Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

This computer is tore up


  • Please log in to reply

#1
Kl0wN

Kl0wN

    Member

  • Member
  • PipPip
  • 27 posts
This computer has eveyrthing. It's not even giving me a full hijackthis log. (It isnt my computer, its my sisters)

This is what im getting from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:08 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lauren2\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lauren2\Desktop\CleanUp.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: InfoDocReader Object - {295BA105-3506-4D25-B0DD-54346320BDC5} - C:\WINDOWS\system32\awvvs.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

When I press ctrl+alt+del it shows Processes: 35..bu I only see like 4..
please help
I also see like Winantivirus pop up too. (I did vundofix in past..

Edit -- I see iexplore.exe and its not even open..

Edited by Kl0wN, 03 September 2006 - 04:05 PM.

  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#3
Kl0wN

Kl0wN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Sam, thanks for answering :whistling:

Here is 2 scan logs -

I removed all the files except for awvvs.dll, rebooted, removed that, and now I think Vundo is gone, but I am not sure. Anyways here is the logs

C:\Vundofix.txt:



VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.5

Scan started at 6:15:11 PM 9/3/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awvvs.dll
C:\WINDOWS\SYSTEM32\svvwa.ini
C:\WINDOWS\SYSTEM32\svvwa.bak1
C:\WINDOWS\SYSTEM32\svvwa.bak2
C:\WINDOWS\SYSTEM32\svvwa.ini2
C:\WINDOWS\SYSTEM32\svvwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awvvs.dll
C:\WINDOWS\SYSTEM32\awvvs.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\svvwa.ini
C:\WINDOWS\SYSTEM32\svvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\svvwa.bak1
C:\WINDOWS\SYSTEM32\svvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\svvwa.bak2
C:\WINDOWS\SYSTEM32\svvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\svvwa.ini2
C:\WINDOWS\SYSTEM32\svvwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\svvwa.tmp
C:\WINDOWS\SYSTEM32\svvwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.5

Scan started at 6:34:17 PM 9/3/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\awvvs.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\awvvs.dll
C:\WINDOWS\SYSTEM32\awvvs.dll Has been deleted!

Performing Repairs to the registry.
Done!




here is HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:08 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe



i still dont know why it isnt showing like a full HJt log or something..
Im noticing that the computer is getting a bit faster, was very slow before. :blink:

Edited by Kl0wN, 03 September 2006 - 07:44 PM.

  • 0

#4
Kl0wN

Kl0wN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
bump..
  • 0

#5
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
No need to bump. I work during the day and I respond to logs in the evening, so I respond as quickly as possible.

Let's get a look at a more detailed log and see what's really going on here.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#6
Kl0wN

Kl0wN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Sorry Sam. :whistling:

The other computer's internet is out, and not working. It connects to my wireless router.

Here is the 2 logs --

Logfile of HijackThis v1.99.1
Scan saved at 2:57:01 PM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PSHope] "C:\Program Files\PSHope\PSHope.exe"
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157405387343
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe



and


Lauren - 06-09-06 14:51:37.78
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Lauren\Desktop

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Guest\Application Data\Sskcwrd.dll
C:\Documents and Settings\Guest\Application Data\Sskknwrd.dll
C:\Documents and Settings\Guest\Application Data\Sskuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\BattyRun.dll
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys


((((((((((((((((((((((((((((((( Files Created from 2006-08-03 to 2006-09-03 ))))))))))))))))))))))))))))))))))


