BleepingComputer.com: Hijack this log file

I need you to tell me what to fix and what to leave alone. I'm sending both attachments so look for the other one. Do I have it right now?

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

What had happened was about two years ago I had got hacked by [http://www.porntube.com/] and now I am and have fixed my computer. P.s. check out my protection the worlds first cloud it has 5 vendors in one and you can run suites with it (one real anti virus and or spy ware or freeware). which makes it 64.1% stronger! Hitman pro 3 from Surfright it's also dutch.(one of there sites [http://www.hitmanpro.com/en/)]

DDS (Ver_09-06-26.01) - NTFSx86
Run by SCOTTY at 6:20:33.37 on Fri 07/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Bar =
uSearch Page =
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - Gamevance
BHO: {0eedb912-c5fa-486f-8334-57288578c627} - Shareaza Web Download Hook
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files\bearshare applications\bearshare mediabar\BearShareIEHelper.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\program files\iwin games\iWinGamesHookIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\scotty.home-dqq06mmvuh\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SmartDefrag] "c:\program files\iobit\iobit smartdefrag\IObit SmartDefrag.exe" /StartUp
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Weekend%20Party%20-%20Fashion%20Show/Images/stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203947954265
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203948421500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Adventures%20Around%20the%20World/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scotty~1.hom\applic~1\mozilla\firefox\profiles\fb5z9l95.default\
FF - prefs.js: browser.search.selectedEngine - Search Microsoft Answers
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\scotty.home-dqq06mmvuh\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\opera\program\plugins\npsoestb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-30 00:04 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 00:04 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-30 00:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 23:18 <DIR> --d----- c:\docume~1\scotty~1.hom\applic~1\Malwarebytes
2009-06-29 23:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-29 06:38 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-06-29 06:38 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-06-29 06:38 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-06-29 06:38 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-06-29 06:38 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-06-29 06:38 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-06-29 06:38 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-06-29 06:38 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-06-29 06:38 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-06-29 06:38 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-06-28 22:36 34 a------- c:\windows\winver.ini
2009-06-28 22:11 <DIR> --d----- c:\program files\Find Junk Files
2009-06-28 02:40 <DIR> --d----- c:\program files\VS Revo Group
2009-06-27 15:42 <DIR> --d----- c:\docume~1\scotty~1.hom\applic~1\MySpace
2009-06-26 23:58 44 a---h--- c:\windows\system32\InternetAccelerator_sysquict.dat
2009-06-25 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hagel Technologies
2009-06-25 22:13 <DIR> --d----- c:\program files\TweakMASTER
2009-06-23 21:11 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-23 21:11 <DIR> --d----- c:\program files\Avira
2009-06-23 21:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-23 06:07 <DIR> --d----- c:\docume~1\scotty~1.hom\applic~1\IObit
2009-06-23 06:07 <DIR> --d----- c:\program files\IObit
2009-06-23 02:23 0 a------- C:\defragme.dat
2009-06-22 21:31 <DIR> --dsh--- c:\documents and settings\scotty.home-dqq06mmvuh\IECompatCache
2009-06-21 20:27 42 a------- c:\windows\Pt.dll
2009-06-21 16:43 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-06-21 16:42 <DIR> --d----- c:\windows\Logs
2009-06-21 16:42 <DIR> --d----- c:\program files\Sony Online Entertainment
2009-06-20 07:08 <DIR> --d----- c:\program files\Trend Micro
2009-06-20 00:53 <DIR> --d----- c:\program files\AVG
2009-06-17 22:11 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-06-17 21:48 <DIR> --d----- c:\docume~1\scotty~1.hom\applic~1\Blitware
2009-06-17 21:47 <DIR> --d----- c:\program files\Driver Robot
2009-06-16 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure
2009-06-14 15:35 <DIR> --d----- c:\docume~1\scotty~1.hom\applic~1\OnlineArmor
2009-06-13 21:06 <DIR> --d----- c:\documents and settings\scotty.home-dqq06mmvuh\Tracing
2009-06-13 14:53 <DIR> --d----- c:\docume~1\scotty~1.hom\applic~1\Windows Search
2009-06-13 14:46 <DIR> --dsh--- c:\documents and settings\scotty.home-dqq06mmvuh\PrivacIE
2009-06-13 14:42 <DIR> --dsh--- c:\documents and settings\scotty.home-dqq06mmvuh\IETldCache
2009-06-13 14:42 <DIR> --d----- c:\documents and settings\SCOTTY.HOME-DQQ06MMVUH
2009-06-10 14:00 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 14:00 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-05 06:38 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys

==================== Find3M ====================

2009-06-01 05:36 12,288 a------- c:\windows\system32\drivers\hitmanpro3.sys
2009-05-28 20:55 12,800 a------- c:\windows\system32\bootdelete.exe
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-22 16:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-05-22 16:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-30 23:02 539,160 a------- c:\windows\system32\LVUI2RC.dll
2009-04-30 23:02 539,160 a------- c:\windows\system32\LVUI2.dll
2009-04-30 22:57 199,192 a------- c:\windows\system32\lvci1201278.dll
2009-04-30 22:57 416,280 a------- c:\windows\system32\lvcodec2.dll
2009-04-30 22:39 34,068 a------- c:\windows\system32\Repository.reg
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-04-02 05:03 449 a------- c:\program files\Shortcut to Java.lnk
2008-05-26 12:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052620080527\index.dat

============= FINISH: 6:22:09.00 ===============

Freeware bug repellent software <http://www.allmosquito.com/> (another one that fights malaria Anti-MAL but I can't find it in English.)

I made a mistake mosquitos with a s.

Hi Jimmy Dick Hill,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already.
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks

ok

I am here.

Hi Jimmy Dick Hill,

There's a bit of adware on the logs but nothing really bad.

Just to make sure please run these two scanners.

We need to scan for Rootkits with GMER

• Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
  • Main Mirror
    This version will download a randomly named file (Recommended)
    
  • Zip Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  
  
• Close any and all open programs, as this process may crash your computer.
  
• Double click or on your desktop.
  
• Allow the gmer.sys driver to load if asked.
  
• You may see this window. If you do, click No.
  
  
• Click on and wait for the scan to finish.
  
• If you see a rootkit warning window, click OK.
  
• Push and save the logfile to your desktop.
  
• Copy and Paste the contents of that file in your next post.

Then

We need to create an OTL Report

• Please download OTL from the mirror:
  [http://oldtimer.geekstogo.com/OTL.exe]This is THE Mirror[/url]
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:[list]
  OTListIt.txt <-- Will be opened
  Extra.txt <-- Will be minimized

Thanks

Are you there m0le?

ok i din not see you were ok hold on

I have been trying but the first one gamer.exe. it says I don't have permission to access sorry for delay internet interruption.

Yeah there's got to be a little ad ware because when I tuned on my firewall and then back off before trying again it worked. Here is the first one.

The second one says Access violation at address 004f005h in module OTL.exe. Read of address ffffffff. It only gave one report there may be something wrong. Or I didn't wait long enough for the second report to finish or I couldn't find the minimized report. But here's the log tell me what to do.

I did the first one wrong I'll send it again but I'll have to find it or do it again. It will probally be tomorrow I have to go to work

Here's gamer.exe I sorry it took so long. My mom and aunt were on myspace. When I did the first one it looked like it was finished like something was wrong tell me what to do about that one . I'll try it again and wait longer if you want me to.