about:blank, CWS res:// and some others [RESOLVED]


This topic is locked

#1 ace_porate (Member, 223 posts)
Hey guys. I'm helping my roommate out here and when I got on his computer today I was appalled. I had no idea how much malware he had going, and I kind of felt insulted he hadn't asked me for help earlier, haha. Anyway, here's the HJT.

Logfile of HijackThis v1.99.1
Scan saved at 7:25:14 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sysay32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\d3fb32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {06754FA7-8F1B-677F-65E3-8B2ACBC90342} - C:\WINDOWS\system32\javajs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {3538678A-BDB3-602E-C7FF-6CAB5FA168EC} - C:\WINDOWS\system32\netrk32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {771317EF-0B4F-CF0A-0367-88AF1EDB349F} - C:\WINDOWS\sdkqr32.dll (file missing)
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [iepm32.exe] C:\WINDOWS\iepm32.exe
O4 - HKLM\..\Run: [winyu.exe] C:\WINDOWS\system32\winyu.exe
O4 - HKLM\..\Run: [ntsl.exe] C:\WINDOWS\ntsl.exe
O4 - HKLM\..\Run: [addmk.exe] C:\WINDOWS\system32\addmk.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ieue32.exe] C:\WINDOWS\system32\ieue32.exe
O4 - HKLM\..\Run: [d3ib.exe] C:\WINDOWS\system32\d3ib.exe
O4 - HKLM\..\Run: [winuh.exe] C:\WINDOWS\winuh.exe
O4 - HKLM\..\Run: [mfcmj.exe] C:\WINDOWS\system32\mfcmj.exe
O4 - HKLM\..\Run: [mfcjv32.exe] C:\WINDOWS\mfcjv32.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ntcj32.exe] C:\WINDOWS\system32\ntcj32.exe
O4 - HKLM\..\Run: [appfd32.exe] C:\WINDOWS\system32\appfd32.exe
O4 - HKLM\..\Run: [mfcbu32.exe] C:\WINDOWS\system32\mfcbu32.exe
O4 - HKLM\..\Run: [sdksg.exe] C:\WINDOWS\system32\sdksg.exe
O4 - HKLM\..\Run: [mfctp32.exe] C:\WINDOWS\system32\mfctp32.exe
O4 - HKLM\..\Run: [addpb32.exe] C:\WINDOWS\system32\addpb32.exe
O4 - HKLM\..\Run: [crso32.exe] C:\WINDOWS\system32\crso32.exe
O4 - HKLM\..\Run: [d3kf.exe] C:\WINDOWS\system32\d3kf.exe
O4 - HKLM\..\Run: [ieuc.exe] C:\WINDOWS\system32\ieuc.exe
O4 - HKLM\..\Run: [msty.exe] C:\WINDOWS\msty.exe
O4 - HKLM\..\Run: [netyq32.exe] C:\WINDOWS\system32\netyq32.exe
O4 - HKLM\..\Run: [winyw.exe] C:\WINDOWS\system32\winyw.exe
O4 - HKLM\..\Run: [d3ko32.exe] C:\WINDOWS\d3ko32.exe
O4 - HKLM\..\Run: [d3wt32.exe] C:\WINDOWS\d3wt32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [atlee.exe] C:\WINDOWS\atlee.exe
O4 - HKLM\..\Run: [ieyl32.exe] C:\WINDOWS\ieyl32.exe
O4 - HKLM\..\Run: [ntor32.exe] C:\WINDOWS\ntor32.exe
O4 - HKLM\..\Run: [systa.exe] C:\WINDOWS\system32\systa.exe
O4 - HKLM\..\Run: [addiv.exe] C:\WINDOWS\addiv.exe
O4 - HKLM\..\Run: [ieru.exe] C:\WINDOWS\system32\ieru.exe
O4 - HKLM\..\Run: [winkh32.exe] C:\WINDOWS\winkh32.exe
O4 - HKLM\..\Run: [javapr32.exe] C:\WINDOWS\javapr32.exe
O4 - HKLM\..\Run: [ipoi32.exe] C:\WINDOWS\ipoi32.exe
O4 - HKLM\..\Run: [croo32.exe] C:\WINDOWS\croo32.exe
O4 - HKLM\..\Run: [creg32.exe] C:\WINDOWS\system32\creg32.exe
O4 - HKLM\..\Run: [javaro32.exe] C:\WINDOWS\javaro32.exe
O4 - HKLM\..\Run: [adddp32.exe] C:\WINDOWS\adddp32.exe
O4 - HKLM\..\Run: [appvt32.exe] C:\WINDOWS\appvt32.exe
O4 - HKLM\..\Run: [sysxf.exe] C:\WINDOWS\system32\sysxf.exe
O4 - HKLM\..\Run: [atlwy.exe] C:\WINDOWS\system32\atlwy.exe
O4 - HKLM\..\Run: [iezf.exe] C:\WINDOWS\iezf.exe
O4 - HKLM\..\Run: [d3nn32.exe] C:\WINDOWS\system32\d3nn32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winpu32.exe] C:\WINDOWS\system32\winpu32.exe
O4 - HKLM\..\Run: [msye32.exe] C:\WINDOWS\system32\msye32.exe
O4 - HKLM\..\Run: [ippd.exe] C:\WINDOWS\ippd.exe
O4 - HKLM\..\Run: [atlem.exe] C:\WINDOWS\atlem.exe
O4 - HKLM\..\Run: [d3fb32.exe] C:\WINDOWS\system32\d3fb32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117575658804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127682259169
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 Cloutz (Visiting Staff, 547 posts)
Hi there ace_porate,

I'm currently working on your log, and as soon as another staff member reviews it I'll post a reply.

Thank you for your patience.

Nick :tazz:

#3 Cloutz (Visiting Staff, 547 posts)
Hi ace_porate,

Please print out this post so that you have a hard copy of these instructions. You will need to keep Internet Explorer and Windows Explorer (including My Computer) closed throughout the entire process.

Please download Intermute's CWShredder from here:
http://cwshredder.ne.../CWShredder.exe
Save it to the desktop but do NOT run it yet.

Then please download About:Buster from here:
http://www.malwareby...AboutBuster.zip
Unzip it to the desktop, run it, Check for Updates, and update the files, but do NOT run a scan yet.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please run CWShredder, and click Fix.

Then please run About:Buster and click Start to begin the scan. If prompted to end the Explorer.exe process, click Yes. Your desktop may disappear --- this is normal. Allow the program to scan twice, and when complete click "Save Log". This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved. I will want to see this logfile later.

Then please run Ewido, and run a full scan. Save the log from the scan for me.

Finally, please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {06754FA7-8F1B-677F-65E3-8B2ACBC90342} - C:\WINDOWS\system32\javajs.dll
O2 - BHO: Class - {3538678A-BDB3-602E-C7FF-6CAB5FA168EC} - C:\WINDOWS\system32\netrk32.dll
O2 - BHO: Class - {771317EF-0B4F-CF0A-0367-88AF1EDB349F} - C:\WINDOWS\sdkqr32.dll (file missing)
O4 - HKLM\..\Run: [iepm32.exe] C:\WINDOWS\iepm32.exe
O4 - HKLM\..\Run: [winyu.exe] C:\WINDOWS\system32\winyu.exe
O4 - HKLM\..\Run: [ntsl.exe] C:\WINDOWS\ntsl.exe
O4 - HKLM\..\Run: [addmk.exe] C:\WINDOWS\system32\addmk.exe
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor
O4 - HKLM\..\Run: [SpyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent
O4 - HKLM\..\Run: [ieue32.exe] C:\WINDOWS\system32\ieue32.exe
O4 - HKLM\..\Run: [d3ib.exe] C:\WINDOWS\system32\d3ib.exe
O4 - HKLM\..\Run: [winuh.exe] C:\WINDOWS\winuh.exe
O4 - HKLM\..\Run: [mfcmj.exe] C:\WINDOWS\system32\mfcmj.exe
O4 - HKLM\..\Run: [mfcjv32.exe] C:\WINDOWS\mfcjv32.exe
O4 - HKLM\..\Run: [ntcj32.exe] C:\WINDOWS\system32\ntcj32.exe
O4 - HKLM\..\Run: [appfd32.exe] C:\WINDOWS\system32\appfd32.exe
O4 - HKLM\..\Run: [mfcbu32.exe] C:\WINDOWS\system32\mfcbu32.exe
O4 - HKLM\..\Run: [sdksg.exe] C:\WINDOWS\system32\sdksg.exe
O4 - HKLM\..\Run: [mfctp32.exe] C:\WINDOWS\system32\mfctp32.exe
O4 - HKLM\..\Run: [addpb32.exe] C:\WINDOWS\system32\addpb32.exe
O4 - HKLM\..\Run: [crso32.exe] C:\WINDOWS\system32\crso32.exe
O4 - HKLM\..\Run: [d3kf.exe] C:\WINDOWS\system32\d3kf.exe
O4 - HKLM\..\Run: [ieuc.exe] C:\WINDOWS\system32\ieuc.exe
O4 - HKLM\..\Run: [msty.exe] C:\WINDOWS\msty.exe
O4 - HKLM\..\Run: [netyq32.exe] C:\WINDOWS\system32\netyq32.exe
O4 - HKLM\..\Run: [winyw.exe] C:\WINDOWS\system32\winyw.exe
O4 - HKLM\..\Run: [d3ko32.exe] C:\WINDOWS\d3ko32.exe
O4 - HKLM\..\Run: [d3wt32.exe] C:\WINDOWS\d3wt32.exe
O4 - HKLM\..\Run: [atlee.exe] C:\WINDOWS\atlee.exe
O4 - HKLM\..\Run: [ieyl32.exe] C:\WINDOWS\ieyl32.exe
O4 - HKLM\..\Run: [ntor32.exe] C:\WINDOWS\ntor32.exe
O4 - HKLM\..\Run: [systa.exe] C:\WINDOWS\system32\systa.exe
O4 - HKLM\..\Run: [addiv.exe] C:\WINDOWS\addiv.exe
O4 - HKLM\..\Run: [ieru.exe] C:\WINDOWS\system32\ieru.exe
O4 - HKLM\..\Run: [winkh32.exe] C:\WINDOWS\winkh32.exe
O4 - HKLM\..\Run: [javapr32.exe] C:\WINDOWS\javapr32.exe
O4 - HKLM\..\Run: [ipoi32.exe] C:\WINDOWS\ipoi32.exe
O4 - HKLM\..\Run: [croo32.exe] C:\WINDOWS\croo32.exe
O4 - HKLM\..\Run: [creg32.exe] C:\WINDOWS\system32\creg32.exe
O4 - HKLM\..\Run: [javaro32.exe] C:\WINDOWS\javaro32.exe
O4 - HKLM\..\Run: [adddp32.exe] C:\WINDOWS\adddp32.exe
O4 - HKLM\..\Run: [appvt32.exe] C:\WINDOWS\appvt32.exe
O4 - HKLM\..\Run: [sysxf.exe] C:\WINDOWS\system32\sysxf.exe
O4 - HKLM\..\Run: [atlwy.exe] C:\WINDOWS\system32\atlwy.exe
O4 - HKLM\..\Run: [iezf.exe] C:\WINDOWS\iezf.exe
O4 - HKLM\..\Run: [d3nn32.exe] C:\WINDOWS\system32\d3nn32.exe
O4 - HKLM\..\Run: [winpu32.exe] C:\WINDOWS\system32\winpu32.exe
O4 - HKLM\..\Run: [msye32.exe] C:\WINDOWS\system32\msye32.exe
O4 - HKLM\..\Run: [ippd.exe] C:\WINDOWS\ippd.exe
O4 - HKLM\..\Run: [atlem.exe] C:\WINDOWS\atlem.exe
O4 - HKLM\..\Run: [d3fb32.exe] C:\WINDOWS\system32\d3fb32.exe

Close all open windows except for HijackThis and click "Fix Checked".

Then please restart your computer in Normal Mode, and post a new HijackThis log, as well as the logs from AboutBuster and Ewido.

Thanks,
Cloutz :tazz:
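The HijackThis entries Cloutz singles out in the post above (search settings served from a res:// page inside a DLL in the Windows folder, "Class"/"(no name)" BHOs in the Windows folder or already missing, and dozens of randomly named O4 Run entries) follow patterns a log reader learns to spot. The Python script below is an added example, not part of this thread and not part of HijackThis or any of the tools named here: it parses R0/R1/R3, O2 and O4 lines and flags entries matching those patterns. The prefix list, the random-name regex, the value-name-equals-file-name rule and the small allowlist are heuristics derived from the names in this thread, not a vendor signature, and they deliberately do not cover everything the helper fixed (the about:blank Default_Page_URL and the SpyFighter entries, for instance), so the output is a triage aid for a human reviewer rather than a verdict. The embedded sample log is a handful of lines copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# mixing infected entries with legitimate ones so both paths get exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\efyay.dll/sp.html#66987
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lmu.edu/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {06754FA7-8F1B-677F-65E3-8B2ACBC90342} - C:\WINDOWS\system32\javajs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {771317EF-0B4F-CF0A-0367-88AF1EDB349F} - C:\WINDOWS\sdkqr32.dll (file missing)
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [winyu.exe] C:\WINDOWS\system32\winyu.exe
O4 - HKLM\..\Run: [d3ko32.exe] C:\WINDOWS\d3ko32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

WIN_DIR = r"c:\windows"

# Heuristic for the random file names in this thread's O4 entries: a short
# legitimate-looking prefix, two to four random letters, an optional "32", then ".exe".
# Derived from the names in the log, not a vendor signature (assumption).
RANDOM_NAME = re.compile(
    r"^(win|sys|ie|d3|mfc|add|app|nt|net|atl|java|ip|cr|sdk|ms)[a-z]{2,4}(32)?\.exe$",
    re.IGNORECASE,
)
# Real Windows binaries the prefix pattern could otherwise match; extend per environment.
KNOWN_GOOD = {"ctfmon.exe", "msmsgs.exe"}

R_RE = re.compile(r"^R[01] - (?P<key>.*?) = (?P<value>.*)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe token of a Run command, with or without surrounding quotes
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _in_windows_dir(path: str) -> bool:
    """True when the path lives anywhere under the Windows folder."""
    return path.lower().startswith(WIN_DIR + "\\")


def is_random_name(filename: str) -> bool:
    """Random-looking executable name as seen in this thread, minus the allowlist."""
    return bool(RANDOM_NAME.match(filename)) and filename.lower() not in KNOWN_GOOD


def triage(log_text: str) -> list[Finding]:
    """Return the HijackThis lines that match the thread's hijack patterns, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_RE.match(line)
        if m:
            value = m.group("value")
            # res://<dll>/sp.html inside the Windows folder is the hijack shown in this thread
            if value.lower().startswith("res://") and _in_windows_dir(value[len("res://"):]):
                findings.append(Finding(line, "IE search setting served from a DLL in the Windows folder"))
            continue
        if line.startswith("R3 - ") and "missing" in line:
            findings.append(Finding(line, "default URLSearchHook removed"))
            continue
        m = O2_RE.match(line)
        if m:
            generic = m.group("name").strip().lower() in {"class", "(no name)"}
            odd_location = _in_windows_dir(m.group("path")) or m.group("missing") is not None
            if generic and odd_location:
                findings.append(Finding(line, "BHO without a real name in the Windows folder or already gone"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            if exe is None:
                continue
            path = exe.group("path")
            fname = path.rsplit("\\", 1)[-1]
            # The hijacker registered every file under a value name equal to its file name
            if _in_windows_dir(path) and is_random_name(fname) and m.group("name").lower() == fname.lower():
                findings.append(Finding(line, "randomly named Run entry in the Windows folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags the res:// Search Bar entry, the missing URLSearchHook, both "Class" BHOs and the two random-named Run entries, and leaves the HP, AVG, Acrobat and ctfmon lines alone; to use it on a real log, read the pasted text from a file and pass it to triage(). The value-name-equals-file-name rule costs some recall but keeps the random-name regex from misfiring on legitimate binaries that happen to share a prefix.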

#4 ace_porate (Topic Starter, Member, 223 posts)
New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:03:39 PM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {EE72118D-405B-F80E-60FC-ABE4266F3C23} - C:\WINDOWS\winnf.dll (file missing)
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sysdu.exe] C:\WINDOWS\sysdu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117575658804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127682259169
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



AboutBuster:

AboutBuster 5.1, reference file 33
Scan started on [12/2/2005] at [11:16:59 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\WINDOWS\wbacu.dat
Removed File! : C:\WINDOWS\nvsbun.dat
Removed File! : C:\WINDOWS\brkbo.dat
Removed File! : C:\WINDOWS\fzedlq.dat
Removed File! : C:\WINDOWS\xaxifa.dat
Removed File! : C:\WINDOWS\dqkzr.dat
Removed File! : C:\WINDOWS\qmjbus.dat
Removed File! : C:\WINDOWS\cgnrrf.dat
Removed File! : C:\WINDOWS\uhywtq.dat
Removed File! : C:\WINDOWS\zamls.dat
Removed File! : C:\WINDOWS\ahleru.dat
Removed File! : C:\WINDOWS\bgvwpo.dat
Removed File! : C:\WINDOWS\stffn.dat
Removed File! : C:\WINDOWS\lhobry.dat
Removed File! : C:\WINDOWS\kydyc.dat
Removed File! : C:\WINDOWS\ekumm.dat
Removed File! : C:\WINDOWS\xbxim.dat
Removed File! : C:\WINDOWS\kbnmo.dat
Removed File! : C:\WINDOWS\nwcga.dat
Removed File! : C:\WINDOWS\liphl.dat
Removed File! : C:\WINDOWS\eblwvp.dat
Removed File! : C:\WINDOWS\olaojx.dat
Removed File! : C:\WINDOWS\rmjms.dat
Removed File! : C:\WINDOWS\buzsv.dat
Removed File! : C:\WINDOWS\xqflcy.dat
Removed File! : C:\WINDOWS\artgwu.dat
Removed File! : C:\WINDOWS\mttxi.dat
Removed File! : C:\WINDOWS\vrurdw.dat
Removed File! : C:\WINDOWS\shtwpe.dat
Removed File! : C:\WINDOWS\tekfun.dat
Removed File! : C:\WINDOWS\tjfoot.dat
Removed File! : C:\WINDOWS\hrcfa.dat
Removed File! : C:\WINDOWS\kclase.dat
Removed File! : C:\WINDOWS\cjnzx.dat
Removed File! : C:\WINDOWS\dznnm.dat
Removed File! : C:\WINDOWS\uerqq.dat
Removed File! : C:\WINDOWS\zjmslu.dat
Removed File! : C:\WINDOWS\lrsref.dat
Removed File! : C:\WINDOWS\bclixp.dat
Removed File! : C:\WINDOWS\qbiqb.dat
Removed File! : C:\WINDOWS\nlydp.dat
Removed File! : C:\WINDOWS\dmgcq.dat
Removed File! : C:\WINDOWS\eavkyn.dat
Removed File! : C:\WINDOWS\naoawy.dat
Removed File! : C:\WINDOWS\system32\froyq.dat
Removed File! : C:\WINDOWS\system32\eipxs.dat
Removed File! : C:\WINDOWS\system32\axkti.dat
Removed File! : C:\WINDOWS\system32\nhtnz.dat
Removed File! : C:\WINDOWS\system32\yiwyv.dat
Removed File! : C:\WINDOWS\system32\kbkhr.dat
Removed File! : C:\WINDOWS\system32\fzahs.dat
Removed File! : C:\WINDOWS\system32\hkgvg.dat
Removed File! : C:\WINDOWS\system32\yfnbj.dat
Removed File! : C:\WINDOWS\system32\gxzjk.dat
Removed File! : C:\WINDOWS\system32\twbuv.dat
Removed File! : C:\WINDOWS\system32\hebat.dat
Removed File! : C:\WINDOWS\system32\bngjs.dat
Removed File! : C:\WINDOWS\system32\hleke.dat
Removed File! : C:\WINDOWS\system32\nrlpk.dat
Removed File! : C:\WINDOWS\system32\hvdms.dat
Removed File! : C:\WINDOWS\system32\mzvyv.dat
Removed File! : C:\WINDOWS\system32\sqkax.dat
Removed File! : C:\WINDOWS\system32\cyuni.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:19:46 AM


AboutBuster 5.1, reference file 33
Scan started on [12/2/2005] at [11:20:27 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:22:50 AM


The ewido scan found 1200 infected objects :tazz: and I checked out the scan and everything was cleaned with a backup.

#5 Cloutz (Visiting Staff, 547 posts)
Hi ace_porate,

Please scan with HijackThis, and check the following entries:
O2 - BHO: Class - {EE72118D-405B-F80E-60FC-ABE4266F3C23} - C:\WINDOWS\winnf.dll (file missing)
O4 - HKLM\..\Run: [sysdu.exe] C:\WINDOWS\sysdu.exe
Make sure no browser windows are open, and click "Fix Checked".

Enabling the Viewing of Hidden and System Files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Check Show hidden files and folders.
  • Uncheck Hide file extensions for known types.
  • Uncheck Hide protected operating system files.
  • Click Yes to confirm.
  • Click OK.

Next, delete the following files (if found):
C:\WINDOWS\winnf.dll
C:\WINDOWS\sysdu.exe

Disabling the Viewing of Hidden and System Files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect Show hidden files and folders.
  • Select Hide file extensions for known types.
  • Select Hide protected operating system files.
  • Click Yes to confirm.
  • Click OK.

And finally,

Please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.

Thanks,
Nick :tazz:

#6 ace_porate (Topic Starter, Member, 223 posts)
Hey Cloutz -
This has been fun to watch from both sides, haha. First posting, then watching the proposed fixes in GU. Anyway, good work. Hopefully I'll get there soon. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:36 AM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lmu.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117575658804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127682259169
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Incident                    Status           Location
Spyware:spyware/petro-line  Not disinfected  C:\Documents and Settings\Administrator\Favorites\SITES ABOUT\Credit counseling.url
Adware:adware/searchaid     Not disinfected  C:\Documents and Settings\Administrator\Favorites\Search the web.url
Adware:adware/cws.008k      Not disinfected  C:\WINDOWS\iedb.dll
Adware:adware/navipromo     Not disinfected  C:\WINDOWS\sdkcy32.exe
Adware:Adware/SearchAid     Not disinfected  C:\WINDOWS\rcjajb.dat
Adware:Adware/SearchAid     Not disinfected  C:\WINDOWS\sdkcy32.exe
Adware:Adware/SearchAid     Not disinfected  C:\WINDOWS\msbf32.exe

#7 Cloutz (Visiting Staff)

Hi ace_porate,

I noticed you are an upperclassman in GeekU also. :tazz:

Once you get to the CMF, it gets really fun. You end up learning even more and more everyday from every log you do. Trust me :)

Now, back to the logs.

Your HijackThis log looks good, but we just have some cleanup to do in the Active Scan.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Administrator\Favorites\SITES ABOUT\Credit counseling.url
C:\Documents and Settings\Administrator\Favorites\Search the web.url
C:\WINDOWS\iedb.dll
C:\WINDOWS\sdkcy32.exe
C:\WINDOWS\rcjajb.dat
C:\WINDOWS\sdkcy32.exe
C:\WINDOWS\msbf32.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.

Thanks,
Nick :)
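The "Delete on Reboot" step above is the part of this procedure worth understanding, because it is what lets a file that is locked or running (sysay32.exe and d3fb32.exe were both live in the first log) be removed at all. The script below is an added example, not Killbox's code and not something the post contains. It assumes the option works the way MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT does: the request is appended as a (source, destination) pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the source in \??\ NT form and an empty destination meaning delete, and smss.exe carries the list out early in the next boot, before user-mode malware can start and lock the file. The encoder and decoder run on any platform so you can inspect such a value offline; queue_delete_on_reboot needs Windows and administrator rights.

```python
"""Build, decode and (on Windows) queue PendingFileRenameOperations entries.

Added example, not Killbox's own code.  Assumption: "Delete on Reboot"
behaves like MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which
records (source, destination) string pairs in the REG_MULTI_SZ value below;
an empty destination means delete, and smss.exe applies the list at boot.
"""
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # kernel32.MoveFileExW flag


def nt_path(win_path):
    """C:\\dir\\file.exe -> \\??\\C:\\dir\\file.exe, the form stored in the value."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pending_deletes(paths):
    """Return the raw REG_MULTI_SZ bytes that delete each path at next boot.

    Layout: every string is NUL-terminated, operations are (source, dest)
    pairs, dest is the empty string for a delete, and one more NUL closes
    the list.  A path given twice (sdkcy32.exe appears twice in the scan
    results above) is queued once.
    """
    sources = []
    for p in paths:
        n = nt_path(p)
        if n not in sources:
            sources.append(n)
    if not sources:
        return "\x00".encode("utf-16-le")  # empty list: just the terminator
    strings = []
    for src in sources:
        strings.extend([src, ""])  # empty destination == delete
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def decode_pending_operations(data):
    """Parse raw value bytes into (kind, source, destination) tuples.

    kind is "delete" (empty destination), "replace" (destination prefixed
    with '!', i.e. MOVEFILE_REPLACE_EXISTING) or "rename".
    """
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("PendingFileRenameOperations is not NUL terminated")
    items = text[:-1].split("\x00")
    if items and items[-1] == "":
        items.pop()  # NUL after the last string is a terminator, not a separator
    if len(items) % 2:
        raise ValueError("odd number of strings: a source has no destination")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def queue_delete_on_reboot(path):
    """Do for one file what Killbox's Delete on Reboot does.

    Windows only, and the value lives under HKLM, so this needs
    administrator rights; the call fails cleanly otherwise.
    """
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()


if __name__ == "__main__":
    blob = encode_pending_deletes([r"C:\WINDOWS\iedb.dll", r"C:\WINDOWS\sdkcy32.exe"])
    for op in decode_pending_operations(blob):
        print(op)
```

When checking what is actually queued on a machine, read the value as raw bytes (a `reg export` of the key, or the decoder above) rather than through a generic REG_MULTI_SZ reader: readers that treat an empty string as the end of the list (Python's winreg, for one) stop at the first delete's empty destination and show only the first source.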

#8 ace_porate (Topic Starter)

HJT;

Logfile of HijackThis v1.99.1
Scan saved at 6:26:34 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lmu.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117575658804
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127682259169
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Incident                    Status           Location
Spyware:spyware/petro-line  Not disinfected  C:\Documents and Settings\Administrator\Favorites\SITES ABOUT\Insurance home.url
Adware:adware/searchaid     Not disinfected  C:\Documents and Settings\Administrator\Favorites\Only sex website.url
Adware:Adware/SearchAid     Not disinfected  C:\!KillBox\sdkcy32.exe
Adware:Adware/SearchAid     Not disinfected  C:\!KillBox\msbf32.exe
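The useful check at this point is not "is the second scan shorter" but "which of the earlier hits are gone, which are new, and which of the new ones are real". The script below is an added example, not part of the thread and not Panda's or Killbox's code. It parses ActiveScan result lines (the two scans embedded in it are the ones posted above) and diffs them by path. It assumes that C:\!KillBox\ is the folder Killbox keeps copies of the files it deleted in, so hits there are quarantine copies rather than live infections; the thread does not say this, so treat that folder as an assumption of the script.

```python
"""Parse Panda ActiveScan result lines and diff two scans by location.

Added example, not code from the thread, Panda or Killbox.  SCAN_BEFORE and
SCAN_AFTER are the results posted above; KILLBOX_BACKUP is an assumption.
"""
import re
from dataclasses import dataclass

# <category>:<name> <status> <location>.  The location is anchored on a drive
# letter, so a multi-word status ("Not disinfected") and a path containing
# spaces are both split correctly.
_LINE = re.compile(
    r"^(?P<category>[^:\s]+):(?P<name>\S+)\s+(?P<status>.+?)\s+"
    r"(?P<location>[A-Za-z]:\\.*\S)\s*$"
)

KILLBOX_BACKUP = "c:\\!killbox\\"  # assumed folder of Killbox's deleted-file copies


@dataclass(frozen=True)
class Detection:
    category: str
    name: str
    status: str
    location: str

    @property
    def key(self):
        # NTFS paths are case-insensitive, and the scanner varies the case of
        # the same signature name between runs (adware/searchaid vs
        # Adware/SearchAid), so compare on the normalised path only.
        return self.location.lower()


def parse_activescan(text):
    """Return one Detection per result line; the header and blanks are skipped."""
    found = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            found.append(Detection(**m.groupdict()))
    return found


def diff_scans(before, after):
    """Classify what changed between two scans of the same machine."""
    before_by = {d.key: d for d in before}
    after_by = {d.key: d for d in after}
    removed = sorted(k for k in before_by if k not in after_by)
    appeared = [after_by[k] for k in sorted(after_by) if k not in before_by]
    quarantined = [d for d in appeared if d.key.startswith(KILLBOX_BACKUP)]
    qkeys = {d.key for d in quarantined}
    # Anything not disinfected and not a quarantine copy still needs action.
    still_live = [d for d in after
                  if d.key not in qkeys and d.status.lower() != "disinfected"]
    return {
        "removed": removed,
        "quarantined": [d.location for d in quarantined],
        "still_live": [d.location for d in still_live],
    }


SCAN_BEFORE = r"""
Incident Status Location
Spyware:spyware/petro-line Not disinfected C:\Documents and Settings\Administrator\Favorites\SITES ABOUT\Credit counseling.url
Adware:adware/searchaid Not disinfected C:\Documents and Settings\Administrator\Favorites\Search the web.url
Adware:adware/cws.008k Not disinfected C:\WINDOWS\iedb.dll
Adware:adware/navipromo Not disinfected C:\WINDOWS\sdkcy32.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\rcjajb.dat
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\sdkcy32.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\msbf32.exe
"""

SCAN_AFTER = r"""
Incident Status Location
Spyware:spyware/petro-line Not disinfected C:\Documents and Settings\Administrator\Favorites\SITES ABOUT\Insurance home.url
Adware:adware/searchaid Not disinfected C:\Documents and Settings\Administrator\Favorites\Only sex website.url
Adware:Adware/SearchAid Not disinfected C:\!KillBox\sdkcy32.exe
Adware:Adware/SearchAid Not disinfected C:\!KillBox\msbf32.exe
"""


if __name__ == "__main__":
    result = diff_scans(parse_activescan(SCAN_BEFORE), parse_activescan(SCAN_AFTER))
    for bucket, paths in result.items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

On the two scans above this reports the six original paths as removed, the two C:\!KillBox\ hits as quarantine copies, and the two new .url favourites as the only items still needing action, which is exactly the list the next reply feeds back into Killbox.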

#9 Cloutz (Visiting Staff)

Hi there ace_porate,

Practically done here, just have a bit of cleaning up to do. :tazz:

1) Please run Killbox.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Administrator\Favorites\SITES ABOUT\Insurance home.url
C:\Documents and Settings\Administrator\Favorites\Only sex website.url

4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Other than that, your HijackThis log appears to be CLEAN!!!

Here is a list of tools I like to suggest to users to prevent future infections.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Weather Watcher - Free taskbar weather program that is free, malware-free, and resource-light.
  • Firefox - Internet Explorer is NOT the most secure browser. I highly recommend Firefox as a safer alternative.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Also, make sure you run weekly scans in order to keep your computer clean of malware!

Nick :)

#10 therock247uk (Expert, MVP)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.