Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

something is wrong with my computer, please help


  • This topic is locked This topic is locked

#1
jennefur8675

jennefur8675

    Member

  • Member
  • PipPip
  • 79 posts
I am a new member and I am unfamiliar with this infection. I have tons of pop-ups, a blue desktop wallpaper screen that reads "Security Warning" and says trojan-spy smitfraud, etc :tazz:. It willnot let me change the wallpaper, and it hijacked my homepage to quicknavigate.com. I am lost on what yo do, I have tried reading through previous posts, but it seems like you need to view each persons HJT logs individually, so I am posting mine. Please help me!!! ;) Thanks!!



Logfile of HijackThis v1.99.1
Scan saved at 2:49:11 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\SCARDS32.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\popuper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\Windows\System32\hp5E6C.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSN Messenger] C:\Windows\System32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\StarBand\Internet Page Accelerator\RPAService.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\Windows\SCARDS32.EXE





THANKS!
  • 0

Advertisements


#2
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
I followed the instructions on how to use HJT and this is what I got, someone please help, I am so lost!




Logfile of HijackThis v1.99.1
Scan saved at 2:49:11 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\SCARDS32.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\popuper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\Windows\System32\hp5E6C.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSN Messenger] C:\Windows\System32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intelģ NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\StarBand\Internet Page Accelerator\RPAService.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\Windows\SCARDS32.EXE
  • 0

#3
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello jennefur8675 and welcome to Geeks to Go.

Please note that I have merged both of your posts into this single thread so that you donít get two people trying to help you at the same time. Looking at your log, I counted at least 8 separate infections. I am therefore going to employ the services of a couple of automated programmes to clean some of it, and Iíll take care of whatever is left over. Now if you are ready, letís get fixing!

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CWShredder
CCleaner
Ewido Security Suite

Now please install CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about.

Install Ewido Security Suite (it is a 14-day trial version of the programme).
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The programme will prompt you to update click the OK button
  • The programme will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the programme scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop and include it in your reply.
There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Post back a fresh HijackThis log and also an Uninstall Log:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click Save List (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

and I will take another look.
  • 0

#4
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
Thanks Phil, I will try this now and post a reply shortly!
  • 0

#5
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
Ok, I did what you told me to, and I ran CWSHredder and it did not find anything. I ran Ewido and CCleaner also, following are all the logs. Thanks!


--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:00:01 AM, 5/14/2005
+ Report-Checksum: 51D8DE3D

+ Date of database: 5/14/2005
+ Version of scan engine: v3.0

+ Duration: 27 min
+ Scanned Files: 64116
+ Speed: 38.93 Files/Second
+ Infected files: 50
+ Removed files: 50
+ Files put in quarantine: 50
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NX0DHMVY\ncal[1].exe -> TrojanDropper.Small.um -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\S-1-5-21-557728558-514352727-2020637620-500\Dc20.exe -> Spyware.Agent.cr -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP840\A0106788.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP840\A0106801.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP840\A0106826.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP840\A0106848.dll -> Spyware.MaidBar.b -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP841\A0106869.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP859\A0107439.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP859\A0107455.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP859\A0107544.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP859\A0107550.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP859\A0107556.exe -> Trojan.Puper.e -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP860\A0107576.exe -> Trojan.Puper.e -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP861\A0107594.exe -> Trojan.Puper.e -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP861\A0107600.exe -> Trojan.Puper.d -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP862\A0108852.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP862\A0108863.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP863\A0108891.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP864\A0108899.exe -> Dialer.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP864\A0108965.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP864\A0108975.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP864\A0108985.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP864\A0108988.dll -> Spyware.WildTangent.b -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP865\A0109048.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP866\A0109071.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP866\A0109073.exe -> Trojan.Agent.dv -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP866\A0109089.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP867\A0109099.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP867\A0109111.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP867\A0109120.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP868\A0109130.exe -> TrojanDownloader.Zlob.i -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP868\A0109142.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP869\A0109155.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP869\A0109162.exe -> Trojan.Puper.a -> Cleaned with backup
C:\System Volume Information\_restore{B22743D3-F062-426E-B1F6-9338BC116202}\RP870\A0109187.exe -> Trojan.Puper.a -> Cleaned with backup
C:\WINDOWS\system32\hp99FF.tmp -> Trojan.Puper.g -> Cleaned with backup
C:\WINDOWS\system32\hpC328.tmp -> Trojan.Puper.g -> Cleaned with backup
C:\WINDOWS\system32\intmon.exe -> Trojan.Puper.a -> Cleaned with backup
C:\WINDOWS\system32\ole32vbs.exe -> Trojan.Favadd.v -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__shnlog.exe -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End







