 Infected Winantispyware2007freeinstall, Winpop, Help on Removing Winantispyware2007freeinstall, and winpop |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Forum Guidelines
Read this topic before posting a log. DO NOT post a ComboFix log unless requested to. Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log. When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc. Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  |
 Aug 6 2007, 11:28 AM
Post
#1
|
|
|
New Member  Group: Members Posts: 1 Joined: 6-August 07 Member No.: 148,373  |
Here's my hijackthis log: Logfile of HijackThis v1.99.1 Scan saved at 8:51:53 AM, on 8/6/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ACS.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\WINDOWS\System32\DVDRAMSV.exe C:\WINDOWS\System32\svchost.exe c:\Toshiba\IVP\swupdate\swupdtmr.exe C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE C:\Program Files\RSSoft\RedSwoosh.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\WINDOWS\svhost.exe C:\WINDOWS\bhakavsA.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\PROGRA~1\ICROSO~1.NET\msiexec.exe C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\??stem\j?vaw.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Xanthe\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antlink.uci.edu/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/ O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe" /EMBEDDING O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE O4 - HKLM\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe" O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe" O4 - HKLM\..\Run: [bhakavsA] C:\WINDOWS\bhakavsA.exe O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A O4 - HKLM\..\RunServices: [wp32] wp32.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Osus] "C:\PROGRA~1\ICROSO~1.NET\msiexec.exe" -vt yazb O4 - HKCU\..\Run: [Lrb] "C:\Program Files\Common Files\??stem\j?vaw.exe" O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095651407034 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\bhakavs.exe |
 |
 
|
|
Aug 6 2007, 02:48 PM
Post
#2
|
|
 Malware Assassin Group: HJT Team Posts: 13,611 Joined: 13-July 06 Member No.: 75,975 |
Welcome to the BleepingComputer HijackThis Logs and Analysis forum achirino
 My name is Richie and i'll be helping you to fix your problems. Please move HijackThis to a permanent folder on the hard drive such as C:\HJT. Create a new folder and place your HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary. If you run Hijackthis from the desktop, the files it removes will not be backed up properly. How to create a new folder named HJT 1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C: 2. From the 'File' menu choose 'New'. 3. From the 'New' menu choose 'Folder'. 4. Type the folder name: HJT 5. Then press Enter. --------------------------------------------------------- Download SDFix.exe and save it to your desktop: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe * Double click on SDFix on your desktop,and install the fix to C:\ Please then reboot your computer into Safe Mode by doing the following: * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, a menu with options should appear; * Select the first option, to run Windows in Safe Mode, then press "Enter". * Choose your usual account. * In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script. * Type Y to begin the script. * It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * Your system will take longer that normal to restart as the fixtool will be running and removing files. * When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons. * Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply. ---------------------------------------------------------- Download Combofix and save to your desktop: Note: It is important that it is saved directly to your desktop Close any open browsers. Double click on combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask. ---------------------------------------------------------- Now go to: C:\HJT\HijackThis.exe Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please. -------------------- If I have helped you in any way, please consider a donation:
 Proud Member of ASAP (Alliance of Security Analysis Professionals). Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators). |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 9th February 2010 - 10:35 AM |
© 2003-2010 All Rights Reserved Bleeping Computer LLC.