Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Please help me with my Hijack log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Please help me with my Hijack log

Unread postby tetley » December 13th, 2007, 1:51 pm

Hello
Below please find my Hijackthis log. Any help you can give me would be greatly appreciated.
Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:00 AM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d06b3244] rundll32.exe "C:\WINDOWS\system32\ywlqanvh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0109965759
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAC8563D-0D70-41E9-8D15-EB86979CDCA0}: NameServer = 204.83.142.2,204.83.142.4
O21 - SSODL: E404Helper - {83ac11eb-c27d-43f0-aa5f-a30d5b7b7632} - e404d.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 4340 bytes
tetley
Active Member
 
Posts: 6
Joined: December 13th, 2007, 12:43 pm
Top
Advertisement
Register to Remove

Re: Please help me with my Hijack log

Unread postby Simon V. » December 14th, 2007, 5:18 pm

Hi :)

In the future, please run HijackThis in Normal Mode.

Step 1

Please download ATF Cleaner. Double-click on ATF-Cleaner.exe to start the program.

  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

Step 2

Please download Combofix:


Double-click on combofix.exe and follow the prompts.
When finished, it will produce a log for you. Save it to a convenient location.

Note: Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.

Step 3

Open HijackThis.

  • Click on the Config button.
  • Click on the Misc Tools button.
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Uninstall List (uninstall_list.txt)
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Top

Re: Please help me with my Hijack log

Unread postby tetley » December 14th, 2007, 11:17 pm

Hi

Thank you for getting back to me. Here's the info you've requested. However, I was not able to get the uninstall_list.txt for you. I followed your instructions but nothing happened with I clicked the save list button, the program seems to shut down. Notepad never came up at all. I did a control-alt-delete and nothing was running? Anything else I could try for that?

Here are the other results:

