HijackThis log


#1 penelopepony (Member, 118 posts)
I appreciate this SO VERY MUCH. I paid for the program NoAdware.net and they sent me a diagnostic tool which reads similar, if not the same, and I'd still have over 225 of the infections created by the trojan.W32.Looksky virus if not for this site. I've been waiting 2 days since they sent that, and I just hope they give me my $42 back. They promised to fix this problem, and while their program may be OK for when I start my PC up, I feel cheated.

The infection that it shows as DANGEROUS is: Ultimate DefendeC:\Documents and settings\Penny\ApDirectory

NON DANGEROUS: tracking cookie, ucleaner

Thank you again, YOU ALL ROCK...

Then when this is over, I have to figure out how to get help re-creating the "Web, Web1, Web2" file links I used to have for my two websites, once this mess is gone.

TY
Penelopepony



***********************************************************************************
OS : Windows XP Professional Edition Service Pack 2
Build : 5.1.2600
IE Version : 6.0.2900
Diagnostic Tool Ver:2.0


---------------------------------------------------

UniqueID = {B7321E8E6100C8A011658E1752323F41}


Noadware Versions :
Current Def File :
Noadware Version :
Initial Noadware Def File :
-------------------------------------------

-------------------------
Running Processes
1. N/A (security restriction) MD5={Cannot Open file}
2. \SystemRoot\System32\smss.exe MD5={Cannot Open file}
3. \??\C:\WINDOWS\system32\csrss.exe MD5={Cannot Open file}
4. \??\C:\WINDOWS\system32\winlogon.exe MD5={Cannot Open file}
5. C:\WINDOWS\system32\services.exe MD5={C6CE6EEC82F187615D1002BB3BB50ED4}
6. C:\WINDOWS\system32\lsass.exe MD5={84885F9B82F4D55C6146EBF6065D75D2}
7. C:\WINDOWS\system32\svchost.exe MD5={8F078AE4ED187AAABC0A305146DE6716}
8. C:\WINDOWS\system32\svchost.exe MD5={8F078AE4ED187AAABC0A305146DE6716}
9. C:\WINDOWS\System32\svchost.exe MD5={8F078AE4ED187AAABC0A305146DE6716}
10. C:\Program Files\Ahead\InCD\InCDsrv.exe MD5={E9372A17C22FC4E5C9FD8798A97775FC}
11. C:\WINDOWS\system32\svchost.exe MD5={8F078AE4ED187AAABC0A305146DE6716}
12. C:\WINDOWS\Explorer.EXE MD5={A0732187050030AE399B241436565E64}
13. C:\WINDOWS\system32\svchost.exe MD5={8F078AE4ED187AAABC0A305146DE6716}
14. C:\WINDOWS\system32\spoolsv.exe MD5={7435B108B935E42EA92CA94F59C8E717}
15. C:\WINDOWS\system32\CTsvcCDA.EXE MD5={3C8B6609712F4FF78E521F6DCFC4032B}
16. C:\WINDOWS\System32\alg.exe MD5={F1958FBF86D5C004CF19A5951A9514B7}
17. C:\WINDOWS\SYSTEM32\USRmlnkA.exe MD5={3455E6FBF1A7C0E97666B874642C75BE}
18. C:\WINDOWS\SYSTEM32\USRshutA.exe MD5={7315EDC07245CCF9E194F8A34DA061BC}
19. C:\WINDOWS\SYSTEM32\USRmlnkA.exe MD5={3455E6FBF1A7C0E97666B874642C75BE}
20. C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe MD5={B8C105215A4EE0680BD4A4F43622E48F}
21. C:\WINDOWS\system32\Rundll32.exe MD5={DA285490BBD8A1D0CE6623577D5BA1FF}
22. C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe MD5={9C1C80BBF8E6044980890E2D2D91091C}
23. C:\Program Files\Winamp\winampa.exe MD5={F0537722502644B590CC499ECF26FAD1}
24. C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe MD5={8FB740D758B14B1BC950CC347C21E461}
25. C:\Program Files\Ahead\InCD\InCD.exe MD5={CF508A3971DECEEC1CE575DDDCA4A019}
26. C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe MD5={C744293DFBE1A3347FEC5DBFE3FD123E}
27. C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe MD5={E616A6A6E91B0A86F2F6217CDE835FFE}
28. C:\WINDOWS\system32\ctfmon.exe MD5={24232996A38C0B0CF151C2140AE29FC8}
29. C:\Program Files\NoAdware5.0\NoAdware5.exe MD5={86C5E6EFDD561E371317DAF2F79A8C98}
30. C:\Program Files\Messenger\msmsgs.exe MD5={B53343FE60A33EE765C2476D50D27B26}
31. C:\WINDOWS\system32\wuauclt.exe MD5={F3E9065EB617A7E3A832A7976BFA021B}
32. C:\Program Files\Internet Explorer\iexplore.exe MD5={E7484514C0464642BE7B4DC2689354C8}
33. C:\Documents and Settings\Penny\Desktop\diagnostic.exe MD5={D4F28D5A9A777711B7D5A20AF3C57AA1}
-------------------------
End Running Processes

1. Start Page (IE) - http://softwarerefer...=...6Ojg5&lid=2
2. Default Page URL (IE) - http://www.microsoft...p...&ar=msnhome
3. Search Page - http://www.google.com
4. Search Bar - http://www.google.com/ie
5. Customize Search - http://ie.search.msn...st/srchcust.htm
6. Search Assistant - http://www.google.com/ie
7. Default Prefix - http://
8. Prefixes - http://
9. IE Toolbar - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} = C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll
10. IE Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} = c:\program files\google\googletoolbar3.dll
11. Extra Buttons - (No Name)
12. Extra Buttons - Popup Blocker
13. Extra Buttons - Messenger
14. IE Context Menu - E&xport to Microsoft Excel = res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
15. Hosts File - 127.0.0.1 localhost
16. BHO - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (No Name){761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
17. BHO - c:\program files\google\googletoolbar3.dll (No Name){AA58ED58-01DD-4d91-8333-CF10577473F7}
18. BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll (No Name){AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
19. BHO - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll [OsbornTech Popup Blocker]{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
20. Run(HKLM) - USRpdA C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
21. Run(HKLM) - CTSysVol C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
22. Run(HKLM) - P17Helper Rundll32 P17.dll,P17Helper
23. Run(HKLM) - UpdReg C:\WINDOWS\UpdReg.EXE
24. Run(HKLM) - SunJavaUpdateSched "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
25. Run(HKLM) - WinampAgent C:\Program Files\Winamp\winampa.exe
26. Run(HKLM) - RemoteControl "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
27. Run(HKLM) - InCD C:\Program Files\Ahead\InCD\InCD.exe
28. Run(HKLM) - NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
29. Run(HKLM) - 103 "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
30. Run(HKCU) - Creative Detector C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
31. Run(HKCU) - swg C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
32. Run(HKCU) - ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
33. Run(HKCU) - NoAdware5 "C:\Program Files\NoAdware5.0\NoAdware5.exe" :Scan:
34. Run(HKCU) - MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
35. Startup - desktop(2)(2).ini
36. Startup - desktop(2).ini
37. Startup - desktop(3).ini
38. Startup - desktop(4).ini
39. Global Startup - desktop(2)(2).ini
40. Global Startup - desktop(2).ini
41. Global Startup - desktop(3).ini
42. Global Startup - desktop(4).ini
43. Global Startup - Microsoft Office.lnk
44. DPF - {8AD9C840-044E-11D1-B3E9-00805F499D93} - http://java.sun.com/...ows-i586-jc.cab
45. DPF - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - http://java.sun.com/...indows-i586.cab
46. DPF - {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - http://java.sun.com/...indows-i586.cab
47. DPF - {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload.ma...ash/swflash.cab
48. Trusted Zones - msn.com
49. System Services - DcomLaunch = %SystemRoot%\system32\svchost -k DcomLaunch
50. System Services - FETND5BV = system32\DRIVERS\fetnd5bv.sys
51. System Services - gusvc = "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
52. System Services - InCDPass = System32\DRIVERS\InCDPass.sys
53. System Services - InCDsrv = C:\Program Files\Ahead\InCD\InCDsrv.exe
54. System Services - P17 = system32\drivers\P17.sys
55. System Services - USRpdA = system32\DRIVERS\USRpdA.sys
56. System Services - vmm = \??\C:\WINDOWS\system32\Drivers\vmm.sys
57. System Services - VPCNetS2 = system32\DRIVERS\VMNetSrv.sys
58. System Services - wscsvc = %SystemRoot%\System32\svchost.exe -k netsvcs
59. System Services - xmlprov = %SystemRoot%\System32\svchost.exe -k netsvcs

-------------------------
Installed LSPs
**No Unknown LSPs Found**
LSPs Finished
-----------------------------

-------------------------
Policies
Key Name : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,Value = NoDriveTypeAutoRun, ValueData = 145
Key Name : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum,Value = {BDEADF00-C265-11D0-BCED-00A0C90AB50F}, ValueData = 1
Key Name : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum,Value = {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}, ValueData = 1073741857
Key Name : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum,Value = {0DF44EAA-FF21-4412-828E-260A8728E7F1}, ValueData = 32
Key Name : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system,Value = shutdownwithoutlogon, ValueData = 1
Key Name : HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system,Value = undockwithoutlogon, ValueData = 1

-------------------------
End Policies


These Files can be uploaded
------------------------------------------

1. c:\program files\google\googletoolbar3.dll MD5(6319F2D4708DBCAE37CFA03DA10782C0)
2. C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll MD5(70FD57D6EDBED8D80C1995257C99D27E)
3. c:\program files\google\googletoolbar3.dll MD5(6319F2D4708DBCAE37CFA03DA10782C0)
4. C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll MD5(1DC47CA76A0FFEAA25B45DE5706F2115)
5. C:\WINDOWS\SYSTEM32\USRmlnkA.exe MD5(3455E6FBF1A7C0E97666B874642C75BE)
6. C:\WINDOWS\UpdReg.EXE MD5(C419DF63E0121D72411285780C2FC6CC)
7. C:\Program Files\Winamp\winampa.exe MD5(F0537722502644B590CC499ECF26FAD1)
8. C:\Program Files\Ahead\InCD\InCD.exe MD5(CF508A3971DECEEC1CE575DDDCA4A019)
9. C:\WINDOWS\system32\NeroCheck.exe MD5(3E4C03CEFAD8DE135263236B61A49C90)
10. C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe MD5(E616A6A6E91B0A86F2F6217CDE835FFE)
11. C:\WINDOWS\system32\ctfmon.exe MD5(24232996A38C0B0CF151C2140AE29FC8)
#2 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Hello penelopepony,

  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

#3 penelopepony (Topic Starter, Member, 118 posts)
Thanks again, so very much.

Sorry to be so slow on my end. T-W-Th are my 12-hour shift nights, and Mondays are usually Mondays for me :). Then this week was a bit more complicated: Tuesday I had to go to my home town and deal with my fiance after he had to see his mother (I've learned to go to the library and check emails or something), but then there's the aftermath :).

Here is my report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:41 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O3 - Toolbar: Defender Pro Anti-Scam - {102BAD8B-CD05-46ff-94FF-A2C1ABD5F7D5} - C:\Program Files\Defender Pro\Defender Pro Anti-Scam\mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [103] "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware5.0\NoAdware5.exe" :Scan:
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: desktop(2)(2).ini (User 'SYSTEM')
O4 - S-1-5-18 Startup: desktop(2).ini (User 'SYSTEM')
O4 - S-1-5-18 Startup: desktop(3).ini (User 'SYSTEM')
O4 - .DEFAULT Startup: desktop(2)(2).ini (User 'Default user')
O4 - .DEFAULT Startup: desktop(2).ini (User 'Default user')
O4 - .DEFAULT Startup: desktop(3).ini (User 'Default user')
O4 - Startup: desktop(2)(2).ini
O4 - Startup: desktop(2).ini
O4 - Startup: desktop(3).ini
O4 - Startup: desktop(4).ini
O4 - Global Startup: desktop(2)(2).ini
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: desktop(3).ini
O4 - Global Startup: desktop(4).ini
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://games.amishdonkey.com
O15 - Trusted Zone: http://www.amishdonkey.com
O15 - Trusted Zone: http://www.casinofunforfree.com
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.godaddy.com
O15 - Trusted Zone: http://www.java.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://email.secureserver.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{81AD278B-277A-4383-9BFE-0CE86AA19B8D}: NameServer = 216.226.19.11 216.226.19.12
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4849 bytes

Over the weekend I contacted my web host provider (GoDaddy) to see what they might see on their end, reset my passwords, and tried to update my casino site, www.casinofunforfree.com, but my system never seemed to load it. For the house-for-sale site (www.oklahomarealestates.us), even though we're supposed to have it selling and I know the bank will be looking at it, the trojan re-entered an older, not so polished version, and in short, it's still a mess.

LAVASOFT AD-AWARE is the only adware remover that should still be in use; DEFENDER and NOADWARE.NET should be off the system, as they only helped cause some issues.

TY again, penelopepony

Edited by penelopepony, 13 September 2007 - 12:39 PM.

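A small triage helper for the HijackThis log format posted in this thread, added here as an example; it is not part of the thread, of HijackThis, or of the diagnostic tool. The sample lines are copied from the log above, and the allowlist of intentionally trusted sites is an assumption for the demonstration.

```python
import re

# HijackThis reports each item as "O<n> - <description>"; this pattern splits them.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed allowlist: Trusted Zone hosts the user confirms were added on purpose.
TRUSTED_ALLOWLIST = {"www.ebay.com", "www.godaddy.com", "www.java.com",
                     "www.msn.com", "email.secureserver.net"}

# Sample input: lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [103] "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
O4 - Startup: desktop(2)(2).ini
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: http://www.casinofunforfree.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{81AD278B-277A-4383-9BFE-0CE86AA19B8D}: NameServer = 216.226.19.11 216.226.19.12
"""


def parse_entries(text):
    """Return (section, body) tuples for every O-line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(text):
    """Apply simple triage rules; return a list of (section, reason, body)."""
    findings = []
    for section, body in parse_entries(text):
        if "(file missing)" in body:
            # HijackThis marks registry entries whose target file no longer exists.
            findings.append((section, "orphaned entry: referenced file is missing", body))
        elif section == "O4" and re.search(r"Startup: desktop(\(\d+\))+\.ini$", body):
            # Startup folders normally hold shortcuts, not desktop(n).ini files.
            findings.append((section, "non-shortcut file in a Startup folder", body))
        elif section == "O4" and re.search(r"\\Run: \[\d+\]", body):
            findings.append((section, "Run value with a purely numeric name", body))
        elif section == "O15":
            host = re.sub(r"^https?://", "", body.split("Trusted Zone: ", 1)[-1])
            if host not in TRUSTED_ALLOWLIST:
                # Trusted Zone relaxes IE security settings for that site.
                findings.append((section, "Trusted Zone site not on allowlist", body))
        elif section == "O17":
            servers = body.split("NameServer = ", 1)[-1].split()
            findings.append((section, "DNS servers to verify with the ISP: " + ", ".join(servers), body))
    return findings
```

The rules only surface items for a human to check; none of them decides on its own that an entry is malicious.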





