Free Malware Removal Forum

[dumbcomputer2]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:09 AM, on 8/30/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PC Tools Firewall Plus\PCTFW.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTools FW] C:\Program Files\PC Tools Firewall Plus\PCTFW.exe /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [A00F24129C9.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F24129C9.exe
O4 - HKCU\..\Run: [A00F2AFA133.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F2AFA133.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0729801723
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0731039329
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_ ... loader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47F90953-3B2C-41BF-88A4-6DBA5C65B9C0}: NameServer = 85.255.116.132,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E1688C5-69F0-42D8-8FB0-01A555428BEE}: NameServer = 216.165.129.157,216.170.153.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.132 85.255.112.180
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.132 85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.132 85.255.112.180
O20 - Winlogon Notify: __c00AC82E - C:\WINNT\system32\__c00AC82E.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--
End of file - 5175 bytes


as far as the problem sometimes when I open up the internet it will redirect me to a site that wants me to purchase things sometimes the problem lasts until I resart the cumputer, just got hijack this today, but I don't know how to read what any of this is, don't want to delete anything I'll need.

[Dakeyras]

Hi dumbcomputer2 and welcome to Malware Removal .

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of six things:

• I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!.
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Extra note: Please be aware as I am still in training all of my fixes/posts require prior checking by a Expert. So some delays may be inevitable, please be patient and I will reply again asap.

[Dakeyras]

Hi dumbcomputer2

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin;
follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Post back the contents of the logfile C:\fixwareout\report.txt.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.

Next:

Please re-open HiJackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O4 - HKCU\..\Run: [A00F24129C9.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F24129C9.exe
O4 - HKCU\..\Run: [A00F2AFA133.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F2AFA133.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
017 - HKLM\System\CCS\Services\Tcpip\..\{47F90953-3B2C-41BF-88A4-6DBA5C65B9C0}: NameServer = 85.255.116.132,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E1688C5-69F0-42D8-8FB0-01A555428BEE}: NameServer = 216.165.129.157,216.170.153.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.132 85.255.112.180
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.132 85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.132 85.255.112.180
O20 - Winlogon Notify: __c00AC82E - C:\WINNT\system32\__c00AC82E.dat

Now click on Fix Checked. Close HiJackThis.

Next click Start >> Run and type cleanmgr in the box and press OK.

• Ensure the boxes for Temporary Files, Temporary Internet Files and Recycle Bin are checked.
• You can choose to check other boxes if you wish but they are not required.
• Click on OK then Yes.
• Now Reboot(restart) your computer.

Next:

1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
2. Double click on mbam-setup.exe to install it.
3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
   Update Malwarebytes' Anti-Malware
   Launch Malwarebytes' Anti-Malware
4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
6. Leave the default options as it is and click on Start Scan.
7. When done, you will be prompted. Click OK, then click on Show Results.
8. Checked (ticked) all items except items in the C:\System Volume Information folder and click on Remove Selected.
   
   
   
9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Next:

I would like to view a list of currently installed software applications on you're PC. How to provide as follows:

Run HJT and click on Open the Misc Tools section.

• Click Open Uninstall Manager...
• Click Save list... and save it to your Desktop.
• Copy and paste the file uninstall_list.txt into your next reply.

When completed the above, please post back the following:

• Fixwareout Report.
• Malwarebytes Anti-malware Log.
• Uninstall list.
• A new HijackThis Log.

[Dakeyras]

Hi

Do you still require assistance?

[Shaba]

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.