Apr 30 2007, 07:30 AM
Post #1
New Member, Group: Members, Posts: 4, Joined: 30-April 07, Member No.: 127,933
Scan saved at 13:21:43, on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
E:\Power DVD\PDVDServ.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MessengerSkinner\MessengerSkinner.exe
E:\Adobe Acrobat 6\Distillr\acrotray.exe
C:\Program Files\PND Speed Camera Sync\PndSync\PndSync.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wwSecure.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Pinnacle\Shared Files\Programs\PclePvr\VideoControl.exe
C:\Documents and Settings\IBM\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Acrobat 6\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Adobe Acrobat 6\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Adobe Acrobat 6\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Power DVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Phase One Media Reader] E:\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PMCS] "C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Adobe Acrobat 6\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office XP\Office10\OSA.EXE
O4 - Global Startup: PND Speed Camera Synchronization.lnk = C:\Program Files\PND Speed Camera Sync\PndSync\PndSync.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1144354366015
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\AutoCad Architectural Desktop\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\AutoCad Architectural Desktop\InstBanr.ocx
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.od2.com/common/musicmanager/in...nagerPlugin.CAB
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\AutoCad Architectural Desktop\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\AutoCad Architectural Desktop\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

Many thanks
Apr 30 2007, 10:48 AM
Post #2
Malware Assassin, Group: HJT Team, Posts: 13,611, Joined: 13-July 06, Member No.: 75,975
Welcome to the BleepingComputer HijackThis Logs and Analysis forum rolopolo
Please download Combofix and save to the desktop: http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

***************************

Please download Sophos Anti-Rootkit, and save it on your desktop.
1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste: %temp%\sarscan.log then press Enter.
7. This should open the log from the rootkit scan. Post this log into your next reply.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-rootkit as Trojan.Dropper.Interlac.100. So if you have Trojan Hunter installed you will need to disable it prior to running a scan.

Also post a new Hijackthis log please.
May 1 2007, 03:34 PM
Post #3
New Member, Group: Members, Posts: 4, Joined: 30-April 07, Member No.: 127,933
"IBM" - 07-05-01 21:22:32 Service Pack 2
ComboFix 07-05.01.V - Running from: "C:\Documents and Settings\IBM\Desktop\"
/wow section not completed

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\IBM\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\nasxsq_navps.dat
C:\WINDOWS\system32\nasxsq.exe
C:\WINDOWS\system32\nasxsq.dat

((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))

2007-04-30 13:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-20 20:17 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-04-20 20:17 274,432 --a------ C:\WINDOWS\system32\imon.dll
2007-04-20 19:46 241,066 --a------ C:\WINDOWS\system32\nasxsq_nav.dat
2007-04-18 07:50 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-18 07:47 332,288 --a------ C:\WINDOWS\system32\seeaua.exe
2007-04-18 07:44 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-04-16 17:31 <DIR> d-------- C:\DOCUME~1\IBM\APPLIC~1\MessengerSkinner
2007-04-16 17:30 <DIR> d-------- C:\Program Files\MessengerSkinner
2007-04-03 12:04 5,767,168 --a------ C:\DOCUME~1\IBM\ntuser.dat

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-30 11:51:18 -------- d-----w C:\Program Files\Messenger
2007-04-22 08:19:46 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-04-16 16:31:01 -------- d-----w C:\DOCUME~1\IBM\APPLIC~1.\MessengerSkinner
2007-04-11 09:47:59 -------- d-----w C:\DOCUME~1\IBM\APPLIC~1.\AdobeUM
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 18:34:31 -------- d-----w C:\Program Files\Disney Interactive
2007-03-12 17:06:03 -------- d-----w C:\DOCUME~1\IBM\APPLIC~1.\MSN6
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
2007-02-03 12:18:22 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="E:\Adobe Acrobat 6\Acrobat\ActiveX\AcroIEHelper.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar1.dll"
"{AE7CD045-E861-484f-8273-0445EE161910}"="E:\Adobe Acrobat 6\Acrobat\AcroIEFavClient.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Spyware Nuker"="C:\\Program Files\\Spyware Nuker 2004\\swn2.exe /h"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"RemoteControl"="\"E:\\Power DVD\\PDVDServ.exe\""
"Phase One Media Reader"="E:\\PHASEO~1\\CAPTUR~1\\DCIMImp.exe /noscan /CheckAutoStart"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"PMCS"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaCenterService\\PMC.Service.Main.exe\" -host -clearDebug"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCLEPCI"="C:\\PROGRA~1\\Pinnacle\\PPE\\PPE.EXE"
"LaunchPDeviceConn"="\"C:\\Program Files\\Philips\\Philips Device Transfer Pop-up\\PDeviceConn.exe\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"nasxsq"="c:\\windows\\system32\\nasxsq.exe nasxsq"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe /0"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"messengerskinner"="C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NosecurityTab"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NosecurityTab"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://disney.go.com/princess/assets/wallp...ora_800x600.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 21:25:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [2056]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-01 21:27:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-01 21:27
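A cross-check between the two logs in this thread, added here as an example and not part of the thread or of the HijackThis/ComboFix tools: it parses the O4 Run lines from the HijackThis log in post #1 and the Run values ComboFix dumped under "Reg Loading Points" in post #3, and lists the values ComboFix read from the registry that HijackThis did not report. On this thread's data that surfaces the nasxsq entry; the sample lines are a constructed subset of the two logs and the function names are my own.

```python
"""Added example (not from the thread): compare HijackThis O4 Run lines with the
Run values ComboFix dumped under "Reg Loading Points". A value ComboFix read from
the registry that HijackThis did not list deserves a second look. Sample lines are
constructed from the two logs in this thread; the function names are my own."""
import re

# Constructed sample: a few O4 lines from the HijackThis log in post #1.
HJT_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Constructed sample: matching "Reg Loading Points" lines from the ComboFix log
# in post #3. ComboFix writes backslashes as \\ and embedded quotes as \".
COMBOFIX_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"nasxsq"="c:\\windows\\system32\\nasxsq.exe nasxsq"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

HJT_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
CF_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
HIVES = {"hkey_local_machine": "HKLM", "hkey_current_user": "HKCU"}

def parse_hjt_run(text):
    """(hive, value name lower-cased) -> command, from HJT O4 HKLM/HKCU Run lines."""
    found = {}
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            hive, name, command = m.groups()
            found[(hive, name.lower())] = command
    return found

def parse_combofix_run(text):
    """Same mapping, taken from ComboFix's dump of the two Run keys."""
    found, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive = None
            if key.endswith(r"\currentversion\run"):
                hive = HIVES.get(key.split("\\", 1)[0])
            continue
        m = CF_VALUE.match(line)
        if hive and m:
            name, data = m.groups()
            # Undo ComboFix's escaping: \\ -> \ and \" -> "
            found[(hive, name.lower())] = re.sub(r"\\(.)", r"\1", data)
    return found

def unseen_autoruns(hjt_text, combofix_text):
    """Run values present in ComboFix's registry dump but absent from the HJT log."""
    seen = parse_hjt_run(hjt_text)
    dumped = parse_combofix_run(combofix_text)
    return sorted((hive, name, cmd) for (hive, name), cmd in dumped.items()
                  if (hive, name) not in seen)

if __name__ == "__main__":
    for hive, name, cmd in unseen_autoruns(HJT_LOG, COMBOFIX_LOG):
        print(f"{hive} Run value [{name}] missing from HijackThis log: {cmd}")
```

Run against the full logs, the same gap shows up: nasxsq appears in ComboFix's HKLM Run dump but not among the HijackThis O4 lines, which fits catchme's "hidden processes: 1" and is what the aftermath.bfu script in post #5 removes.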
May 1 2007, 03:47 PM
Post #4
New Member, Group: Members, Posts: 4, Joined: 30-April 07, Member No.: 127,933
Sophos Anti-Rootkit Version 1.3RC (data 1.06) © 2006 Sophos Plc
Started logging on 01/05/2007 at 21:36:40
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Scrunch
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Suffixes\video/x-ivf
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\User Trusted External Applications\"C:\PROGRA~1\WINDOW~3\wmplayer.exe"
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\User Trusted External Applications\C:\PROGRA~1\WINDOW~3\wmplayer.exe
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\User Trusted External Applications\"C:\Program Files\Windows Media Player\wmplayer.exe"
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\User Trusted External Applications\C:\Program Files\Windows Media Player\wmplayer.exe
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\video/x-ivf
Stopped logging on 01/05/2007 at 21:39:23
May 1 2007, 04:36 PM
Post #5
Malware Assassin, Group: HJT Team, Posts: 13,611, Joined: 13-July 06, Member No.: 75,975
Please download Brute Force Uninstaller to your desktop.
· Right click the BFU folder on your desktop, and choose Extract All
· Click "Next"
· In the box to choose where to extract the files to,
· Click "Browse"
· Click on the + sign next to "My Computer"
· Click on "Local Disk (C:)" or whatever your primary drive is
· Click "Make New Folder"
· Type in BFU
· Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the same folder you made earlier (c:\BFU).

Copy the part in bold below into notepad and save it as aftermath.bfu
Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nasxsq
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nasxsq
FileDelete %SYSDIR%\nasxsq_navps.dat
FileDelete %SYSDIR%\nasxsq_nav.dat
FileDelete %SYSDIR%\nasxsq.dat
FileDelete %SYSDIR%\nasxsq.exe
FileDelete %SYSDIR%\nasxsq_m2s.xml
FileDelete %WINDIR%\nasxsq.exe-*.pf

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
· Start the Brute Force Uninstaller by double-clicking BFU.exe
· Behind the scriptline to execute field click the folder icon and select EGDACCESS.bfu
· Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
· Wait for the complete script execution box to pop up and press OK.
· Behind the scriptline to execute field click the folder icon again and this time select aftermath.bfu
· Press Execute and let it do its job.
· Wait for the complete script execution box to pop up and press OK.
· Press exit to terminate the BFU program.
Restart your pc.

****************************

Double click on combofix.exe again and follow the prompts. When it's finished it will produce a log. Post the C:\ComboFix.txt into your next reply.

Also post a new HijackThis log.