The Combofix.txt

Start Time= Fri 12/14/2007 21:03:32.43

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-12-14 20:56:20 80448 ( A.... ) "C:\WINDOWS\system32\dwnxylrm.dll"
2007-12-12 22:12:46 80448 ( A.... ) "C:\WINDOWS\system32\xiycujwt.dll"
2007-12-12 22:09:44 85568 ( A.... ) "C:\WINDOWS\system32\ywlqanvh.dll"
2007-12-11 20:03:24 80448 ( A.... ) "C:\WINDOWS\system32\ccsouljy.dll"
2007-12-11 19:54:16 ( .D... ) "C:\Program Files\Browser Hijack Recover"
2007-12-11 14:22:44 ( .D... ) "C:\Program Files\Trend Micro"
2007-12-10 20:56:48 ( .D... ) "C:\Documents and Settings\Isabelle\Application Data\DivX"
2007-12-10 20:03:24 80448 ( A.... ) "C:\WINDOWS\system32\tignfnhe.dll"
2007-12-10 20:00:36 85568 ( A.... ) "C:\WINDOWS\system32\rmfcmhym.dll"
2007-12-09 20:01:06 80448 ( A.... ) "C:\WINDOWS\system32\vsuqqvnp.dll"
2007-12-08 15:46:14 336992 ( A.... ) "C:\WINDOWS\system32\ssttr.dll"
2007-12-08 15:41:44 46592 ( A.... ) "C:\WINDOWS\system32\e404d.dll"
2007-12-08 15:41:30 ( .D... ) "C:\Program Files\Helper"
2007-12-08 15:41:18 54112 ( A.... ) "C:\WINDOWS\system32\xpdx.sys"
2007-12-08 15:41:18 54112 ( A.... ) "C:\WINDOWS\system32\xpdx.sys"
2007-12-08 15:41:16 57856 ( A.... ) "C:\pgdxf.exe"
2007-12-08 15:41:08 36352 ( A.... ) "C:\WINDOWS\system32\ljjkhfg.dll"
2007-12-04 07:04:28 837496 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2007-12-04 06:54:04 95608 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2007-12-02 17:00:06 18684536 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-11-13 05:31:12 60416 ( ..... ) "C:\WINDOWS\system32\tzchange.exe"
2007-10-30 17:42:28 3590656 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2007-10-29 16:43:04 1287680 ( A.... ) "C:\WINDOWS\system32\quartz.dll"
2007-10-29 04:04:04 350720 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2007-10-27 17:39:20 230912 ( A.... ) "C:\WINDOWS\system32\wmasf.dll"
2007-10-27 17:37:38 2109440 ( A.... ) "C:\WINDOWS\system32\wmvcore.dll"
2007-10-25 21:34:02 8460288 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2007-10-11 14:12:48 1468968 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2007-10-10 17:56:00 1159680 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2007-10-10 17:56:00 824832 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2007-10-10 17:56:00 671232 ( ..... ) "C:\WINDOWS\system32\mstime.dll"
2007-10-10 17:56:00 232960 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2007-10-10 17:56:00 105984 ( A.... ) "C:\WINDOWS\system32\url.dll"
2007-10-10 17:56:00 102400 ( ..... ) "C:\WINDOWS\system32\occache.dll"
2007-10-10 17:55:58 478208 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2007-10-10 17:55:58 193024 ( ..... ) "C:\WINDOWS\system32\msrating.dll"
2007-10-10 17:55:56 459264 ( A.... ) "C:\WINDOWS\system32\msfeeds.dll"
2007-10-10 17:55:56 267776 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
2007-10-10 17:55:56 52224 ( A.... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2007-10-10 17:55:56 44544 ( ..... ) "C:\WINDOWS\system32\iernonce.dll"
2007-10-10 17:55:56 27648 ( ..... ) "C:\WINDOWS\system32\jsproxy.dll"
2007-10-10 17:55:54 6065664 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
2007-10-10 17:55:52 384512 ( ..... ) "C:\WINDOWS\system32\iedkcs32.dll"
2007-10-10 17:55:52 383488 ( A.... ) "C:\WINDOWS\system32\ieapfltr.dll"
2007-10-10 17:55:52 230400 ( ..... ) "C:\WINDOWS\system32\ieaksie.dll"
2007-10-10 17:55:52 214528 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2007-10-10 17:55:52 153088 ( ..... ) "C:\WINDOWS\system32\ieakeng.dll"
2007-10-10 17:55:52 132608 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2007-10-10 17:55:52 124928 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2007-10-10 17:55:52 63488 ( A.... ) "C:\WINDOWS\system32\icardie.dll"
2007-10-10 04:59:40 70656 ( ..... ) "C:\WINDOWS\system32\ie4uinit.exe"
2007-10-10 04:59:40 13824 ( A.... ) "C:\WINDOWS\system32\ieudinit.exe"
2007-10-09 23:46:56 161792 ( ..... ) "C:\WINDOWS\system32\ieakui.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{7822058A-1C84-4A8A-979A-0B1189930CA6}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHmon03"="C:\\WINDOWS\\system32\\hphmon03.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AlcxMonitor"="ALCXMNTR.EXE"
"CXMon"="\"C:\\Program Files\\Hewlett-Packard\\PhotoSmart\\Photo Imaging\\Hpi_Monitor.exe\""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Fri 12/14/2007 21:04:42.56
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt



The newest Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:28 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0109965759
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAC8563D-0D70-41E9-8D15-EB86979CDCA0}: NameServer = 204.83.142.2,204.83.142.4
O21 - SSODL: E404Helper - {83ac11eb-c27d-43f0-aa5f-a30d5b7b7632} - e404d.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 4607 bytes


Thank you again for your time in trying to help me. Very much appreciated!
tetley
Active Member
 
Posts: 6
Joined: December 13th, 2007, 12:43 pm
Top

Re: Please help me with my Hijack log

Unread postby Simon V. » December 15th, 2007, 7:28 am

Hi :)

You are running a very old copy of Combofix. Please delete the one you currently have and download the newest version:


... then run the program again (see my previous post for instructions).

For the Uninstall List, please do the following:

Dwnload and install CCleaner.

  • Open CCleaner. In the Left Pane, click Tools.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save.
  • Exit Ccleaner by clicking on the X button in the upper right of the CCleaner window.

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the CCleaner Uninstall List (install.txt)
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Top

Re: Please help me with my Hijack log

Unread postby tetley » December 15th, 2007, 4:09 pm

Thank you again for the quick reply! Sorry about the version. The one I used for this scan seemed to be much more thorough. :-)

Here are the results you have now requested:

The ComboFix log:

ComboFix 07-12-15.5 - Isabelle 2007-12-15 13:51:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.723 [GMT -6:00]
Running from: C:\Documents and Settings\Isabelle\Desktop\combofix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Helper\superfinderusa.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ccsouljy.dll
C:\WINDOWS\system32\dwnxylrm.dll
C:\WINDOWS\system32\hvnaqlwy.ini
C:\WINDOWS\system32\ljjkhfg.dll
C:\WINDOWS\system32\myhmcfmr.ini
C:\WINDOWS\system32\rmfcmhym.dll
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini2
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\tignfnhe.dll
C:\WINDOWS\system32\vsuqqvnp.dll
C:\WINDOWS\system32\xiycujwt.dll
C:\WINDOWS\system32\xpdx.sys
C:\WINDOWS\system32\ywlqanvh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-12 22:10 . 2007-12-12 22:10 <DIR> d-------- C:\VundoFix Backups
2007-12-11 20:06 . 2007-12-12 22:06 354 --ahs---- C:\WINDOWS\system32\cbmorhjm.ini
2007-12-11 19:54 . 2007-12-11 19:54 <DIR> d-------- C:\Program Files\Browser Hijack Recover
2007-12-11 19:54 . 2007-12-11 19:54 0 --a------ C:\WINDOWS\system32\8104297.jun
2007-12-11 14:22 . 2007-12-11 14:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 23:03 . 2007-12-10 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-10 20:56 . 2007-12-10 20:56 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\DivX
2007-12-10 11:51 . 2007-12-10 11:53 <DIR> d-------- C:\Documents and Settings\Isabelle\.housecall6.6
2007-12-10 11:51 . 2007-12-10 11:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-09 20:04 . 2007-12-10 19:58 834,170 --ahs---- C:\WINDOWS\system32\yaoahibw.ini
2007-12-08 16:04 . 2007-12-08 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-08 15:41 . 2007-12-08 15:41 57,856 --a------ C:\pgdxf.exe
2007-12-08 15:41 . 2007-12-08 15:41 46,592 --a------ C:\WINDOWS\system32\e404d.dll
2007-12-08 15:41 . 2007-12-08 15:41 2 --a------ C:\-798280981
2007-11-26 20:27 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-26 20:27 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-26 20:27 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-26 20:27 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-26 20:27 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-26 20:27 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-26 20:27 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-26 20:27 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-26 20:27 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 05:04 --------- d-----w C:\Program Files\Lavasoft
2007-12-11 05:04 --------- d-----w C:\Documents and Settings\Isabelle\Application Data\Lavasoft
2007-12-11 05:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2005-10-25 02:10 17,144 ----a-w C:\Documents and Settings\Isabelle\Application Data\GDIPFONTCACHEV1.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 16:56 C:\WINDOWS\system32\rundll32.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"= {83ac11eb-c27d-43f0-aa5f-a30d5b7b7632} - e404d.dll [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHmon03"=C:\WINDOWS\system32\hphmon03.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"AlcxMonitor"=ALCXMNTR.EXE
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 23:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 13:57:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 13:58:55 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-14 21:04
.
2007-12-11 20:41:21 --- E O F ---



The CCleaner Uninstall List:
AC3Filter (remove only)
ACDSee
Ad-Aware 2007
Ad-aware 6 Personal
Adobe Flash Player ActiveX
Adobe Reader 7.0
avast! Antivirus
Browser Hijack Recover(BHR) 3.0
CCleaner (remove only)
CloneDVD 2.0
CoffeeCup Free FTP
CuteFTP 5.0 XP
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Copy Plus
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD X Rescue
dvdSanta 3.45
DVDXCopy Platinum 3.2.1
DVDXCopy Xpress 3.2.1
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart printer series (Remove only)
HP Share-to-Web
InterActual Player
InterVideo WinDVD 5
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
LimeWire 4.9.29
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Office XP Media Content
Microsoft Office XP Professional
MSN Messenger 7.0
Nero 6 Ultra Edition
NVIDIA Audio Driver
NVIDIA Drivers
NVIDIA Gart Driver
NVIDIA nForce Drivers
NVIDIA Windows 2000/XP Display Drivers
PartitionMagic Pro 6.0
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
The Da Vinci Code
TuneUp Utilities 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.7.1
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Diagnostic Tool
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086