2006-09-03 18:33 1,492 --a------ C:\WINDOWSvundofix.reg
2006-09-03 17:57 102,420 --a------ C:\WINDOWS\SYSTEM32\qmgtxqro.dll
2006-09-03 17:46 102,420 --a------ C:\WINDOWS\SYSTEM32\elvphnqu.dll
2006-09-02 19:30 102,420 --a------ C:\WINDOWS\SYSTEM32\exwsmkmi.dll
2006-09-02 02:12 102,420 --a------ C:\WINDOWS\SYSTEM32\vpmnkvxp.dll
2006-09-01 02:10 102,420 --a------ C:\WINDOWS\SYSTEM32\tdrqbfle.dll
2006-08-30 13:39 102,420 --a------ C:\WINDOWS\SYSTEM32\lmvleyee.dll
2006-08-29 13:38 13,844 --a------ C:\WINDOWS\SYSTEM32\ulsmsrum.exe
2006-08-29 13:38 102,420 --a------ C:\WINDOWS\SYSTEM32\fvkvxhub.dll
2006-08-28 13:36 13,844 --a------ C:\WINDOWS\SYSTEM32\wwbnkbhl.exe
2006-08-28 13:36 102,420 --a------ C:\WINDOWS\SYSTEM32\egigkmtv.dll
2006-08-27 02:31 13,844 --a------ C:\WINDOWS\SYSTEM32\jgxgkttp.exe
2006-08-27 02:31 102,420 --a------ C:\WINDOWS\SYSTEM32\iebwdybe.dll
2006-08-26 02:30 13,844 --a------ C:\WINDOWS\SYSTEM32\ciatiflt.exe
2006-08-26 02:30 102,420 --a------ C:\WINDOWS\SYSTEM32\uuavaugw.dll
2006-08-25 02:29 13,844 --a------ C:\WINDOWS\SYSTEM32\ggtsccmp.exe
2006-08-25 02:29 102,420 --a------ C:\WINDOWS\SYSTEM32\nrchpvht.dll
2006-08-23 07:23 13,844 --a------ C:\WINDOWS\SYSTEM32\wlulhufp.exe
2006-08-23 07:23 102,420 --a------ C:\WINDOWS\SYSTEM32\awsrvixg.dll
2006-08-22 07:20 13,844 --a------ C:\WINDOWS\SYSTEM32\wamqkqut.exe
2006-08-22 07:20 102,420 --a------ C:\WINDOWS\SYSTEM32\miwagxvv.dll
2006-08-21 07:19 102,420 --a------ C:\WINDOWS\SYSTEM32\ayqhttkb.dll
2006-08-20 11:32 102,420 --a------ C:\WINDOWS\SYSTEM32\fjkksbat.dll
2006-08-19 18:22 102,420 --a------ C:\WINDOWS\SYSTEM32\ickfxdkg.dll
2006-08-19 10:29 102,420 --a------ C:\WINDOWS\SYSTEM32\ygjgehah.dll
2006-08-19 10:19 102,420 --a------ C:\WINDOWS\SYSTEM32\mcnatcus.dll
2006-08-18 10:28 102,420 --a------ C:\WINDOWS\SYSTEM32\wlxdrttp.dll
2006-08-18 10:27 13,844 --a------ C:\WINDOWS\SYSTEM32\ijaagjxj.exe
2006-08-18 10:18 13,844 --a------ C:\WINDOWS\SYSTEM32\mktbjekc.exe
2006-08-18 10:18 102,420 --a------ C:\WINDOWS\SYSTEM32\ekmjrqlb.dll
2006-08-18 10:13 13,844 --a------ C:\WINDOWS\SYSTEM32\gmwyabgw.exe
2006-08-18 10:13 102,420 --a------ C:\WINDOWS\SYSTEM32\ofjwwjap.dll
2006-08-18 01:25 13,844 --a------ C:\WINDOWS\SYSTEM32\ffxaobxe.exe
2006-08-18 01:24 102,420 --a------ C:\WINDOWS\SYSTEM32\fwwdkrio.dll
2006-08-18 00:21 13,844 --a------ C:\WINDOWS\SYSTEM32\hijluupd.exe
2006-08-18 00:21 102,420 --a------ C:\WINDOWS\SYSTEM32\uxqkjkdq.dll
2006-08-16 18:03 12,820 --a------ C:\WINDOWS\SYSTEM32\ydgrbqfy.exe
2006-08-16 18:03 12,308 --a------ C:\WINDOWS\SYSTEM32\vrrbpdle.exe
2006-08-16 18:03 12,308 --a------ C:\WINDOWS\SYSTEM32\rgxxxtek.exe
2006-08-16 18:03 102,420 --a------ C:\WINDOWS\SYSTEM32\buufsshx.dll
2006-08-15 01:12 102,420 --a------ C:\WINDOWS\SYSTEM32\jtxhqcfn.dll
2006-08-14 10:59 102,420 --a------ C:\WINDOWS\SYSTEM32\bipqljva.dll
2006-08-14 10:57 102,420 --a------ C:\WINDOWS\SYSTEM32\demioawe.dll
2006-08-14 00:30 102,420 --a------ C:\WINDOWS\SYSTEM32\akdyutbj.dll
2006-08-13 13:48 102,420 --a------ C:\WINDOWS\SYSTEM32\ahcjpohn.dll
2006-08-13 12:07 102,420 --a------ C:\WINDOWS\SYSTEM32\vitjipey.dll
2006-08-13 00:09 102,420 --a------ C:\WINDOWS\SYSTEM32\drwfyfpy.dll
2006-08-12 22:59 102,420 --a------ C:\WINDOWS\SYSTEM32\swwmibhu.dll
2006-08-12 19:30 102,420 --a------ C:\WINDOWS\SYSTEM32\bmmillbb.dll
2006-08-12 17:04 102,420 --a------ C:\WINDOWS\SYSTEM32\frgsvvbi.dll
2006-08-11 15:00 274,432 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2006-08-11 14:54 102,420 --a------ C:\WINDOWS\SYSTEM32\jystkxsd.dll
2006-08-11 08:21 102,420 --a------ C:\WINDOWS\SYSTEM32\xjxllfem.dll
2006-08-10 23:55 102,420 --a------ C:\WINDOWS\SYSTEM32\lhqwxjbf.dll
2006-08-10 08:19 102,420 --a------ C:\WINDOWS\SYSTEM32\okykreqf.dll
2006-08-09 22:03 102,420 --a------ C:\WINDOWS\SYSTEM32\vgkidxwm.dll
2006-08-09 02:15 102,420 --a------ C:\WINDOWS\SYSTEM32\mdmnnvnp.dll
2006-08-08 02:12 102,420 --a------ C:\WINDOWS\SYSTEM32\tmqbhmmi.dll
2006-08-06 13:09 102,420 --a------ C:\WINDOWS\SYSTEM32\ncxwaifu.dll
2006-08-05 10:59 102,420 --a------ C:\WINDOWS\SYSTEM32\xxlvnjti.dll
2006-08-03 01:03 102,420 --a------ C:\WINDOWS\SYSTEM32\efippnll.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-06 14:52 -------- d-------- C:\Program Files\Common Files
2006-09-06 14:50 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-05 00:37 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-04 19:21 -------- d-------- C:\Program Files\Skype
2006-09-04 17:44 -------- d-------- C:\Program Files\Internet Explorer
2006-09-04 17:41 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-09-03 21:48 -------- d-------- C:\Program Files\FrostWire
2006-09-03 21:47 -------- d-------- C:\Program Files\Hijackthis
2006-09-03 21:45 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-09-03 17:56 -------- d-------- C:\Program Files\CleanUp!
2006-08-19 22:46 -------- d-------- C:\Documents and Settings\Lauren\Application Data\FrostWire
2006-08-17 21:11 -------- d-------- C:\Program Files\ESET
2006-08-11 14:59 502368 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2006-08-11 14:33 -------- d-------- C:\Program Files\AIM
2006-08-11 14:28 -------- d-------- C:\Program Files\AOL
2006-08-11 14:21 -------- d-------- C:\Documents and Settings\Lauren\Application Data\Lavasoft
2006-08-07 04:28 -------- d-------- C:\Program Files\America Online 9.0
2006-08-05 22:46 -------- d-------- C:\Program Files\Common Files\32vegas
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-24 16:03 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-22 01:17 98324 --a------ C:\WINDOWS\SYSTEM32\jqpkuqlp.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-19 11:29 98324 --a------ C:\WINDOWS\SYSTEM32\pgeguomk.dll
2006-07-18 20:06 -------- d-------- C:\Program Files\MSN
2006-07-18 20:03 -------- d-------- C:\Program Files\Online Services
2006-07-14 01:18 98324 --a------ C:\WINDOWS\SYSTEM32\hmhbnljr.dll
2006-07-12 17:46 98324 --a------ C:\WINDOWS\SYSTEM32\shexbxpm.dll
2006-07-12 04:35 -------- d-------- C:\Program Files\Ventrilo
2006-07-12 04:35 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-07-12 00:56 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-07-11 03:14 -------- d-------- C:\Program Files\Opera
2006-07-06 11:39 -------- d-------- C:\Program Files\Batty
2006-06-30 19:23 679956 --a------ C:\WINDOWS\SYSTEM32\hnvdhumx.dll
2006-06-30 18:10 679956 --a------ C:\WINDOWS\SYSTEM32\auytkwbt.dll
2006-06-29 01:00 69632 --a------ C:\WINDOWS\SYSTEM32\mefbbomn.dll
2006-06-28 12:57 98324 --a------ C:\WINDOWS\SYSTEM32\yxwfhhvm.dll
2006-06-27 06:42 98324 --a------ C:\WINDOWS\SYSTEM32\jfhriiat.dll
2006-06-16 03:46 69632 --a------ C:\WINDOWS\SYSTEM32\fpnckfka.dll
2006-06-16 03:45 69632 --a------ C:\WINDOWS\SYSTEM32\gamcnbkh.dll
2006-06-03 23:45 69632 --a------ C:\WINDOWS\SYSTEM32\mocedcek.dll
2006-06-03 23:42 69632 --a------ C:\WINDOWS\SYSTEM32\kcofjkma.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"TuneUp MemOptimizer"="\"C:\\Program Files\\TuneUp Utilities 2006\\MemOptimizer.exe\" autostart"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PSHope"="\"C:\\Program Files\\PSHope\\PSHope.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{ADCD30FF-0119-4906-8A8B-D52D1EED044B}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SysProtect]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syp"
"hkey"="HKLM"
"command"="C:\\Program Files\\SysProtect\\syp.exe /scan"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"TUWinStylerThemeSvc"=dword:00000003
"SymWSC"=dword:00000002
"AOL ACS"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1134848851\\ee\\AOLSoftware.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: Wed 09/06/2006 14:54:54.06
ComboFix.txt



--
-Nate :blink:

Edited by Kl0wN, 06 September 2006 - 01:00 PM.

  • 0

#7
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your Combofix log shows quite a bit more malware.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O4 - HKCU\..\Run: [PSHope] "C:\Program Files\PSHope\PSHope.exe"
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com



============


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SysProtect]
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


=============



Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Clean out your Temporary Internet files
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.

    IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning proccess:

  • Lauch Ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report along with a new Combofix log.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP