Help Trojan Horse Dropper.Agent.GIT


This topic is locked

#1
summersdeathxx

    New Member

  • Member
  • 1 posts
Computer infected with Trojan Horse Dropper.Agent.GIT and I can't get rid of it. Please help! Thanks.

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 3:53:44 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CB32654-FD3F-4CA5-B780-AB3334263C64} - C:\WINDOWS\system32\awtus.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvjip.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

ComboFix:

ComboFix 08-01-18.5 - Michael 2008-01-19 15:39:53.2 - NTFSx86
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 14:07 . 2005-05-29 18:37 211 --a------ C:\Boot.bak
2008-01-19 14:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-19 14:02 . 2008-01-19 14:02 103,936 --a------ C:\WINDOWS\system32\drvjip.dll
2008-01-19 14:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 13:37 . 2008-01-19 13:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-19 13:25 . 2008-01-19 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-20 21:13 . 1992-10-28 00:00 113,472 --a------ C:\WINDOWS\MPLAYER.EXE
2007-12-20 21:13 . 1993-07-13 00:00 106,624 --a------ C:\WINDOWS\system\INDEO_U.DRV
2007-12-20 21:13 . 1993-07-02 00:00 92,480 --a------ C:\WINDOWS\system\INDEOR3.DRV
2007-12-20 21:13 . 1992-10-28 00:00 78,201 --a------ C:\WINDOWS\MPLAYER.HLP
2007-12-20 21:13 . 1992-10-28 00:00 38,432 --a------ C:\WINDOWS\system\MSVIDC.DRV
2007-12-20 21:13 . 1992-10-28 00:00 8,704 --a------ C:\WINDOWS\MCIOLE.DLL
2007-12-20 21:13 . 1992-10-28 00:00 5,744 --a------ C:\WINDOWS\system\DISPDIB.DLL
2007-12-20 21:13 . 1992-10-28 00:00 667 --a------ C:\WINDOWS\MPLAYER.REG
2007-12-20 21:13 . 2007-12-20 21:13 231 --a------ C:\WINDOWS\SYSTEM.ISV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 19:47 --------- d-----w C:\Program Files\QuickTime
2008-01-19 19:29 --------- d-----w C:\Documents and Settings\Michael\Application Data\AVG7
2008-01-19 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-01-19 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-01-19 18:53 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-01-04 19:14 --------- d-----w C:\Program Files\Google
2007-12-17 00:56 --------- d-----w C:\Documents and Settings\Michael\Application Data\R-Wipe&Clean
2007-12-07 04:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-12-07 04:29 --------- d-----w C:\Program Files\Presentersoft PowerVideoMaker
2007-12-07 03:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\GeoVid
2007-12-07 03:26 --------- d-----w C:\Program Files\PowerPoint to Video DVD
2007-12-07 03:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sony
2007-12-01 01:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\R-Wipe&Clean
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-31 19:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-05-30 02:03 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
----a-w 98,304 2008-01-19 19:15:05 C:\Program Files\QuickTime\qttask .exe
----a-w 688,218 2008-01-19 19:14:59 C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w 919,280 2008-01-19 19:15:06 C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CB32654-FD3F-4CA5-B780-AB3334263C64}]
C:\WINDOWS\system32\awtus.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [ ]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2008-01-19 13:15 98304]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-19 13:29 579072]
"MSDrive"="C:\WINDOWS\system32\drvjip.dll" [2008-01-19 14:02 103936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-19 13:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk.disabled [2004-06-18 17:08:12]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-06-01 15:12:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]

.
Contents of the 'Scheduled Tasks' folder
"2005-05-30 00:36:59 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 15:42:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 15:42:37
ComboFix-quarantined-files.txt 2008-01-19 21:42:22
ComboFix2.txt 2008-01-19 20:20:10
.
2008-01-19 18:35:14 --- E O F ---
#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You have made topics at WTT, BC, and here.

That means you have wasted 3 sets of helpers' time, which is already pushed to the limit.

Do not post on multiple forums.