did hijack this log saved super anti log, saved to floppy came to other computer... 98 is all I have to get online without attacks and adware and re infection... darn floppy must not be compatible from xp argh
I have followed this forums past archives to find cleaning methods but this bugger must be new and copys burys itself
I want to post using my XP but the infection cramms my toolbar and then wipes whatever screen is up on the internet... I need pro help please I don't know computers to the point of getting code... great a crash course!
don't know XP but am at the point of wiping hard drive and trying to reinstall.
thanks dergrunerpunkt
Logfile of HijackThis v1.99.1
Scan saved at 11:35:31 PM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\NetZero\exec.exe
C:\Documents and Settings\Marty\Desktop\HiJack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 172.17.8.3 algomahardwoods.com
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FlashGet] "C:\Program Files\FlashGet\FlashGet.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RunOnce2Upd] "C:\Documents and Settings\Marty\Desktop\ieupd2.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Restore Operation] C:\DOCUME~1\Marty\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....lls/Coupons.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D36759A2-0575-493F-98B7-4B740D71553D}: NameServer = 67.15.202.9,67.15.202.9,72.21.36.74,75.126.60.131
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = algomahw.com
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iccnst - iccnst.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
SUPERAntiSpyware Scan Log
Generated 05/19/2007 at 11:25 PM
Application Version : 3.6.1000
Core Rules Database Version : 3240
Trace Rules Database Version: 1251
Scan type : Complete Scan
Total Scan Time : 01:20:06
Memory items scanned : 492
Memory threats detected : 0
Registry items scanned : 5470
Registry threats detected : 23
File items scanned : 80439
File threats detected : 8
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0FC1EFF3-5715-467E-9C9F-7BF99AE11A71}
HKCR\CLSID\{0FC1EFF3-5715-467E-9C9F-7BF99AE11A71}
HKCR\CLSID\{0FC1EFF3-5715-467E-9C9F-7BF99AE11A71}\InprocServer32
HKCR\CLSID\{0FC1EFF3-5715-467E-9C9F-7BF99AE11A71}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQP.DLL
C:\WINDOWS\SYSTEM32\GEEDA.DLL
C:\WINDOWS\SYSTEM32\MLLJH.DLL
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}\InprocServer32
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}\InprocServer32#ThreadingModel
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}\ProgID
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}\Programmable
HKCR\CLSID\{5142FE17-20E6-4121-A925-A4C6385CDDAA}\TypeLib
C:\WINDOWS\SYSTEM32\REM1.DLL
Trojan.Net-NanoKill
HKLM\Software\Classes\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}
HKCR\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}
HKCR\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}
HKCR\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}#ThreadingModel
HKCR\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32
HKCR\CLSID\{8D5849A2-93F3-429D-FF34-260A2068897C}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\FS6EHNF8JD.DLL
Trojan.Net-Partnership/WL
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\partnershipreg#Asynchronous
Trojan.WinFixer
C:\WINDOWS\SYSTEM32\GEEBA.DLL
Trojan.Downloader-Gen/WinUpd
C:\WINDOWS\SYSTEM32\WINUPD_KB55963079.EXE
Trace.Known Threat Sources
C:\Documents and Settings\nicholek\Local Settings\Temp\Temporary Internet Files\Content.IE5\29YN4VG5\ver2[1].htm
Attached Files
Edited by dergrunerpunkt, 20 May 2007 - 07:35 PM.