to protect your computer doesn't have a checkmark, skip to the next step
  • If it does, remove the checkmark, press OK and then restart your computer

You need to temporarily disable AVG's Resident Shield before the next step.
  • Open the AVG interface
  • Click Components and then Resident Shield
  • Uncheck Resident Shield Active and click Save Changes

3) Download and run GMER
  • Download gmer.zip by GMER from here and extract it to a folder on your desktop
  • Double click on gmer.exe to launch the program
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning, click the Rootkit/Malware tab and then Scan
    (The scan typically takes around 30 minutes to complete)
  • Once the scan has finished, click copy
    (There is no message displayed when the scan is finished, it will simply stop going through files)
  • A log will now be copied to the clip board
  • Paste this log into your next reply

4) Download and run RootRepeal
  • Download RootRepeal from here
  • Extract RootRepeal.exe from the RAR file, and save it to your desktop
  • Run RootRepeal.exe
  • Click the Report tab at the bottom of the window
  • Click the Scan button, and in the Select Scan dialog, put a checkmark next to everything
  • Click the OK button and in the Select Drives dialog, put a checkmark next to every drive
  • Click OK to start the scan
  • RootRepeal will start scanning. Wait for it to finish. It can take a while depending on how many drives, how many files, how many folders, etc. Be patient.
  • When it finishes, click Save Report and save it somewhere you can easily find it, and then include this report in your next reply

Enable AVG's resident shield again, using similar steps as when you disabled it.

5) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
GMER log
RootRepeal log
New HJT log

Re: HijackThis log

Unread postby dsteel » August 5th, 2009, 7:04 pm

I can give you the GMER and HijackThis logs, but the RootRepeal program doesn't seem to work. It gives me the following error: FOPS - DeviceIoControlError! Error Code = 0xc0000001. When I try to run the scan it simply shuts down.


GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-05 15:56:22
Windows 6.0.6002 Service Pack 2


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!SetWindowsHookExW 76C287AD 5 Bytes JMP 70929521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!CallNextHookEx 76C28E3B 5 Bytes JMP 7091CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!UnhookWindowsHookEx 76C298DB 5 Bytes JMP 708943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!CreateWindowExW 76C31305 5 Bytes JMP 7092D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!DialogBoxParamW 76C510B0 5 Bytes JMP 708551FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!DialogBoxIndirectParamW 76C52EF5 5 Bytes JMP 70A23C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!DialogBoxParamA 76C68152 5 Bytes JMP 70A23BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!DialogBoxIndirectParamA 76C6847D 5 Bytes JMP 70A23C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!MessageBoxIndirectA 76C7D4D9 5 Bytes JMP 70A23B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!MessageBoxIndirectW 76C7D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!MessageBoxIndirectW 76C7D5D3 5 Bytes JMP 70A23AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!MessageBoxExA 76C7D639 5 Bytes JMP 70A23A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] USER32.dll!MessageBoxExW 76C7D65D 5 Bytes JMP 70A23A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] ole32.dll!OleLoadFromStream 776B1E12 5 Bytes JMP 70A23F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1516] ole32.dll!CoCreateInstance 776E9EA6 5 Bytes JMP 7092D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!SetWindowsHookExW 76C287AD 5 Bytes JMP 70929521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!CallNextHookEx 76C28E3B 5 Bytes JMP 7091CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!UnhookWindowsHookEx 76C298DB 5 Bytes JMP 708943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!CreateWindowExW 76C31305 5 Bytes JMP 7092D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxParamW 76C510B0 5 Bytes JMP 708551FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxIndirectParamW 76C52EF5 5 Bytes JMP 70A23C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxParamA 76C68152 5 Bytes JMP 70A23BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!DialogBoxIndirectParamA 76C6847D 5 Bytes JMP 70A23C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxIndirectA 76C7D4D9 5 Bytes JMP 70A23B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxIndirectW 76C7D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxIndirectW 76C7D5D3 5 Bytes JMP 70A23AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxExA 76C7D639 5 Bytes JMP 70A23A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] USER32.dll!MessageBoxExW 76C7D65D 5 Bytes JMP 70A23A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ole32.dll!OleLoadFromStream 776B1E12 5 Bytes JMP 70A23F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2560] ole32.dll!CoCreateInstance 776E9EA6 5 Bytes JMP 7092D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!CreateWindowExW 76C31305 5 Bytes JMP 7092D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxParamW 76C510B0 5 Bytes JMP 708551FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxIndirectParamW 76C52EF5 5 Bytes JMP 70A23C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxParamA 76C68152 5 Bytes JMP 70A23BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!DialogBoxIndirectParamA 76C6847D 5 Bytes JMP 70A23C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxIndirectA 76C7D4D9 5 Bytes JMP 70A23B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxIndirectW 76C7D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxIndirectW 76C7D5D3 5 Bytes JMP 70A23AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxExA 76C7D639 5 Bytes JMP 70A23A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5644] USER32.dll!MessageBoxExW 76C7D65D 5 Bytes JMP 70A23A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\rootrepeal \Device\RootRepeal A6F60202

AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:08 PM, on 8/5/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Circle\VirtualCD\HvcdUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Adobe Media Player\Adobe Media Player.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Users\Shane\Desktop\RootRepeal.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CircleVirtualCD] C:\Program Files\Circle\VirtualCD\HvcdUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HekkoVirtualCD] C:\Program Files\Circle\VirtualCD\HvcdUI.exe
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 7652 bytes

Re: HijackThis log

Unread postby dsteel » August 5th, 2009, 11:14 pm

Got it to work.


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/05 20:12
Program Version: Version 1.3.3.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: abmxaamy.sys
Image Path: C:\Users\Shane\AppData\Local\Temp\abmxaamy.sys
Address: 0xA6F4A000 Size: 82432 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x90E75000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x90E6A000 Size: 45056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA6F77000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings
Status: Locked to the Windows API!

Path: C:\ProgramData\Application Data
Status: Locked to the Windows API!

Path: C:\ProgramData\Desktop
Status: Locked to the Windows API!

Path: C:\ProgramData\Documents
Status: Locked to the Windows API!

Path: C:\ProgramData\Favorites
Status: Locked to the Windows API!

Path: C:\ProgramData\Start Menu
Status: Locked to the Windows API!

Path: C:\ProgramData\Templates
Status: Locked to the Windows API!

Path: C:\System Volume Information\{18347068-7f7b-11de-88d8-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{260672bf-7d47-11de-8718-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{30350836-7fbf-11de-b895-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{303508cd-7fbf-11de-b895-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4cfc2a2a-8015-11de-9b56-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4cfc2a3b-8015-11de-9b56-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8c26d4e4-8149-11de-a900-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8c26d4e9-8149-11de-a900-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8caa1edc-7d89-11de-8726-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8caa291b-7d89-11de-8726-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{8caa2932-7d89-11de-8726-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c0e81264-7568-11de-bf59-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c0e8129c-7568-11de-bf59-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c0e812cc-7568-11de-bf59-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c0e812d6-7568-11de-bf59-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{cbacda95-7c94-11de-932d-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{cbacdaac-7c94-11de-932d-001a4d9335c5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Users\All Users
Status: Locked to the Windows API!

Path: C:\Users\Default User
Status: Locked to the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1252 Status: Locked to the Windows API!

Hidden Services
-------------------
Service Name: rootrepeal
Image Path: C:\Windows\system32\drivers\rootrepeal.sys

==EOF==

Re: HijackThis log

Unread postby Sharagoz » August 6th, 2009, 3:38 pm

1) Fix bad entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a checkmark next to the below line (if it is still listed)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis

Disable AVG's resident shield before the next step.

2) Download and Run ComboFix
  • Visit this webpage for download links and instructions on how to properly run ComboFix:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
    Make sure you install the Recovery Console as instructed beforehand.
    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time and can be a lifesaver later.
    Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Run ComboFix as instructed by the tutorial. Normal scan time is 10-20 minutes. When ComboFix is finished running, a log will be opened. Include this log in your next reply.

Enable AVG's resident shield again.

3) Get a new HiJackThis log
  • Launch Hijackthis
  • Click on the Do a system scan and save a logfile button
  • HJT will run a scan and a log will open in Notepad
  • Include this log in your next reply

Logs I need:
ComboFix log
New HJT log
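Added example (mine, not from the thread or from HijackThis): a parser for the HJT log lines posted above, with a triage rule that surfaces O16 DPF entries lacking a control name (the shape of the entry the helper asks to fix in step 1) and a matcher that compares the defanged hxxp:// line in the instructions against the log. The sample log is a subset of the lines posted in this thread; the regexes and the triage rules are my own assumptions about the format, and a hit is a lead for review, not a malware verdict.

```python
"""Parse HijackThis 2.0.2 log lines into structured entries and apply two
small triage rules.  Added example for this thread; not HijackThis code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Every HJT finding has the shape "<section> - <body>", e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")

# Body grammars per section, as they appear in the logs posted in this thread.
BODY_RE = {
    # O2 BHO / O3 Toolbar:  "BHO: Name - {CLSID} - path"
    "O2": re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    # O4 autostart:  "HKLM\..\Run: [Label] command (User 'X')"   (user part optional)
    "O4": re.compile(r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run(?:Once)?): "
                     r"\[(?P<label>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"),
    # O16 DPF:  "DPF: {CLSID} (Control name) - url"   (the name is optional)
    "O16": re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$"),
    # O23 service:  "Service: Display name (short name) - Company - path"
    "O23": re.compile(r"^Service: (?P<display>.*) \((?P<short>[^()]+)\) - (?P<company>.*?) - (?P<path>.*)$"),
}
BODY_RE["O3"] = BODY_RE["O2"]


@dataclass
class Entry:
    section: str
    raw: str
    fields: dict = field(default_factory=dict)  # empty when the body grammar is unknown


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT finding line, or None for headers and blank lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = Entry(m["section"], line)
    rx = BODY_RE.get(entry.section)
    if rx:
        body = rx.match(m["body"])
        if body:
            entry.fields = body.groupdict()
    return entry


def parse_log(text: str) -> list[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def unnamed_dpf(entries: list[Entry]) -> list[Entry]:
    """O16 entries whose ActiveX control carries no descriptive name in parentheses.
    Named or not says nothing about intent by itself; it marks the entry for a look."""
    return [e for e in entries if e.section == "O16" and e.fields and not e.fields["name"]]


def pathless_autostarts(entries: list[Entry]) -> list[Entry]:
    """O4 Run entries whose command is a bare file name, so the binary is resolved
    through the search path and has to be located by hand before it can be judged."""
    return [e for e in entries if e.section == "O4" and e.fields and "\\" not in e.fields["cmd"]]


def same_finding(entry: Entry, posted_line: str) -> bool:
    """Match a log entry against a line a helper posted with a defanged URL
    (hxxp://), so the user can confirm which checkbox to tick in HJT."""
    def refang(s: str) -> str:
        return re.sub(r"\bhxxp(s?)://", r"http\1://", s.strip())
    return refang(entry.raw) == refang(posted_line)


# Constructed sample: a subset of the lines from the HJT log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [DefaultP17MIDI] MIDIDEF.EXE (User 'SYSTEM')
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... .0.1.1.cab
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(f"{len(found)} findings parsed")
    for e in unnamed_dpf(found):
        print("O16 without a control name:", e.fields["clsid"], e.fields["url"])
    for e in pathless_autostarts(found):
        print("O4 with a bare command:", e.fields["label"], "->", e.fields["cmd"])
```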

Re: HijackThis log

Unread postby NonSuch » August 13th, 2009, 1:59 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.





