Logfile of HijackThis v1.99.1
Scan saved at 18:21:34, on 20/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\ntlw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon Daniels\My Documents\Various Programs\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe

I am getting constant popups coming from the internet temps folder.

My virus vault log file:
;"";"Trojan horse Downloader.Agent.HW";"C:\WINDOWS\ieni32.dll";"20/06/2005 17:52:54";"ieni32.dll";"122 KB"
;"";"Trojan horse Downloader.Agent.HU";"C:\WINDOWS\ntlw.exe";"20/06/2005 17:52:57";"ntlw.exe";"16.24 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\zdqax.dll";"14/06/2005 18:35:43";"zdqax.dll";"65 KB"
;"";"Trojan horse Downloader.Agent.HE";"C:\WINDOWS\apigm.dll";"20/06/2005 17:53:37";"apigm.dll";"75.1 KB"
;"";"Trojan horse Downloader.Agent.HW";"C:\WINDOWS\system32\mscx32.dll";"20/06/2005 17:55:48";"mscx32.dll";"122 KB"
;"";"Trojan horse Downloader.Agent.HO";"C:\WINDOWS\addcg32.dll";"20/06/2005 17:56:12";"addcg32.dll";"110 KB"
;"";"Trojan horse Downloader.Agent.HE";"C:\WINDOWS\adddi.dll";"20/06/2005 17:56:37";"adddi.dll";"75.1 KB"
;"";"Trojan horse Downloader.Agent.HO";"C:\WINDOWS\addqn.dll";"20/06/2005 17:56:50";"addqn.dll";"110.27 KB"
;"";"Trojan horse Downloader.Agent.HV";"C:\WINDOWS\addrb32.exe";"20/06/2005 17:57:04";"addrb32.exe";"11 KB"
;"";"Trojan horse Downloader.Agent.HO";"C:\WINDOWS\addrj32.dll";"20/06/2005 17:57:06";"addrj32.dll";"110 KB"
;"";"Trojan horse Downloader.Agent.HW";"C:\WINDOWS\appej32.dll";"20/06/2005 17:58:03";"appej32.dll";"122 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\xrnyh.dll";"15/06/2005 08:02:45";"xrnyh.dll";"65 KB"
;"";"Trojan horse Downloader.Agent.HO";"C:\WINDOWS\crce.dll";"20/06/2005 18:00:33";"crce.dll";"110 KB"
;"";"Trojan horse Downloader.Agent.HU";"C:\WINDOWS\crcy.exe";"20/06/2005 18:00:35";"crcy.exe";"16 KB"
;"";"Trojan horse Downloader.Agent.HU";"C:\WINDOWS\crhx32.exe";"20/06/2005 18:00:37";"crhx32.exe";"16.89 KB"
;"";"Trojan horse Downloader.Agent.HO";"C:\WINDOWS\crkz.dll";"20/06/2005 18:00:38";"crkz.dll";"110 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\pcexe.dll";"14/06/2005 18:51:49";"pcexe.dll";"65 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\pcexe.dll";"14/06/2005 18:53:13";"pcexe.dll";"65 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\mhins.dll";"14/06/2005 18:55:50";"mhins.dll";"65 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\ihhfs.dll";"13/06/2005 19:51:48";"ihhfs.dll";"65 KB"
;"";"Trojan horse Startpage.19.AO";"C:\WINDOWS\system32\cqvwn.dll";"14/06/2005 22:13:28";"cqvwn.dll";"65 KB"

Ad-Aware list of critical objects:
Ad-Aware SE Scanning Result, 20-06-2005 18:39:06
Name Type Category Object Comment
CoolWebSearch Regkey Malware HKEY_CLASSES_ROOT:clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\
Tracking Cookie IECache Entry Data Miner Cookie:jon [email protected]/ Hits:4
CoolWebSearch File Malware C:\WINDOWS\ktkfl.txt
CoolWebSearch File Malware C:\WINDOWS\system32\cyrmj.log
CoolWebSearch File Malware C:\WINDOWS\system32\hdxry.txt
Possible Browser Hijack attempt File Misc C:\Documents and Settings\Jon Daniels\Favorites\Only sex website.url Problematic URL discovered: http://www.onlysex.ws/
Possible Browser Hijack attempt File Misc C:\Documents and Settings\Jon Daniels\Favorites\Search the web.url Problematic URL discovered: http://www.lookfor.cc/
Possible Browser Hijack attempt File Misc C:\Documents and Settings\Jon Daniels\Favorites\Seven days of free [bleep].url Problematic URL discovered: http://www.7days.ws/
CoolWebSearch Regkey Malware HKEY_LOCAL_MACHINE:software\microsoft\internet explorer\urlsearchhooks\
CoolWebSearch RegValue Malware HKEY_LOCAL_MACHINE:software\microsoft "set"
CoolWebSearch RegValue Malware HKEY_LOCAL_MACHINE:software\microsoft\internet explorer\main "Use Search Asst"
CoolWebSearch RegData Malware HKEY_CURRENT_USER:software\microsoft\internet explorer\main"Use Search Asst" (no)
CoolWebSearch RegData Malware HKEY_LOCAL_MACHINE:software\microsoft\internet explorer\main"Use Search Asst" (no)
CoolWebSearch File Malware C:\WINDOWS\system32\wbem\logs\wbemess.log

Someone please help!