The newest HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:22 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0109965759
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAC8563D-0D70-41E9-8D15-EB86979CDCA0}: NameServer = 204.83.142.2,204.83.142.4
O21 - SSODL: E404Helper - {83ac11eb-c27d-43f0-aa5f-a30d5b7b7632} - e404d.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 4887 bytes


Thank you again!

I'll wait for your next post!
tetley
Active Member
 
Posts: 6
Joined: December 13th, 2007, 12:43 pm
Top

Re: Please help me with my Hijack log

Unread postby Simon V. » December 15th, 2007, 5:00 pm

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

LimeWire 4.9.29

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code: Select all
File::

C:\WINDOWS\system32\cbmorhjm.ini
C:\WINDOWS\system32\yaoahibw.ini
C:\pgdxf.exe
C:\WINDOWS\system32\e404d.dll
C:\-798280981

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"E404Helper"=-


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Click on Start, then Control Panel. Double click on Add or Remove Programs.

Please remove the following program(s):

  • J2SE Runtime Environment 5.0
  • J2SE Runtime Environment 5.0 Update 1
  • J2SE Runtime Environment 5.0 Update 10
  • J2SE Runtime Environment 5.0 Update 3
  • J2SE Runtime Environment 5.0 Update 4
  • J2SE Runtime Environment 5.0 Update 6
  • Java(TM) 6 Update 2

Then download and install Java Runtime Environment (JRE) 6 Update 3.

Step 3

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner. On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 4

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Top

Re: Please help me with my Hijack log

Unread postby tetley » December 15th, 2007, 9:15 pm

Hello Again.

Thank you again for all your assistance.

Limewire has been removed. This computer belonged to someone else before I got it. I have never used Limewire, but it has now been deleted.

I have followed all of your latest instructions and here are the logs you have now requested.

The Combofix log:


ComboFix 07-12-15.5 - Isabelle 2007-12-15 17:07:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.730 [GMT -6:00]
Running from: C:\Documents and Settings\Isabelle\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\Isabelle\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\-798280981
C:\pgdxf.exe
C:\WINDOWS\system32\cbmorhjm.ini
C:\WINDOWS\system32\e404d.dll
C:\WINDOWS\system32\yaoahibw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-798280981
C:\pgdxf.exe
C:\WINDOWS\system32\cbmorhjm.ini
C:\WINDOWS\system32\e404d.dll
C:\WINDOWS\system32\yaoahibw.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-15 to 2007-12-15 )))))))))))))))))))))))))))))))
.

2007-12-15 14:00 . 2007-12-15 14:00 <DIR> d-------- C:\Program Files\CCleaner
2007-12-12 22:10 . 2007-12-12 22:10 <DIR> d-------- C:\VundoFix Backups
2007-12-11 19:54 . 2007-12-11 19:54 <DIR> d-------- C:\Program Files\Browser Hijack Recover
2007-12-11 19:54 . 2007-12-11 19:54 0 --a------ C:\WINDOWS\system32\8104297.jun
2007-12-11 14:22 . 2007-12-11 14:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-10 23:03 . 2007-12-10 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-10 20:56 . 2007-12-10 20:56 <DIR> d-------- C:\Documents and Settings\Isabelle\Application Data\DivX
2007-12-10 11:51 . 2007-12-10 11:53 <DIR> d-------- C:\Documents and Settings\Isabelle\.housecall6.6
2007-12-10 11:51 . 2007-12-10 11:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-08 16:04 . 2007-12-08 16:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-11-26 20:27 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-26 20:27 . 2007-04-17 03:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-26 20:27 . 2007-03-07 23:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-26 20:27 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-26 20:27 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-26 20:27 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-26 20:27 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-26 20:27 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-26 20:27 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 06:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-11 05:04 --------- d-----w C:\Program Files\Lavasoft
2007-12-11 05:04 --------- d-----w C:\Documents and Settings\Isabelle\Application Data\Lavasoft
2007-12-11 05:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-10-25 02:10 17,144 ----a-w C:\Documents and Settings\Isabelle\Application Data\GDIPFONTCACHEV1.DAT
2001-08-23 12:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-03 22:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-03 22:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-03 22:56 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-03 22:56 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-03 22:56 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-03 22:56 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-03 22:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-15_13.58.17.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-15 19:57:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
+ 2007-12-15 23:03:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 16:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 16:56 C:\WINDOWS\system32\rundll32.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HPHmon03"=C:\WINDOWS\system32\hphmon03.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"AlcxMonitor"=ALCXMNTR.EXE
"CXMon"="C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 Dot4 HPH09;Dot4 HPH09;C:\WINDOWS\system32\DRIVERS\hphid409.sys
R3 Dot4Print HPH09;Print Class Driver for IEEE-1284.4 HPH09;C:\WINDOWS\system32\DRIVERS\hphipr09.sys
R3 Dot4Storage HPH09;Storage Class Driver for IEEE-1284.4 (HPH09);C:\WINDOWS\system32\Drivers\hphs2k09.sys
R3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 23:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 17:08:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-15 17:09:23
C:\ComboFix2.txt ... 2007-12-15 13:58
C:\ComboFix3.txt ... 2007-12-14 21:04
.
2007-12-11 20:41:21 --- E O F ---


The Kaspersky Online Scan Report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 15, 2007 7:09:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/12/2007
Kaspersky Anti-Virus database records: 483501
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
N:\

Scan Statistics:
Total number of scanned objects: 38941
Number of viruses found: 11
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 00:31:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Cathy\Shared\The Pacifier 1of2.avi Object is locked skipped
C:\Documents and Settings\Cathy\Shared\The Pacifier 2of2.avi Object is locked skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\2[1].htm.bac_a01800 Infected: Trojan-Downloader.Win32.Agent.fsj skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\upd32_v14[1].bac_a01800 Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\WPatcherP5575987.zip.bac_a01800/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\WPatcherP5575987.zip.bac_a01800/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\WPatcherP5575987.zip.bac_a01800/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\WPatcherP5575987.zip.bac_a01800 ZIP: infected - 3 skipped
C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\WPatcherP5575987.zip.bac_a01800 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Isabelle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Isabelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Isabelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Isabelle\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Isabelle\Local Settings\History\History.IE5\MSHist012007121520071216\index.dat Object is locked skipped
C:\Documents and Settings\Isabelle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Isabelle\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Isabelle\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\qoobox\Quarantine\C\pgdxf.exe.vir Infected: Trojan.Win32.Agent.dgt skipped
C:\qoobox\Quarantine\C\Program Files\Helper\superfinderusa.dll.vir Infected: Trojan.Win32.BHO.adh skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ccsouljy.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\dwnxylrm.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\e404d.dll.vir Infected: Trojan-Downloader.Win32.Agent.fsi skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rmfcmhym.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\tignfnhe.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vsuqqvnp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xiycujwt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ywlqanvh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\qoobox\Quarantine\catchme2007-12-15_135724.73.zip/xpdx.sys Infected: Backdoor.Win32.Agent.dbu skipped
C:\qoobox\Quarantine\catchme2007-12-15_135724.73.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP387\A0037057.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP391\A0037340.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP391\A0038357.exe Infected: Trojan.Win32.Inject.nr skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP391\A0038359.exe/data.rar/patch.exe Infected: Trojan.Win32.Inject.nr skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP391\A0038359.exe/data.rar/crack.exe Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP391\A0038359.exe/data.rar Infected: Trojan.Win32.Inject.ks skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP391\A0038359.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038387.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038388.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038390.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038391.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038392.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038393.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP393\A0038396.dll Infected: Trojan.Win32.BHO.adh skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP394\A0038456.exe Infected: Trojan.Win32.Agent.dgt skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP394\A0038458.dll Infected: Trojan-Downloader.Win32.Agent.fsi skipped
C:\System Volume Information\_restore{4635E27B-B975-463C-9AE8-FFE9D5441BAD}\RP402\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{01549C58-0A84-4E99-ACB7-59344B8B5795}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_47c.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


And the newest HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:04 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0109965759
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAC8563D-0D70-41E9-8D15-EB86979CDCA0}: NameServer = 204.83.142.2,204.83.142.4
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 5090 bytes


I'll wait for your next reply.

Thank you again!
tetley
Active Member
 
Posts: 6
Joined: December 13th, 2007, 12:43 pm
Top

Re: Please help me with my Hijack log

Unread postby Simon V. » December 16th, 2007, 6:44 am

Hi :)

Step 1

Open HijackThis, perform a scan and put a check next to the following items:

Note: Only fix the following items if you, your system administrator, or Spybot Search and Destroy haven't set these restrictions.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all programs except HijackThis and click on Fix checked.

Step 2

Navigate to the following files/folders using Windows Explorer and delete them when found:

C:\Documents and Settings\Isabelle\.housecall6.6\Quarantine\ <-- Delete everything inside of this folder, not the folder itself!

Step 3

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Image

  • When shown the disclaimer, select 2.

In your next reply, let me know how your computer is running.
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Top

Re: Please help me with my Hijack log

Unread postby tetley » December 16th, 2007, 3:24 pm

Hello again!

All I can say is WOW! What a difference. That computer has never been so fast!

I can tell you however that when I did the Combofix /u, I never did get a select, it just came up and said Combofix had been uninstalled.

Also, my main reason for contacting you was my ISP provider had put a block on my modem as I was sending spam over the world. Also, whever I went into Internet Explorer, I was constantly getting pop-ups and being redirected to some uninviting websites. I have had the computer "off-line" while I have been communicating with you, however I did put it online to run the Kaspersky online scanner. I have now left the computer online and will monitor it today as I'm sure my ISP will be doing as well.

Are you saying the computer is now "clean" and virus free? I am concerned about the viruses found in the Kaspersky log.

How can I ever thank you for all your help? You have been a life saver and I can't thank you enough! Also, what can I do in the future so this doesn't happen again?

Again, thank you!

Your help has been much appreciated!
tetley
Active Member
 
Posts: 6
Joined: December 13th, 2007, 12:43 pm
Top

Re: Please help me with my Hijack log

Unread postby Simon V. » December 16th, 2007, 4:15 pm

Hi :)

You're very welcome, I'm glad to hear your computer is running OK again :D

Are you saying the computer is now "clean" and virus free? I am concerned about the viruses found in the Kaspersky log.

Yes, your logs look clean. The virusses found by Kaspersky were either in the backups folder of Combofix (which we removed by uninstalling it) or in the quarantine folder of Housecall. Nothing to worry about ;)

How can I ever thank you for all your help? You have been a life saver and I can't thank you enough!

This isn't obligatory of course, as the service we provide is still free, but you can always donate to keep this site alive.

Also, what can I do in the future so this doesn't happen again?

Follow these simple steps to keep your computer clean in the future:

Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

Step 1: Turn off System Restore:

  • On the desktop, right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Check Turn off System Restore
  • Click Apply, and then click OK

Step 2: Reboot your computer.

Step 3: Turn on System Restore:

  • On the desktop, right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Uncheck Turn off System Restore
  • Click Apply, and then click OK

Note: Only do this once, NOT on a regular basis!

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your Anti-Virus Software - It is very imprtant that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that will come out.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Top

Re: Please help me with my Hijack log

Unread postby tetley » December 16th, 2007, 8:38 pm

Well thank you again for all your help and patience with me.

I have made a small donation. I only wish it could be more.

You do good work.

Thank you!

:D
tetley
Active Member
 
Posts: 6
Joined: December 13th, 2007, 12:43 pm
Top

Re: Please help me with my Hijack log

Unread postby silver » December 17th, 2007, 3:45 am

Glad we could be of assistance and on behalf of the site thank you for the donation :)



This topic is now closed. If you wish it reopened, please send an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Top
Advertisement
Register to Remove
Topic locked

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 118 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index