Logfile of HijackThis v1.99.1
Scan saved at 11:06:04 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\SCARDS32.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.starband.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\Windows\System32\hpC328.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\StarBand\Internet Page Accelerator\RPAService.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\Windows\SCARDS32.EXE








D Groove Playback Engine
Ad-aware 6 Personal
Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0
AVG Free Edition
Card Station
ccCommon
CCleaner (remove only)
CentraOne
ChainCast Proxy (remove only)
CHIPDRIVE - terminal driver V2.14.39
ewido security suite
HijackThis 1.99.1
Intel® 845G Chipset Graphics Driver Software
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Internet Worm Protection
Java 2 Runtime Environment Standard Edition v1.3
Java 2 Runtime Environment Standard Edition v1.3.0_05
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment, SE v1.4.2
Java Web Start
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Office 2000 SR-1 Small Business
Microsoft PowerPoint Viewer 97
Microsoft Windows Journal Viewer
MSN Gaming Zone
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Outlook Express Update Q330994
QuickTime
RealPlayer
Search Assistant - My Web Search
Shockwave
SoundMAX
SPBBC
Spybot - Search & Destroy 1.3
Symantec
Symantec Script Blocking Installer
SymNet
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
Yahoo! Anti-Spy
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v4
Yahoo! Toolbar

Edited by jennefur8675, 14 May 2005 - 10:25 AM.

  • 0

#6
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
Since I have been infected, I cannot change my desktop backgound, it hijacked my home page, and I cannot get into any Yahoo site, it closes my browser down when accessing anything Yahoo. I have to go to Google to gte to any web page, I cannot just type a URL in the browser, I get QuickNavigate. Just wanted you to know.
  • 0

#7
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Jennifur

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

Two things of note about your current log are that you have two antivirus programmes running (Norton and AVG), not good practice since they will interfere with each other; youíll have to choose one and uninstall the other. The other thing was that you do still have a CWS infection and yet CWShredder came up blank. Letís see what we can do this time.

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

Hoster

Now please open CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about.

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\Windows\System32\hpC328.tmp (file missing)
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe
O9 - Extra button: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please remove this entry from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Search Assistant - My Web Search

Please notify me of any other programmes that you donít recognise in that list in your next response

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

C:\Windows\System32\hpC328.tmp
c:\bsw.exe - please use search to locate this file

Close Windows Explorer and Reboot normally.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Post back a fresh HijackThis log and I will take another look.

Edited by Crustyoldbloke, 14 May 2005 - 01:13 PM.

  • 0

#8
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
ok, well i reran cwshredder - nothing again

i ran hoster

i checked the boxes you wanted me to on hjt and hit fix checked

rebooted in safe mode

tried to remove search assistant - my web search, it will not remove, i tried about 5 times. i just get a blank window when i hit remove. The top of the window says res://c:\progra~1mywebs~1\srchastt\1.bin\mwssrcas.dll/101

No other progams look suspicious

I tried to locate the 2 files, but non were found.

I rebooted normally, ran hjt and here is my new log. do you want me to hide the system files again now?

Thanks!




Logfile of HijackThis v1.99.1
Scan saved at 3:22:35 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\SCARDS32.EXE
C:\Windows\System32\wuauclt.exe
C:\Windows\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Administrator\Desktop\HJT.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.starband.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\StarBand\Internet Page Accelerator\RPAService.exe (file missing)
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\Windows\SCARDS32.EXE
  • 0

#9
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix will require you to be in Safe Mode, which may not allow you to access the Internet, or my instructions!

So you opted for AVG over Norton, I thought you would. The log is looking better, however the CWS infection is still present. Letís try a slightly different approach.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

About:Buster
Ad-aware SE Personal

Please install Ad-Aware. Configure, and run a FULL Ad-Aware scan using the following configuration below
  • Check for Update
  • Click Start
  • Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
  • It will list malware files and registry keys. Click Next.
  • Under the Critical Objects tab, rightclick in the list, choose Select All, then Next.
  • It will ask for verification of checked items-. Choose OK.
  • Close Ad-Aware, Shut down and restart your system.
Install About:Buster by RubbeRDuckyUnzip the contents of AboutBuster.zip and an AboutBuster directory will be created. Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click OK at the prompt with instructions.
Click Update and then Check For Update to begin the update process.
If any updates exist please download them by clicking Download Update then click the X to close that window.
Now close About:Buster
Boot into Safe Mode (Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode).

