More Win anti-virus/outerinfo removal



#1
crusader01

Win antivirus has infected me along with some other things that I am not familiar with. Here is my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 23:01, on 2007-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\pwinmndt.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

Please, lead me into salvation. Thanks for any help!

Edited by crusader01, 25 June 2007 - 02:02 PM.


#2
MoNsTeReNeRgY22

Hello and Welcome to Geeks to Go. :whistling:

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.

#3
crusader01

Take your time, all-knowing knight of technology. I also have a Combo Fix log on hand if needed.

Edited by crusader01, 24 June 2007 - 10:11 PM.


#4
MoNsTeReNeRgY22

How long ago did you run ComboFix?

#5
crusader01

Like, a minute ago.

#6
MoNsTeReNeRgY22

Go ahead and post the log then please.

#7
crusader01

Here is the log:

ComboFix 07-06-18.2
"Owner" - 2007-06-24 23:00:56 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\LX9GYYD7\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\LX9GYYD7\www.broadcaster.com\played_list.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\#SharedObjects\LX9GYYD7\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
C:\Program Files\MSN\xuwueriga.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu2000219.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
-------\Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-24 22:58 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 21:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-24 21:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-24 21:34 6,369 ---hs---- C:\WINDOWS\system32\nqstv.bak1
2007-06-24 21:34 266,336 --a------ C:\WINDOWS\system32\vtsqn.dll
2007-06-24 21:25 <DIR> d-------- C:\VundoFix Backups
2007-06-24 12:42 4,672 --a------ C:\WINDOWS\system32\nrphshva.exe
2007-06-24 12:42 122,944 --a------ C:\WINDOWS\system32\sdrgiwon.exe
2007-06-24 12:22 930 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-24 12:20 49,161 --a------ C:\WINDOWS\system32\mldsrego.exe
2007-06-24 00:31 49,152 --a------ C:\WINDOWS\itpb_11.exe
2007-06-24 00:31 192,622 --a------ C:\WINDOWS\system32\pwinmndt.exe
2007-06-22 15:55 46,592 --a------ C:\WINDOWS\miroyda.exe
2007-06-22 15:55 1,081,920 -r-hs---- C:\WINDOWS\miroydaA.exe
2007-06-22 15:54 31,254 --a------ C:\WINDOWS\system32\mljjjkl.dll
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\F5
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\F4
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\F3
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\F2
2007-06-22 15:54 <DIR> d-------- C:\WINDOWS\system32\F1
2007-06-22 15:54 <DIR> d-------- C:\TEMP\iee
2007-06-15 12:06 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\My Games
2007-06-15 12:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-06-15 11:57 <DIR> d-------- C:\Program Files\Firaxis Games
2007-06-15 11:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-06-15 11:24 <DIR> d-------- C:\Program Files\Download Manager
2007-06-15 11:23 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\IGN_DLM
2007-06-12 12:33 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-06-12 12:33 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
2007-06-10 18:28 <DIR> d-------- C:\Program Files\Logs
2007-06-10 11:02 <DIR> d-------- C:\Program Files\America's Army Server Manager
2007-06-10 10:58 <DIR> d-------- C:\Program Files\America's Army
2007-06-07 14:32 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-06 21:28 39,036 --a------ C:\WINDOWS\system32\drivers\lgusbmodem.sys
2007-06-06 21:28 38,144 --a------ C:\WINDOWS\system32\drivers\lgusbdiag.sys
2007-06-06 21:28 21,344 --a------ C:\WINDOWS\system32\drivers\lgusbbus.sys
2007-06-06 21:28 <DIR> d-------- C:\Program Files\LG Drivers
2007-06-06 00:29 <DIR> d-------- C:\Program Files\iTunes
2007-06-06 00:29 <DIR> d-------- C:\Program Files\iPod
2007-06-01 23:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Viewpoint
2007-05-31 16:26 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-05-31 16:26 35,304 --a------ C:\WINDOWS\DIIUnin.dat
2007-05-31 16:26 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-05-27 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-05-27 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-05-25 13:59 <DIR> d-------- C:\Program Files\MTV Networks
2007-05-24 10:54 <DIR> d-------- C:\Program Files\Windows Media Connect 2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 20:55:02 -------- d-----w C:\Program Files\Messenger
2007-06-15 16:57:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-15 16:52:33 -------- d-----w C:\Program Files\Starcraft
2007-06-14 02:46:56 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-14 02:46:51 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-13 03:01:57 -------- d-----w C:\Program Files\Diablo II
2007-06-13 03:01:31 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-10 14:08:15 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-07 19:25:32 -------- d-----w C:\Program Files\BigFix
2007-06-07 19:22:32 -------- d-----w C:\Program Files\Google
2007-06-07 19:21:33 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-06 05:15:03 -------- d-----w C:\Program Files\Apple Software Update
2007-05-31 21:44:50 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-05-31 21:44:50 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-05-31 21:44:50 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-05-28 23:17:46 -------- d-----w C:\Program Files\QuickTime
2007-05-21 01:58:27 -------- d-----w C:\Program Files\LimeWire
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 00:19:11 35,382 ----a-w C:\WINDOWS\scunin.dat
2007-05-13 00:19:10 967 ----a-w C:\WINDOWS\ScUnin.pif
2007-05-13 00:19:10 94,208 ----a-w C:\WINDOWS\ScUnin.exe
2007-05-13 00:13:29 284 ----a-w C:\WINDOWS\EReg077.dat
2007-05-13 00:10:44 -------- d-----w C:\Program Files\INTRPLAY
2007-05-06 03:57:12 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Leadertech
2007-05-06 03:52:13 -------- d-----w C:\Program Files\Atari
2007-05-02 07:02:43 -------- d-----w C:\Program Files\Monolith Productions
2007-05-02 06:43:37 -------- d-----w C:\Program Files\Image-Line
2007-05-02 06:35:43 -------- d-----w C:\Program Files\BitLord
2007-04-30 17:15:01 -------- d-----w C:\Program Files\Yahoo!
2007-04-27 03:03:55 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 21:12:07 2,933 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 09:47]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{77E9E4AF-2249-4972-AC33-2D5482AC028D}=C:\WINDOWS\system32\geede.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-31 20:48]
{BBC00395-CBF7-439B-916E-3D8AD3CA051F}=C:\Program Files\Messenger\qucoka43855.dll [2007-06-14 06:54]
{D69DD40C-E88E-495E-A4D8-13360E62B13D}=C:\Program Files\Messenger\qucoka83122.dll [2007-06-18 13:59]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\system32\mljjjkl.dll [2007-06-22 15:54]
{DC241C2C-8321-4C47-826B-BC614F3AE971}=C:\WINDOWS\system32\vtsqn.dll [2007-06-24 21:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04]
"@"="" []
"CHotkey"="zHotkey.exe" [2004-05-17 21:30 C:\WINDOWS\zHotkey.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 20:45 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 19:23]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 16:20 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 19:44 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [2004-10-13 18:00 C:\WINDOWS\ALCMTR.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2006-12-12 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-19 12:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 20:48]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 14:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 17:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN\xuwueriga.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\mljjjkl.dll" [2007-06-22 15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjjkl]
mljjjkl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqn]
C:\WINDOWS\system32\vtsqn.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06f0dddc-d3ee-11db-83a7-001320389f05}]
AutoRun\command- M:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-06-22 14:05:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-24 23:06:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-06-24 23:09:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-24 23:09

--- E O F ---

#8
MoNsTeReNeRgY22

I see that you ran VundoFix earlier, did it find anything?

#9
crusader01

Here is a list of the files it found:

C:\windows\system32\dckmrskx.dll
C:\WINDOWS\system32\ebcwjrxk.dll
C:\WINDOWS\system32\edeeg.bak1
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\geede.dll
C:\windows\system32\sjcrppjv.exe
C:\windows\system32\xksrmkcd.ini

Edited by crusader01, 24 June 2007 - 10:28 PM.


#10
MoNsTeReNeRgY22

Hey crusader01,

1) I see you have Limewire installed.
Using programs such as these (P2P) you run a possibility of getting infected.
See HERE for details on P2P file sharing programs.
I recommend uninstalling it, but this program is optional for you if you choose to want to keep it.

2) Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button.

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.gee...structions.html


3) Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4) First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Please post back the AVG report and a fresh HJT Log.
Also let me know how things are running and if you are receiving any more pop ups?

#11
crusader01

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:53 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\xvlscaju.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

AVG Report here:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:06:02 PM 6/25/2007

+ Scan result:



C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054453.dll -> Adware.Agent : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\offun.exe.vir -> Adware.Bagon : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054508.exe -> Adware.Bagon : Ignored.
C:\WINDOWS\system32\ascbalon.dll -> Adware.Balloon : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\cfg32.exe.vir -> Adware.BookedSpace : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\cfg32a.exe.vir -> Adware.BookedSpace : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\cfg32o.dll.vir -> Adware.BookedSpace : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\cfg32r.dll.vir -> Adware.BookedSpace : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\cfg32s.dll.vir -> Adware.BookedSpace : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\stub_mma2.exe.vir -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054500.exe -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054501.exe -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054505.exe -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054510.dll -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054511.dll -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054512.dll -> Adware.BookedSpace : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP169\A0054246.DLL -> Adware.FunWeb : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f} -> Adware.Generic : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir -> Adware.NewDotNet : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054502.exe -> Adware.NewDotNet : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\itpb_3.exe.vir -> Adware.Relevant : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054513.exe -> Adware.Relevant : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054387.exe -> Adware.RK : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054344.exe -> Adware.Rond : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054509.exe -> Adware.Softomate : Ignored.
C:\Program Files\Messenger\__delete_on_reboot__q_u_c_o_k_a_4_3_8_5_5_._d_l_l_ -> Adware.TTC : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0055564.dll -> Adware.TTC : Ignored.
C:\WINDOWS\system32\mljjjkl.dll -> Adware.Virtumonde : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsregt.exe.vir -> Adware.ZenoSearch : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054507.exe -> Adware.ZenoSearch : Ignored.
C:\WINDOWS\itpb_11.exe -> Adware.ZenoSearch : Ignored.
C:\WINDOWS\system32\mldsrego.exe -> Adware.ZenoSearch : Ignored.
C:\WINDOWS\system32\pwinmndt.exe -> Adware.ZenoSearch : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\retadpu1000106.exe.vir -> Downloader.Agent.bls : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\retadpu2000219.exe.vir -> Downloader.Agent.bls : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054503.exe -> Downloader.Agent.bls : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054504.exe -> Downloader.Agent.bls : Ignored.
C:\WINDOWS\system32\F3\wr620.exe -> Downloader.Agent.bls : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054340.exe -> Downloader.PurityScan : Ignored.
C:\WINDOWS\miroydaA.exe -> Downloader.VB.ang : Ignored.
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe -> Downloader.VB.awj : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir -> Downloader.Zlob.bqw : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054515.exe -> Downloader.Zlob.bqw : Ignored.
C:\WINDOWS\system32\F4\wen2.exe -> Dropper.Agent.bfr : Ignored.
C:\WINDOWS\miroyda.exe -> Dropper.Agent.mu : Ignored.
C:\WINDOWS\system32\F1\bk53.exe -> Dropper.Agent.mu : Ignored.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FODN7D6A\acdt-pid67N[1].exe -> Hijacker.Small.jf : Ignored.
C:\QooBox\Quarantine\catchme2007-06-24_230559.75.zip/core.sys -> Rootkit.Agent.eq : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wxcb54ct.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wxcb54ct.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wxcb54ct.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wxcb54ct.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected]ing[1].txt -> TrackingCookie.Advertising : Ignored.
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wxcb54ct.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Bfast : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Epilot : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054484.exe -> Trojan.Agent.anr : Ignored.
C:\VundoFix Backups\sjcrppjv.exe.bad -> Trojan.Agent.anr : Ignored.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GH8Z4HG5\tob_snd_20070616[1] -> Trojan.Agent.aoy : Ignored.
C:\WINDOWS\system32\sdrgiwon.exe -> Trojan.Agent.aoy : Ignored.
C:\WINDOWS\system32\geplxss.dll -> Trojan.Dialer.cs : Ignored.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054343.exe -> Trojan.Small.oa : Ignored.


::Report end

Sorry it took so long to repost, fell asleep last night. An update to how my computer is running: I still get random popups. Some of them come up trying to re-install Winantivirus Pro but I've blocked all that. My computer still seems a little slower than usual..But everything else is running okay. Also random audio clips keep playing on my computer...It's freaking weird..

Edited by crusader01, 25 June 2007 - 01:59 PM.

  • 0

#12
MoNsTeReNeRgY22

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
Hello again,
First, did you have any problems with the BFU???

Second, it doesn't look like you followed step 5 on the AVG AS instructions.

5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".


So please follow the instructions again closely and post another AVG AS log with another fresh HJT log.
  • 0

#13
crusader01

crusader01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
AVG REPORT:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:50:20 PM 6/27/2007

+ Scan result:



C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054453.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\offun.exe.vir -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054508.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ascbalon.dll -> Adware.Balloon : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32.exe.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32a.exe.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32o.dll.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32r.dll.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32s.dll.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\stub_mma2.exe.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054500.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054501.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054505.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054510.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054511.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054512.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP169\A0054246.DLL -> Adware.FunWeb : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f} -> Adware.Generic : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054502.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\itpb_3.exe.vir -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054513.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054387.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054344.exe -> Adware.Rond : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054509.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Messenger\__delete_on_reboot__q_u_c_o_k_a_4_3_8_5_5_._d_l_l_ -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0055564.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\dwdsregt.exe.vir -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054507.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\itpb_11.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mldsrego.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pwinmndt.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\retadpu1000106.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\retadpu2000219.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054503.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054504.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINDOWS\system32\F3\wr620.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054340.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-829957098-2474552606-222780406-1003\Dc1.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\miroydaA.exe -> Downloader.VB.ang : Cleaned with backup (quarantined).
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe -> Downloader.VB.awj : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054515.exe -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\F4\wen2.exe -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\WINDOWS\miroyda.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\WINDOWS\system32\F1\bk53.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\catchme2007-06-24_230559.75.zip/core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054484.exe -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\VundoFix Backups\sjcrppjv.exe.bad -> Trojan.Agent.anr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nuqmtxqc.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sdrgiwon.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\geplxss.dll -> Trojan.Dialer.cs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP170\A0054343.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).


::Report end

Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:39 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\qgyeepvi.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

I'm still getting pop-ups..If I didn't follow another step lemme know..I went through everything on the list twice to make sure I didn't skip it..

Edited by crusader01, 27 June 2007 - 08:17 PM.

  • 0
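The check that reply #12 makes by eye on the AVG Anti-Spyware report (were the detections acted on, or left as `Ignored`?) can be scripted, along with a comparison of two reports. This is an added example, not part of the thread or of any AVG tooling; the line format is inferred from the reports posted above, the sample lines are copied from them, and the function names are hypothetical.

```python
import re
from collections import Counter

# One detection line looks like: "<object> -> <threat name> : <action>."
# The object may itself contain ':' (drive letters, ":mozilla.15:" prefixes),
# so the pattern keys on the " -> " and " : " separators, not on bare colons.
LINE_RE = re.compile(r"^(?P<obj>.+) -> (?P<threat>\S+) : (?P<action>.+?)\.?\s*$")

# Excerpts copied from the two reports in this thread.
FIRST_REPORT = r"""
C:\WINDOWS\system32\mljjjkl.dll -> Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\sdrgiwon.exe -> Trojan.Agent.aoy : Ignored.
C:\WINDOWS\system32\geplxss.dll -> Trojan.Dialer.cs : Ignored.
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wxcb54ct.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
::Report end
"""

SECOND_REPORT = r"""
+ Created at: 2:50:20 PM 6/27/2007
+ Scan result:
C:\WINDOWS\system32\nuqmtxqc.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sdrgiwon.exe -> Trojan.Agent.aoy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\geplxss.dll -> Trojan.Dialer.cs : Cleaned with backup (quarantined).
::Report end
"""


def parse_report(text):
    """Return (object, threat, action) tuples; header/footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["obj"], m["threat"], m["action"]))
    return rows


def unhandled(rows):
    """Detections that were reported but left in place (action 'Ignored')."""
    return [r for r in rows if r[2].lower() == "ignored"]


def action_summary(rows):
    """Count detections per action string."""
    return Counter(action for _, _, action in rows)


def compare(before, after):
    """Return ((object, threat) only in 'before', (object, threat) only in 'after')."""
    b = {(o, t) for o, t, _ in before}
    a = {(o, t) for o, t, _ in after}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    first, second = parse_report(FIRST_REPORT), parse_report(SECOND_REPORT)
    print("first report :", dict(action_summary(first)))
    print("second report:", dict(action_summary(second)))
    for obj, threat, _ in unhandled(first):
        print("NOT ACTED ON:", threat, obj)
    gone, new = compare(first, second)
    for obj, threat in gone:
        print("only in first report :", threat, obj)
    for obj, threat in new:
        print("only in second report:", threat, obj)
```

Entries that appear in only one report are listed for a human to review; the script draws no conclusion about why they differ.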

#14
MoNsTeReNeRgY22

MoNsTeReNeRgY22

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,539 posts
I also do not see an Anti-Virus program running on your system. An AntiVirus program is a must! I recommend Active Virus Shield or AVG for free programs, and for shareware programs I recommend NOD32.
Note - Uncheck security toolbar at installation of Active Virus Shield

DO NOT install more than one antivirus program. They will conflict, and provide less protection, not more.

Please let me know if you have any problems installing an Anti-Virus, and also please post a fresh HJT Log.
  • 0

#15
crusader01

crusader01

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
What are some good Antivirus programs that cost?
  • 0





