
I am in pop-up purgatory! [RESOLVED]


This topic is locked

#1
mitcham

  • Member
  • 10 posts
Help me! As I write this, I am being deluged with pop-ups (this IE window was the first opened; I'm now up to 7). I have tried most everything suggested in the "Click Here before posting a HijackThis log": I've installed & run both AVG Anti-Spyware and SuperAntiSpyware Free Edition, ActiveScan on Pandasoftware's web site, etc., but despite lots o' stuff being found and quarantined, I still have probs.

I am posting my HiJackThis log below:

Logfile of HijackThis v1.99.1
Scan saved at 4:23:24 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq Computer Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ef5bbd36-b6cf-4980-b5eb-db55c3fe260e} - C:\WINDOWS\system32\shapnap.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\yabxxu.dll",realset
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://libbyc.wins.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://libbyc.wins.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: shapnap - C:\WINDOWS\SYSTEM32\shapnap.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

P.S. This PC was once used for work, hence the references to Compaq & Tandem. I've removed the info from IE (what I know of, anyway), so if there is something else I should do to remove this (presumably benign) info, feel free to post that as well.

Thanks!
  • 0


#2
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello mitcham and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have a mixture of malware with Trojans including the dreaded Virtumonde (Vundo) infection. Let’s see what we can do.

Download this file: combofix.exe to your Desktop

Do NOT run this tool in safe mode.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Download and Install MVPS hosts file.

This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

Please go to: MVPS Hosts file

If you scroll down the MVPS page, you will see an animated folder next to hosts.zip. Download that file to your desktop, right click on it and choose EXTRACT ALL; a window will open containing the files. Double click mvps.bat and a DOS screen will open inviting you to press any key to continue. That's all there is to it.

Please bookmark/add to favourite this site as the file is updated every 14 days, so you need to do this once a month. There is now a facility for you to register your email address with the site to be informed of updates. The link is towards the foot of the page.

From now on, whilst surfing, you will notice some sites not loading and you may see the word “advertisement” on some pages. This is because the IP address of either the site or the advertiser is known to be bad and is being blocked.

Please reboot normally, rescan with HJT in normal mode and post the log.
  • 0
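The hosts-file mechanism described above (a hostname mapped to 127.0.0.1 never leaves the machine) is easy to see in code. The following is an added example written for this page; it is not part of the thread or of the MVPS project. The sample hosts text is constructed, the ad-serving hostnames are invented placeholders on the reserved `.test` domain, and the sink-address set is an assumption covering the 127.0.0.1 form used at the time of this thread as well as the 0.0.0.0 form later block lists use. The same parser also shows the check a defender wants on any hosts file: an entry that points a hostname somewhere other than the local machine is not a block entry at all and is what HijackThis reports as an O1 hosts redirection.

```python
"""Parse a hosts file, answer "where would this name go?", and flag entries
that redirect a hostname to a real address instead of sinking it.

Added example for this page; not code from the thread or from MVPS.
"""
import ipaddress

# Constructed sample in the same layout as an MVPS hosts file.
# Hostnames are placeholders, not entries from the real list.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0   ads.example-adserver.test
127.0.0.1 banners.example-adnet.test    # blocked: sunk to loopback
10.0.0.5  www.example-bank.test         # NOT a block entry: points at a real host
"""

# Addresses a block list may legitimately point a hostname at (assumption:
# 127.0.0.1 as in this thread, 0.0.0.0 as in later lists, ::1 for IPv6).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, comments stripped.
    One line may list several names for one address; all are recorded."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()] = addr
    return table


def resolve(hostname, table):
    """Address the hosts file supplies for hostname, or None if DNS would be asked."""
    return table.get(hostname.lower())


def is_sink(addr):
    """True if addr keeps traffic on the local machine."""
    if addr in SINK_ADDRESSES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_blocked(hostname, table):
    """True when the hosts file sinks hostname, i.e. the ad site is never contacted."""
    addr = resolve(hostname, table)
    return addr is not None and is_sink(addr)


def hijack_entries(table):
    """Entries that send a hostname to a non-local address. In a block list
    these are either deliberate local overrides or a hosts-file hijack."""
    return {host: addr for host, addr in table.items() if not is_sink(addr)}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adserver.test", "www.example-bank.test", "unlisted.test"):
        print(f"{name:28} -> {resolve(name, hosts)}  blocked={is_blocked(name, hosts)}")
    print("entries to review:", hijack_entries(hosts))
```

Case-insensitive lookup matters here: Windows treats hostnames case-insensitively, so a block list that matched only exact case would be trivially bypassed by a differently cased URL.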

#3
mitcham

  • Topic Starter
  • Member
  • 10 posts
Thank you for the quick response, Crustyoldbloke. Below is the latest HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 5:48:55 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://libbyc.wins.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://libbyc.wins.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Edited by mitcham, 30 May 2007 - 03:54 PM.

  • 0

#4
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Thanks for the HJT log, however, the ComboFix log appears to be missing; please post it after this fix.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please post a fresh HJT log from normal mode also.
  • 0

#5
mitcham

  • Topic Starter
  • Member
  • 10 posts
Apologies for omitting the ComboFix log. Please see below:


"Andrew" - 2007-05-30 17:28:32 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Downloads\spyware_cleanup\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\shapnap.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\DOCUME~1\BRITTA~2.WIN\APPLIC~1\Sskdmns.dll"
"C:\WINDOWS\system32\tmp3.tmp.dll"
"C:\WINDOWS\system32\tmp7.tmp.dll"
"C:\WINDOWS\system32\tmp2.tmp.dll"
"C:\WINDOWS\system32\tmp9.tmp.dll"
"C:\WINDOWS\system32\tmp1A.tmp.dll"
"C:\WINDOWS\system32\tmp1E.tmp.dll"
"C:\WINDOWS\system32\tmp8.tmp.dll"
"C:\WINDOWS\system32\tmp4C9.tmp.dll"
"C:\Program Files\Common Files\windows\AutoIt3.exe"
"C:\lswmv.ini"
"C:\WINDOWS\start.exe"
"C:\Program Files\Common Files\download"
"C:\Program Files\Common Files\inetget2"
"C:\Program Files\Common Files\windows"
"C:\Program Files\screensavers.com"
"C:\Program Files\Common Files\Uninstall Information"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))


2007-05-30 16:27 106,526 --a------ C:\WINDOWS\qomkig.dll
2007-05-30 16:21 106,526 --a------ C:\WINDOWS\yabxxu.dll
2007-05-30 08:56 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-05-30 07:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-30 07:25 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-30 05:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-30 05:36 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\SUPERAntiSpyware.com
2007-05-30 05:17 106,411 --a------ C:\WINDOWS\bywwvw.dll
2007-05-29 18:42 106,545 --a------ C:\WINDOWS\khiffg.dll
2007-05-29 17:43 106,493 --a------ C:\WINDOWS\dddefe.dll
2007-05-29 07:36 <DIR> d--hs---- C:\FOUND.000
2007-05-26 14:48 106,452 --a------ C:\WINDOWS\bywtqn.dll
2007-05-25 04:18 106,544 --a------ C:\WINDOWS\pmnlmj.dll
2007-05-23 04:20 34,759 --a------ C:\WINDOWS\SYSTEM32\iifef.exe
2007-05-23 04:17 8,436 --a------ C:\WINDOWS\SYSTEM32\wvuuuro.dll
2007-05-23 04:15 8,436 --a------ C:\WINDOWS\SYSTEM32\byxuust.dll
2007-05-22 03:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\URTTemp
2007-05-22 02:59 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-05-16 21:51 <DIR> d-------- C:\DOCUME~1\Brendon\APPLIC~1\Help
2007-05-15 16:38 <DIR> d-------- C:\Program Files\avijoin
2007-05-14 04:23 <DIR> d-------- C:\Documents and Settings\Andrew\Shared
2007-05-14 04:23 <DIR> d-------- C:\DOCUME~1\Andrew\Shared
2007-05-14 04:22 <DIR> d-------- C:\Documents and Settings\Andrew\Incomplete
2007-05-14 04:22 <DIR> d-------- C:\DOCUME~1\Andrew\Incomplete
2007-05-14 04:22 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\LimeWire
2007-05-14 04:18 <DIR> d-------- C:\Program Files\LimeWire
2007-05-07 05:59 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\Help
2007-05-07 05:55 68,096 --a------ C:\WINDOWS\SYSTEM32\wbtrv32.dll
2007-05-07 05:55 320,512 --a------ C:\WINDOWS\SYSTEM32\w32mkde.exe
2007-05-07 05:55 110,080 --a------ C:\WINDOWS\SYSTEM32\W32mkrc.dll
2007-05-07 05:55 <DIR> d-------- C:\Program Files\NEO Pro
2007-05-07 05:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-07 04:29 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\SpamBayes
2007-05-07 04:28 <DIR> d-------- C:\Program Files\SpamBayes
2007-05-07 04:13 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-05-07 04:12 <DIR> d-------- C:\WINDOWS\ShellNew
2007-05-05 13:17 <DIR> d-------- C:\DOCUME~1\Brendon\APPLIC~1\Google
2007-05-02 02:47 <DIR> d-------- C:\DOCUME~1\Andrew\APPLIC~1\Google
2007-05-02 02:46 <DIR> d-------- C:\Program Files\Google
2007-05-01 03:45 3,876,956 --ah----- C:\WINDOWS\SYSTEM32\IRAS.sys
2007-05-01 03:38 <DIR> d-------- C:\IRAS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:56 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:42 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:24 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL [2003-11-03 14:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 01:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2004-08-04 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]
"AIM Logger"="C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe" [2006-11-28 22:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM Logger"="C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe" [2006-11-28 22:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"SiS KHooker"=C:\WINDOWS\SYSTEM32\KHOOKER.EXE
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"CountrySelection"=pctptt.exe
"PTSNOOP"=ptsnoop.exe
"ICSDCLT"=C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\ICSDCLT.DLL,ICSClient
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"avast! Web Scanner"=C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
"ashMaiSv"=C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-06 03:00:02 C:\WINDOWS\tasks\Tune-up Application Start.job
2007-05-27 16:30:20 C:\WINDOWS\tasks\Maintenance-Defragment programs.job
2007-05-01 16:00:02 C:\WINDOWS\tasks\Maintenance-Disk cleanup.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 17:42:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-30 17:43:39 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-30 17:42

--- E O F ---
  • 0

#6
mitcham

  • Topic Starter
  • Member
  • 10 posts
Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:03:30 AM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
  • 0

#7
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

How many accounts are there on this PC?

Please download CWShredder, unzip it, and save it on the Desktop.

Please download cwsserviceemove.reg file and save it on the Desktop.

Please download CCleaner, and save it on the Desktop.

Please run CWShredder to fix your CWS problem.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.

Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please reboot normally.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\qomkig.dll
    C:\WINDOWS\yabxxu.dll
    C:\WINDOWS\bywwvw.dll
    C:\WINDOWS\khiffg.dll
    C:\WINDOWS\dddefe.dll
    C:\FOUND.000
    C:\WINDOWS\bywtqn.dll
    C:\WINDOWS\pmnlmj.dll
    C:\WINDOWS\SYSTEM32\iifef.exe
    C:\WINDOWS\SYSTEM32\wvuuuro.dll
    C:\WINDOWS\SYSTEM32\byxuust.dll
    C:\DOCUME~1\Andrew\APPLIC~1\LimeWire
    C:\Program Files\LimeWire
    C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe
    C:\WINDOWS\SYSTEM\blank.htm


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt

    (If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)

  • Click the red Moveit! button.
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
Click "Exit" to close OTMoveIt.


There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default settings in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVG Anti-Spyware, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
  • 0
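The triage Crustyoldbloke did by eye on the first log (the `tmpN.tmp.dll` and `shapnap.dll` BHOs, the `rundll32.exe "C:\WINDOWS\yabxxu.dll",realset` Run entry, the `shapnap` Winlogon Notify hook, the IE policy restrictions and the Trusted Zone additions) can be written down as rules, which is how the same Vundo-style pattern is spotted consistently across many logs. The script below is an added example written for this page; it is not part of the thread or of HijackThis. The rules are heuristics of my own that pick lines out for a human to review, the allowlist of Winlogon Notify DLLs is an assumption for a Windows XP SP2 machine, and the sample lines are copied from the log in post #1 of this thread. It generalises slightly beyond that log by also handling the hex-numbered `tmp4C9.tmp.dll` form seen in the ComboFix deletions.

```python
"""Rule-based triage of HijackThis v1.99 log lines for Vundo/Virtumonde-style
indicators. Added example for this page; not code from the thread or from
HijackThis. Output is a list of lines for a human to review, not a verdict.
"""
import re

# Constructed sample: lines copied from the HJT log in post #1 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp3.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ef5bbd36-b6cf-4980-b5eb-db55c3fe260e} - C:\WINDOWS\system32\shapnap.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\yabxxu.dll",realset
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: shapnap - C:\WINDOWS\SYSTEM32\shapnap.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Throwaway names as seen in this thread: 5-7 random lowercase letters
# (shapnap, yabxxu, qomkig ...) or tmp<hex>.tmp.dll. Heuristic, not a signature.
THROWAWAY_RE = re.compile(r"^(?:[a-z]{5,7}|tmp[0-9a-f]{1,3}\.tmp)\.dll$", re.IGNORECASE)
# Assumption: Winlogon Notify DLLs expected in system32 on XP SP2
# (stock Windows handlers plus WgaLogon from Windows Genuine Advantage).
KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                "sclgntfy.dll", "wlnotify.dll", "termsrv.dll", "wgalogon.dll"}


def target_path(section, body):
    """Best-effort extraction of the file an HJT entry points at."""
    if section in ("O2", "O20"):
        return body.rsplit(" - ", 1)[-1].strip()
    if section == "O4":
        cmd = body.split("]", 1)[-1].strip()
        quoted = re.search(r'"([^"]+)"', cmd)
        return quoted.group(1) if quoted else cmd.split(" ", 1)[0]
    return None


def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    path = target_path(section, body)
    name = path.rsplit("\\", 1)[-1].lower() if path else ""
    # A DLL sitting directly in C:\WINDOWS (not a subfolder) is unusual for software.
    in_windows_root = bool(path) and path.lower().startswith("c:\\windows\\") and path.count("\\") == 2
    if section == "O2" and THROWAWAY_RE.match(name):
        return ("high", f"BHO loads throwaway-named DLL {name}")
    if section == "O4" and "rundll32" in body.lower() and in_windows_root:
        return ("high", f"rundll32 loads {name} straight from the Windows directory")
    if section == "O20" and name not in KNOWN_NOTIFY and (THROWAWAY_RE.match(name) or "system32" in path.lower()):
        return ("high", f"unknown Winlogon Notify DLL {name}")
    if section == "O6":
        return ("medium", "IE policy restrictions present; commonly set by hijackers")
    if section == "O15":
        return ("low", "site added to IE Trusted Zone; confirm it is wanted")
    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line.strip())
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The four "high" hits are exactly the entries that disappeared between the first and second logs after ComboFix ran, and the `yabxxu.dll` path is the first file in the OTMoveIt list above; the O6 and O15 lines are the ones dealt with by the HijackThis fix and the Del 015 Domains.inf step.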

#8
mitcham

  • Topic Starter
  • Member
  • 10 posts

Hello again

How many accounts are there on this PC?


There are four accounts (me, wife, two children)

Please download CWShredder, unzip it, and save it on the Desktop.

Please download cwsserviceemove.reg file and save it on the Desktop.

Please download CCleaner, and save it on the Desktop.


Done!

Please run CWShredder to fix your CWS problem.


No CWS problems were found.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.


Done!

Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Unzip cwsserviceemove.reg file to your desktop. While in safe mode, double click on it and grant it permission to add the registry items.

Please reboot normally.


Done!

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\qomkig.dll
    C:\WINDOWS\yabxxu.dll
    C:\WINDOWS\bywwvw.dll
    C:\WINDOWS\khiffg.dll
    C:\WINDOWS\dddefe.dll
    C:\FOUND.000
    C:\WINDOWS\bywtqn.dll
    C:\WINDOWS\pmnlmj.dll
    C:\WINDOWS\SYSTEM32\iifef.exe
    C:\WINDOWS\SYSTEM32\wvuuuro.dll
    C:\WINDOWS\SYSTEM32\byxuust.dll
    C:\DOCUME~1\Andrew\APPLIC~1\LimeWire
    C:\Program Files\LimeWire
    C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe
    C:\WINDOWS\SYSTEM\blank.htm


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.

    (If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)

  • Click the red Moveit! button.
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
  • Click "Exit" to close OTMoveIt.


See following reply.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log, from normal mode, and I will take another look.


Done!
  • 0

#9
mitcham

mitcham

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OTMoveIt.log:

DllUnregisterServer procedure not found in C:\WINDOWS\qomkig.dll
C:\WINDOWS\qomkig.dll NOT unregistered.
C:\WINDOWS\qomkig.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\yabxxu.dll
C:\WINDOWS\yabxxu.dll NOT unregistered.
C:\WINDOWS\yabxxu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\bywwvw.dll
C:\WINDOWS\bywwvw.dll NOT unregistered.
C:\WINDOWS\bywwvw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\khiffg.dll
C:\WINDOWS\khiffg.dll NOT unregistered.
C:\WINDOWS\khiffg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\dddefe.dll
C:\WINDOWS\dddefe.dll NOT unregistered.
C:\WINDOWS\dddefe.dll moved successfully.
C:\FOUND.000 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\bywtqn.dll
C:\WINDOWS\bywtqn.dll NOT unregistered.
C:\WINDOWS\bywtqn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\pmnlmj.dll
C:\WINDOWS\pmnlmj.dll NOT unregistered.
C:\WINDOWS\pmnlmj.dll moved successfully.
C:\WINDOWS\SYSTEM32\iifef.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\wvuuuro.dll
C:\WINDOWS\SYSTEM32\wvuuuro.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\wvuuuro.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\byxuust.dll
C:\WINDOWS\SYSTEM32\byxuust.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\byxuust.dll moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\themes\windows_theme moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\themes\other_theme moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\themes\limewire_theme moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\themes\classic_theme moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\themes\black_theme moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\themes moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\xml\schemas moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\xml\misc moved successfully.
Folder move failed. C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\xml\data\delete_me scheduled to be moved on reboot.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\xml\data moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire\xml moved successfully.
C:\DOCUME~1\Andrew\APPLIC~1\LimeWire moved successfully.
C:\Program Files\LimeWire\.NetworkShare moved successfully.
C:\Program Files\LimeWire\root\magnet10 moved successfully.
C:\Program Files\LimeWire\root moved successfully.
Folder move failed. C:\Program Files\LimeWire\hashes scheduled to be moved on reboot.
Folder move failed. C:\Program Files\LimeWire\SOURCE scheduled to be moved on reboot.
Folder move failed. C:\Program Files\LimeWire\COPYING scheduled to be moved on reboot.
C:\Program Files\LimeWire moved successfully.
C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe moved successfully.
File/Folder C:\WINDOWS\SYSTEM\blank.htm not found.

Created on 05/31/2007 20:07:34

HJT.log:

Logfile of HijackThis v1.99.1
Scan saved at 8:32:59 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WinZip\Wzqkpick.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

It's looking good.

Now that the HijackThis log for the main account is clean, you have a choice to make.

You can either post into this thread a fresh HJT log for each of the other accounts, from normal mode, and I will analyse them and give you the instructions necessary for any fix (please name or number the logs to save any confusion).

Or you can go to User Accounts in the Control Panel and delete all the accounts other than the one I have been working on.

Windows by default will create a folder for each account and place it on the desktop with all the files and documents relative to that account in it, so nothing is lost.

If you then wish to have multiple accounts again, just reboot normally and create the account again from User Accounts (takes 5 minutes).

I have no preference since it is you doing all the work, for me it is just analysing and writing fixes.
  • 0

#11
mitcham

mitcham

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts

Windows by default will create a folder for each account and place it on the desktop with all the files and documents relative to that account in it, so nothing is lost


Hi, Crustyoldbloke. I started to follow the course of deleting the accounts, but it appears the 'My Documents' folder is the only thing that is kept. Quoting, it says "Windows cannot save {wife's} e-mail messages, Internet favorites, and other settings." With that in mind, I have opted to post individual HJT log files instead (see attachments).

I hope this isn't much of a burden. Perhaps things will be clean for everyone else as well, although I did note, when logging onto my son's account, the following pop-up error message:

RUNDLL
Error loading C:\WINDOWS\dddefe.dll
The specified module could not be found.

Thanks so much for all of your assistance!

Attached Files


  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Yes, you are quite correct; Windows only saves the documents and not the settings. I’ll wager it takes you longer to run the fixes than it did for me to write them.

Logon as Son

Son Fix:

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen).

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [setup] rundll32.exe "C:\WINDOWS\dddefe.dll",realset
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe
    C:\WINDOWS\dddefe.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt.

    (If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)

  • Click the red Moveit! button.
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
  • Click "Exit" to close OTMoveIt.

Switch user

Logon as Daughter

Daughter fix:

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen).

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.

Switch User

Logon as Wife

Wife fix:

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen).

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Click on Fix Checked when finished and exit HijackThis.

Please post fresh HJT logs from normal mode for Son, Daughter and Wife in addition to the MoveIt text.
  • 0

#13
mitcham

mitcham

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts

Yes, you are quite correct; Windows only saves the documents and not the settings. I’ll wager it takes you longer to run the fixes than it did for me to write them.

I would venture a guess that you probably had no idea how true that statement would be when you wrote it (I know I didn't).

I am terribly sorry for not following up with you on this topic. I encountered a problem and, as sometimes happens, life sent me a different direction. I hope now to stay on track and complete this task with your help...

As mentioned, I tried downloading/running http://www.greyknigh...lO15Domains.inf (which I had run once before in prior instructions) but had a problem. When run from any other account than my own, it complains with an 'Error' pop-up box:

Error
Installation failed

After working on this for a while I got side-tracked and am only now following up.

I could continue with the other suggested items, but before doing so I would prefer to know that it is acceptable to omit this step in the process (assuming there is a logical order to the steps you have provided). And obviously I would like to identify the reason for the error and take corrective action as well.

Thank you again for your assistance. Your patience is appreciated.
  • 0

#14
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

That registry edit file merely changes the trusted zone in the registry and resets it. You can do this by ticking/checking the O15 entry in HJT.

It may be a permissions problem; I ought to check with the author, but for now, just continue.

For some unknown reason, I can't find the original HJT logs for your family, so I can't show you an example, but it will be the O15 entry in HJT that needs fixing.

EDIT - found

O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://libbyc.wins.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com

Edited by Crustyoldbloke, 05 June 2007 - 02:40 AM.
File attachments found

  • 0
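A defender's cross-check of the two kinds of log in this thread, covering the orphaned rundll32 entry behind the son's RUNDLL pop-up (post #12) and the O15 Trusted Zone entries discussed just above (post #14). This is an added example, not code from the thread or from the HijackThis/OTMoveIt authors; it reads an OTMoveIt results log for files that were moved, then flags O4 Run entries in a HijackThis log that still point at them, plus the O6 policy and O15 Trusted Zone lines the fixes tick in HJT. The sample log lines are constructed from entries quoted in the thread, and the function names are my own.

```python
"""Cross-check a HijackThis (HJT) log against an OTMoveIt results log.

Added example; not code from this thread or from the HJT/OTMoveIt authors.
It finds O4 Run entries whose target file OTMoveIt has already moved
(these leave the 'RUNDLL ... could not be found' pop-up at logon until the
entry itself is fixed in HJT) and flags the O6 policy and O15 Trusted Zone
entries the thread's fixes tick in HJT.  Sample log lines are constructed
from entries quoted in the thread.
"""
import re

# Constructed sample in the OTMoveIt results format quoted in post #9.
OTMOVEIT_LOG = r"""
DllUnregisterServer procedure not found in C:\WINDOWS\dddefe.dll
C:\WINDOWS\dddefe.dll NOT unregistered.
C:\WINDOWS\dddefe.dll moved successfully.
C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe moved successfully.
File/Folder C:\WINDOWS\SYSTEM\blank.htm not found.
"""

# Constructed sample in the HJT format of the son's and wife's logs.
HJT_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe /start /minimize
O4 - HKCU\..\Run: [setup] rundll32.exe "C:\WINDOWS\dddefe.dll",realset
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe "X.dll",entry  ->  the DLL is what actually gets loaded
RUNDLL_RE = re.compile(r'(?i)^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?')
FIRST_TOKEN_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')


def moved_paths(otmoveit_text):
    """Return the set of paths OTMoveIt reports as moved, lower-cased
    because Windows paths are case-insensitive."""
    moved = set()
    for line in otmoveit_text.splitlines():
        m = MOVED_RE.match(line.strip())
        if m:
            moved.add(m.group("path").lower())
    return moved


def o4_target(cmd):
    """Return the file an O4 Run command really loads: the DLL for a
    rundll32 command line, otherwise the first (possibly quoted) token."""
    cmd = cmd.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip()
    m = FIRST_TOKEN_RE.match(cmd)
    if not m:
        return cmd
    return m.group("quoted") or m.group("bare")


def review_hjt(hjt_text, moved):
    """Return (log line, reason) pairs for entries that still need fixing."""
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if o4_target(m.group("cmd")).lower() in moved:
                findings.append((line, "orphaned autorun: its file was moved by "
                                       "OTMoveIt, so Windows shows a RUNDLL/'could not "
                                       "be found' error at logon until the entry is fixed"))
        elif line.startswith("O6 - ") and line.endswith(" present"):
            findings.append((line, "IE policy restriction present; not expected on a home PC"))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append((line, "site in the IE Trusted Zone; tick the O15 entry in HJT"))
    return findings


if __name__ == "__main__":
    for line, why in review_hjt(HJT_LOG, moved_paths(OTMOVEIT_LOG)):
        print(f"{why}\n    {line}")
```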

#15
mitcham

mitcham

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here are the latest HJT logs

Thanks!

Son
Logfile of HijackThis v1.99.1
Scan saved at 4:04:30 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq Computer Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inline.compaq.com;www.compaq.com;*.hou.compaq.com;*.wins.compaq.com;*.tandem.com;csnet.compaq.com;forum.compaq.com;pol*.vanguard.com;*.northam.compaq.com;*.dec.com;*.netacd.com;*.tandemonline.com;*.cpqcorp.net;www.microcom.com;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Daughter
Logfile of HijackThis v1.99.1
Scan saved at 4:03:30 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vinproavs01.i.../query?mss=n200
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq Computer Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inline.compaq.com;www.compaq.com;*.hou.compaq.com;*.wins.compaq.com;*.tandem.com;csnet.compaq.com;forum.compaq.com;pol*.vanguard.com;*.northam.compaq.com;*.dec.com;*.netacd.com;*.tandemonline.com;*.cpqcorp.net;www.microcom.com;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Wife
Logfile of HijackThis v1.99.1
Scan saved at 4:05:07 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vinproavs01.i.../query?mss=n200
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inline.compaq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inline.compaq.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq Computer Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://ie.config.im....om/settings.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.compaq.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = inline.compaq.com;www.compaq.com;*.hou.compaq.com;*.wins.compaq.com;*.tandem.com;csnet.compaq.com;forum.compaq.com;pol*.vanguard.com;*.northam.compaq.com;*.dec.com;*.netacd.com;*.tandemonline.com;*.cpqcorp.net;www.microcom.com;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://libbyc.wins.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Son OTmoveIt

File/Folder C:\PROGRA~1\Nalsoft\AIMLOG~1\nalgr.exe not found.
File/Folder C:\WINDOWS\dddefe.dll not found.

Created on 06/06/2007 03:53:38

Edited by Crustyoldbloke, 06 June 2007 - 02:24 AM.

  • 0