Please run About:Buster by RubbeRDuckYClick Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Now please open CWShredder, and run it. Click Check For Update, then Fix and then OK followed by Next, let it fix everything it asks about.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O9 - Extra button: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31BD0436-0C98-408A-B1B5-848D9CA8FB2E} - (no file) (HKCU)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: RPAService - Unknown owner - C:\Program Files\StarBand\Internet Page Accelerator\RPAService.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode again.

Please remove this entry from Add/Remove Programs in the Control Panel (if present):(click Start>Settings>Control Panel)

Search Assistant - My Web Search

Close Windows Explorer and Reboot normally.

Post back a fresh [b]HijackThis log
and I will take another look.
  • 0

#10
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
I already have AdAware 6.0 on my computer and evertime I run it, it comes up with nothing.

I tried to run it as you state here -->


Select Perform Full System Scan and hit Next to let Ad-Aware scan your drives.
It will list malware files and registry keys. Click Next.
Under the Critical Objects tab, rightclick in the list, choose Select All, then Next.
It will ask for verification of checked items-. Choose OK.
Close Ad-Aware, Shut down and restart your system.


BUT I do not have these options. I checked for updates, and none were found, but I do not have th option to perform full system scan. What do I do now?
  • 0

#11
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
I ran CWShredder again nothing came up. I deleted all the files in HJT that you said, and I tried to remove the Search Assistant, it still will not let me remove it......here is the latest HJT log.....thanks



Logfile of HijackThis v1.99.1
Scan saved at 3:01:24 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Windows\SCARDS32.EXE
C:\WINDOWS\system32\userinit.exe
C:\Windows\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\NMSSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Administrator\Desktop\HJT.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Microsoft Internet Explorer provided by StarBand
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file

missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog

Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog

Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions

present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel

present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should

be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should

be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should

be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should

be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should

be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class)

-

http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy

Upload Tool Class) -

http://us.dl1.yimg.c...ropper/ydropper

1_4us.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1

}: NameServer = 206.222.53.1,206.222.53.3
O17 -

HKLM\System\CS1\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1

}: NameServer = 206.222.53.1,206.222.53.3
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation -

C:\Windows\System32\NMSSvc.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems

- C:\Windows\SCARDS32.EXE
  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Please note the download for Ad-Aware SE Personal is not the same as version 6.0.

Please post a fresh HJT log without all the gaps and spare lines as it is virtually impossible to read.

Before reposting your log:please ensure that you have logged on with administrator rights,
please set your system to show all files
please use the search function to find and delete this file:
mwssrcas.dll

Please preview your post to ensure it looks OK before pressing the ADD REPLY button.

Thanks.
  • 0

#13
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
Ok, I installed AdAware SE, ran it and it found & deleted 50 new critical objects.

I reran Buster twice with no ads found.

I reran CWShredder with none found.

Tred to delete Search Assistant in Add/Remove programs, but it still would not remove.

Here is the newest HJT log.....thanks



Logfile of HijackThis v1.99.1
Scan saved at 4:09:14 PM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\SCARDS32.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Windows\System32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Windows\System32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{07345093-68FD-45B3-9653-BC5B09E932C1}: NameServer = 206.222.53.1,206.222.53.3
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - SCM Microsystems - C:\Windows\SCARDS32.EXE
  • 0

#14
jennefur8675

jennefur8675

    Member

  • Topic Starter
  • Member
  • PipPip
  • 79 posts
I also have my desktop wallpaper back and my internet explorer goes to my homepage again!
  • 0

#15
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

OK we're nearly there now. Let's just see if we can remove those sites from a trusted zone; the rest of it is OK..

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zon

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot.

Try and uninstall the programme "Search Assistent" again; it should go this time, and were you able to delete this file: mwssrcas.dll ?

Post back a fresh HijackThis log and I will take another look.




"Edit,
As there has been no reply from the original poster this topic is now closed,
Should you have any further problems please create a new Topic,

Thanks "

Edited by Crustyoldbloke, 26 May 2005 - 02:44 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP