Post #1, Dec 24 2007, 12:43 PM
New Member, Group: Members, Posts: 4, Joined: 24-December 07, Member No.: 178,613
Scan saved at 12:41:52 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5474 bytes
Post #2, Dec 25 2007, 03:16 PM
Forum Addict, Group: HJT Team, Posts: 1,550, Joined: 8-October 05, From: The Netherlands, Member No.: 36,436
Hello escobar91, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.
Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,
htv8

This post has been edited by htv8: Dec 25 2007, 03:16 PM
Post #3, Dec 25 2007, 03:22 PM
Forum Addict, Group: HJT Team, Posts: 1,550, Joined: 8-October 05, From: The Netherlands, Member No.: 36,436
Hello.
__________________________________________________
IMPORTANT
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer. Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it. If you do not have a firewall installed, please download and install one of these good (and free) products:
- ZoneAlarm
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here
NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.

Step #1: Create an uninstall list with HijackThis
We need to use HijackThis to create an uninstall list. Please provide me an uninstall list by performing these steps:
1. Open HijackThis.
2. Click once on the Config... button.
3. Go to the Misc Tools section by clicking on the Misc Tools button on top of the screen.
4. Click on the Open Uninstall Manager... button. You'll see a list of currently installed programs.
5. Click on the Save list... button and specify where you would like to save the uninstall list.
6. Click Save. Notepad will open up with the contents of that file.
7. Copy and paste the contents of that Notepad file (uninstall_list.txt) as a reply to this topic.

Step #2: Rename HijackThis
Occasionally malware hides itself from HijackThis. Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file. Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter.

Step #3: Rescan with HijackThis
Scan with HijackThis and post a new HijackThis log please.
__________________________________________________
So in your next reply, please post the entire contents of:
- the created uninstall list (uninstall_list.txt)
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
Post #4, Dec 25 2007, 08:21 PM
New Member, Group: Members, Posts: 4, Joined: 24-December 07, Member No.: 178,613
Hello thanks for your help and I hope you had a good Xmas
Windows firewall said it was already on...

2Wire Wireless Client
3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
AIM 6
AOL Coach Version 2.0(Build:20041026.5 en)
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Applications
AVG 7.5
AviSynth 2.5
BCM V.92 56K Modem
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CuteFTP 8 Professional
Dell ResourceCD
Diner Dash 4 Hometown Hero (remove only)
GTAIII
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Imagicon
Intel® Extreme Graphics Driver
iPod for Windows 2005-03-23
iTunes
Java 6 Update 3
Java SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark Z600 Series
LimeWire 4.14.8
Linksys EasyLink Advisor 1.5 (1010)
Madden NFL TM 2002
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Web Publishing Wizard 1.52
MSN Music Assistant
Nicktoons Basketball
Outerinfo
Paint.NET v3.08
QuickTime
SBC Yahoo! DSL Home Networking Installer
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SoundMAX
Spybot - Search & Destroy 1.4
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
Vongo
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:29 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12D98CD7-6C54-42AC-81F7-D301ECA2E7D0} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\vturstq.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: vturstq - C:\WINDOWS\SYSTEM32\vturstq.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6215 bytes
Post #5, Dec 26 2007, 05:44 AM
Forum Addict, Group: HJT Team, Posts: 1,550, Joined: 8-October 05, From: The Netherlands, Member No.: 36,436
Hello again.
> Hello thanks for your help and I hope you had a good Xmas

Yes, I had.

> Windows firewall said it was already on...

Windows Firewall blocks unsolicited incoming traffic. However, you cannot configure Windows Firewall to block outgoing traffic. In order to prevent unauthorised traffic both out of and into your computer, I strongly recommend you to install another firewall: using a more powerful firewall is really recommended. It is important that you use a good software firewall in order to keep your computer safe and secure on the Internet. Please download and install one of these good (and free) products as your log still does not show a firewall installed:
- ZoneAlarm
  NOTE: When installing ZoneAlarm, please remove the checkmark from the checkbox labelled "Include ZoneAlarm Spy Blocker [...]". The toolbar is not recommended (see: Sunbelt Blog: Another security company succumbs to temptation).
- Comodo Free Firewall
- Outpost Firewall Free
- Sunbelt Personal Firewall (= Kerio) - learn more here
NOTE: Never install more than one firewall program on your system. Several together can give problems and decrease the reliability of it seriously.
__________________________________________________
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.

You most likely got infected through file sharing. I see LimeWire 4.14.8 installed on your computer: a P2P/File Sharing (related) program. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of P2P application, you are more prone to infection. I suggest removing this program. If you agree, go to Start > Control Panel > Add/Remove Programs and remove LimeWire 4.14.8.
If you do not want to uninstall the program, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

Step #1
Go to Start > Control Panel > Add/Remove Programs and uninstall the following programs (if they are listed):
Java™ SE Runtime Environment 6 Update 1 <-- outdated (you already have the latest version)
Outerinfo <-- adware, see Adware.PurityScan

I see Viewpoint installed. Viewpoint is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything bad. This will change from what we know in 2006. For more information about this, see this reference: Viewpoint to Plunge Into Adware. Additional information here: Viewpoint. I strongly recommend removing Viewpoint. If you agree, remove Viewpoint Media Player from Add/Remove Programs as well.

Step #2
You have a Vundo infection. Download VundoFix.exe to your Desktop to get rid of it.
Download VundoFix.exe
Once downloaded, follow these steps to run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it is done scanning, click the Remove Vundo button.
4. Click the Yes button at the prompt asking you if you want to remove the files.
   NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer. Click OK.
6. Post the entire contents of C:\vundofix.txt in your next reply.
NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from the second step - "2. Click the Scan for Vundo button." - when VundoFix appears upon rebooting.

Step #3
Scan with HijackThis again and post a new HijackThis log please.
__________________________________________________
So in your next reply, please post the entire contents of:
- C:\vundofix.txt
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

This post has been edited by htv8: Dec 26 2007, 06:05 AM
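The two scans posted so far differ because the second one ran under a renamed executable: the first log (HijackThis.exe) lists no O2 entries at all, while the fluffybunny.exe scan shows unnamed BHOs loading from system32 plus an O20 Winlogon Notify entry, which is the Vundo pattern htv8 diagnoses. The script below is an added example, not code from the thread or from HijackThis/VundoFix: it parses HJT log text into entries, lists what the renamed scan exposed that the first did not, and flags entries matching that pattern. The sample logs are excerpts of the ones posted in this thread; the regex-based flagging rule is a heuristic written for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: excerpts of the logs posted in this thread, trimmed to the
# lines the comparison needs.  First scan ran as HijackThis.exe, the second
# as fluffybunny.exe, the third after VundoFix had run.
LOG_FIRST_SCAN = r"""
Running processes:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""
LOG_RENAMED_SCAN = r"""
Running processes:
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12D98CD7-6C54-42AC-81F7-D301ECA2E7D0} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\vturstq.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: vturstq - C:\WINDOWS\SYSTEM32\vturstq.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""
LOG_AFTER_VUNDOFIX = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O2 - BHO: (no name) - {2B7AD908-6A01-4F71-9AA5-51B9A6A5D847} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {74ADBE58-6D52-4144-97E7-65B252D7DEBD} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\vturstq.dll
O2 - BHO: (no name) - {D2D7C2F7-D9B6-402A-A19A-F820146E0043} - C:\WINDOWS\system32\mllji.dll (file missing)
"""

# Every HJT entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ".  Header lines and the running-process list do not.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# Heuristic for this example: a short, random-looking file name loaded
# straight from system32, the shape of the Vundo components in the thread.
SYSTEM32_RANDOM = re.compile(
    r"C:\\WINDOWS\\system32\\([a-z]{5,8}\.(?:dll|exe))", re.IGNORECASE)

@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O20", "F3", ...
    detail: str   # everything after "O2 - "

def parse_hjt_log(text: str) -> List[Entry]:
    """Return the section entries of a HijackThis log, in log order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def new_entries(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries in `after` that `before` did not list, in `after` order."""
    seen = set(before)
    return [e for e in after if e not in seen]

def flag_entry(e: Entry) -> Optional[str]:
    """Reason string if the entry matches a Vundo-style pattern, else None.

    A nameless BHO on its own is not suspicious (Spybot's SDHelper.dll shows
    as "(no name)" too); the combination with a system32 path is the signal.
    """
    m = SYSTEM32_RANDOM.search(e.detail)
    if m is None:
        return None
    name = m.group(1)
    if e.section == "O2" and e.detail.startswith("BHO: (no name)"):
        if "(file missing)" in e.detail:
            return f"orphaned BHO registration for {name} (file already gone)"
        return f"unnamed BHO loading {name} from system32"
    if e.section == "O20" and e.detail.startswith("Winlogon Notify:"):
        return f"Winlogon Notify DLL {name} (loaded into winlogon.exe at every logon)"
    if e.section == "F3" and "load=" in e.detail:
        return f"win.ini load= autostart of {name}"
    return None

def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """(entry, reason) pairs for every entry that flag_entry() reports."""
    pairs = [(e, flag_entry(e)) for e in entries]
    return [(e, r) for e, r in pairs if r is not None]

if __name__ == "__main__":
    first = parse_hjt_log(LOG_FIRST_SCAN)
    renamed = parse_hjt_log(LOG_RENAMED_SCAN)
    print("Entries only listed once HijackThis.exe was renamed:")
    for e in new_entries(first, renamed):
        print(f"  {e.section} - {e.detail}")
    for e, reason in flag_entries(renamed + parse_hjt_log(LOG_AFTER_VUNDOFIX)):
        print(f"  flagged {e.section}: {reason}")
```

The third log shows why htv8 asks for a fresh scan after VundoFix: the jkkjg.dll and mllji.dll registrations are now orphaned, but awtqq.exe/awtqq.dll and vturstq.dll still load.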
Post #6, Dec 26 2007, 05:02 PM
New Member, Group: Members, Posts: 4, Joined: 24-December 07, Member No.: 178,613
VundoFix V6.7.7
Checking Java version...

Scan started at 3:56:52 PM 12/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\jkkjg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\gjkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjkkj.ini2
C:\WINDOWS\system32\gjkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jkkjg.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:44 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqq.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B7AD908-6A01-4F71-9AA5-51B9A6A5D847} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {74ADBE58-6D52-4144-97E7-65B252D7DEBD} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\vturstq.dll
O2 - BHO: (no name) - {D2D7C2F7-D9B6-402A-A19A-F820146E0043} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6609 bytes
Dec 27 2007, 05:06 AM
Post #7
Forum Addict, Group: HJT Team, Posts: 1,550, Joined: 8-October 05, From: The Netherlands, Member No.: 36,436
Hello again.
__________________________________________________
Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.

Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.

Step #1

Please download ComboFix from any of the links below and save it to your Desktop.
(1) Download ComboFix.exe
(2) Download ComboFix.exe
(3) Download ComboFix.exe

WARNING: You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.

NOTE: In the event you already have ComboFix, this is a new version that I need you to download. It is important that ComboFix is saved directly to your Desktop.

When the file has finished downloading:
1. Close any open browsers/windows.
2. Disconnect from the Internet.
3. VERY IMPORTANT: Temporarily disable your antivirus, script blocking and any anti-malware real-time protection before performing a scan. (They can interfere with the running of ComboFix or remove some of its embedded files which may cause "unpredictable results".) Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
4. Double-click ComboFix.exe to launch the application and follow the on-screen prompts.
NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
5. When finished, ComboFix shall produce a log for you; post the entire contents of C:\ComboFix.txt in your next reply.

Step #2

Scan with HijackThis again and post a new HijackThis log.
__________________________________________________
So in your next reply, please post the entire contents of:
- C:\ComboFix.txt
- a new HijackThis log

NOTE: Use several posts if necessary to include everything in the requested logs.
Dec 27 2007, 01:19 PM
Post #8
New Member, Group: Members, Posts: 4, Joined: 24-December 07, Member No.: 178,613
ComboFix 07-12-28.1 - Owner 2007-12-27 12:51:13.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware
C:\Documents and Settings\Owner\Application Data\DriveCleaner Freeware\Logs\update.log
C:\Documents and Settings\Owner\err.log
C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini2
C:\WINDOWS\system32\vturstq.dll
C:\WINDOWS\system32\vtutr.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.
2007-12-26 20:53 . 2007-12-26 20:53 3,584 --a------ C:\WINDOWS\system32\vtutr.exe
2007-12-26 16:59 . 2007-12-26 16:59 3,584 --a------ C:\WINDOWS\system32\awtqq.exe
2007-12-26 16:55 . 2007-12-26 16:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Comodo
2007-12-26 16:55 . 2007-12-26 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-12-26 16:51 . 2006-08-26 15:14 211 --a------ C:\boot.ini.comodofirewall
2007-12-26 16:50 . 2007-12-26 18:57 <DIR> d-------- C:\Program Files\Comodo
2007-12-26 15:57 . 2007-12-26 15:57 3,584 --a------ C:\WINDOWS\system32\jkkjg.exe
2007-12-26 14:12 . 2007-12-26 20:01 <DIR> d-------- C:\VundoFix Backups
2007-12-26 10:33 . 2007-12-26 10:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-26 10:32 . 2007-12-26 10:37 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2007-12-26 10:31 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-12-26 10:28 . 2007-12-26 15:51 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-12-26 10:27 . 2007-12-26 15:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-12-23 21:38 . 2007-12-26 18:18 <DIR> d-------- C:\Program Files\AIM6
2007-12-23 16:34 . 2007-12-23 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-12-23 15:35 . 2007-12-23 15:35 3,584 --a------ C:\WINDOWS\system32\mllji.exe
2007-12-23 15:05 . 2007-12-23 15:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 13:32 . 2007-12-23 13:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-23 13:32 . 2007-12-23 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 15:23 . 2007-12-19 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2007-12-19 15:14 . 2007-12-22 18:58 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2007-12-03 19:45 . 2007-12-03 19:45 <DIR> d-------- C:\Documents and Settings\brian\Application Data\acccore
2007-12-03 19:42 . 2007-12-03 19:43 <DIR> d-------- C:\Documents and Settings\brian\Application Data\AVG7
2007-12-02 19:31 . 2007-12-02 19:31 <DIR> d-------- C:\Program Files\Devious Codeworks
2007-12-02 19:10 . 2007-12-02 19:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\GlobalSCAPE
2007-12-02 19:09 . 2007-12-02 19:09 <DIR> d-------- C:\Program Files\GlobalSCAPE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 17:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-26 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-24 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-24 02:39 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-23 20:34 --------- d-----w C:\Program Files\iTunes
2007-12-23 17:39 --------- d-----w C:\Program Files\Vongo
2007-12-23 17:39 --------- d-----w C:\Program Files\QuickTime
2007-12-23 17:39 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-12-23 17:39 --------- d-----w C:\Program Files\Common Files\DriveCleaner Freeware
2007-12-23 17:39 --------- d-----w C:\Program Files\2Wire
2007-12-23 15:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-23 00:01 --------- d-----w C:\Program Files\DivX
2007-12-08 22:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\VikingsScreenServer
2007-12-07 20:03 --------- d-----w C:\Program Files\Java
2007-12-04 00:58 --------- d-----w C:\Documents and Settings\brian\Application Data\Apple Computer
2007-12-03 00:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 20:05 --------- d-----w C:\Program Files\Google
2007-11-23 14:05 --------- d-----w C:\Program Files\EA GAMES
2007-11-21 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-21 22:44 --------- d-----w C:\Program Files\Yahoo! Games
2007-11-17 22:27 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 21:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-10-29 21:46 --------- d-----w C:\Program Files\iPod
2007-10-29 21:36 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 21:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-28 15:18 --------- d-----w C:\Program Files\Apple Software Update(2)
2007-10-28 15:17 --------- d-----w C:\Program Files\QuickTime(2)
2007-10-28 15:16 --------- d-----w C:\Program Files\iTunes(2)
2007-10-28 15:13 --------- d-----w C:\Program Files\QuickTime(3)
2007-10-28 15:12 --------- d-----w C:\Program Files\iTunes(3)
2006-06-11 02:23 266 ---h--w C:\Program Files\desktop.ini
2006-06-11 02:23 11,079 ---h--w C:\Program Files\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C6DED89-E2D8-4F44-8FD9-51ECBADDCAE3}]
C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74ADBE58-6D52-4144-97E7-65B252D7DEBD}]
C:\WINDOWS\system32\jkkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2D7C2F7-D9B6-402A-A19A-F820146E0043}]
C:\WINDOWS\system32\mllji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" []
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-12-28 12:52]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-02-21 14:02:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1177238915-842925246-839522115-1003\Scripts\Logoff\0\0]
"Script"=C:\Program Files\Automatic Windows Internet Washer\xp.cmd

S3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2004-09-15 03:42]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 14:45:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 13:11:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 13:13:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-06 17:40
C:\ComboFix2.txt ... 2007-07-06 17:40
.
2007-12-13 08:08:21 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:05 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C6DED89-E2D8-4F44-8FD9-51ECBADDCAE3} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {74ADBE58-6D52-4144-97E7-65B252D7DEBD} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {D2D7C2F7-D9B6-402A-A19A-F820146E0043} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6375 bytes
Dec 28 2007, 06:42 AM
Post #9
Forum Addict, Group: HJT Team, Posts: 1,550, Joined: 8-October 05, From: The Netherlands, Member No.: 36,436
Hello again. We are making progress!
__________________________________________________
Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is NOT available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.

Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.

Step #1

Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.

CODE
File::
C:\WINDOWS\system32\vtutr.exe
C:\WINDOWS\system32\awtqq.exe
C:\WINDOWS\system32\jkkjg.exe
C:\WINDOWS\system32\mllji.exe

Folder::
C:\VundoFix Backups
C:\Program Files\Common Files\DriveCleaner Freeware

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C6DED89-E2D8-4F44-8FD9-51ECBADDCAE3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74ADBE58-6D52-4144-97E7-65B252D7DEBD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2D7C2F7-D9B6-402A-A19A-F820146E0043}]

Click File > Save and save as CFScript.txt to the Desktop.

WARNING: The above code was created specifically for this user. If you are not this user, do NOT follow these directions.

Once the file is created:
1. Close any open browsers/windows.
2. Disconnect from the Internet (physically unplug/pull out CAT5 cable if you hafta).
3. VERY IMPORTANT: Temporarily disable your antivirus, script blocking and any anti-malware real-time protection.
4. Drag CFScript.txt on top of ComboFix.exe as shown in the screenshot below. This will start ComboFix again.
[screenshot: dragging CFScript.txt onto ComboFix.exe]
5. After reboot--in case it asks to reboot--post the entire contents of ComboFix.txt in your next reply.
NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!

Step #2

Download Deckard's System Scanner (DSS) to your Desktop.
NOTE: You must be logged onto an account with administrator privileges.
Download Deckard's System Scanner (dss.exe)

To run the program:
1. Close all programs/windows so that you have nothing open and are at your Desktop.
2. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized.
3. Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the contents of main.txt and extra.txt in your next reply.
If you have any problems with the logs, both can be found in C:\Deckard\System Scanner.
NOTE: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Step #3

Scan with HijackThis again and post a new HijackThis log.

Although we are not done yet, please also let me know how the computer is running now.
__________________________________________________
So in your next reply, please post the entire contents of:
- the ComboFix log
- the DSS reports main.txt + extra.txt
- a new HijackThis log

NOTE: Use several posts if necessary to include everything in the requested logs.
Jan 4 2008, 02:00 PM
Post #10
Forum Addict, Group: HJT Team, Posts: 1,550, Joined: 8-October 05, From: The Netherlands, Member No.: 36,436
Due to the lack of feedback, this topic is closed.
To get it reopened, PM a staff member with the address of this thread. This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.