Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Hijack Log And Avg Detected Trojan Sheur.bid


  • This topic is locked This topic is locked
8 replies to this topic

#1 frankgrimes

frankgrimes

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 21 July 2007 - 12:26 PM

Computer keeps freezing after few minutes of use. AVG found this SHeur.BID but can never finish running program because computer freezes. Managed to run a system restore to few days ago now what do i do? Running AVG again and AVG antispy. This cant be as easy as just doing a system restore right? Although computer hasnt froze yet and before it would have by now. Thanks.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:22 AM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: connect sbcyahoo!.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mcssl1.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DD4EA5A-B290-4DA8-8E75-66CC3C29CB69}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Edited by frankgrimes, 21 July 2007 - 12:37 PM.


BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:16 PM

Posted 03 August 2007 - 09:14 PM

Hello frankgrimes,

Our apologies for the delay. We are swamped with logs.

If you still need help, please post a new log so I can see if anything has changed.

This cant be as easy as just doing a system restore right? Although computer hasnt froze yet and before it would have by now

.

Usually, freezing is caused by hardware, drivers, or software, but not always.

Edited by SifuMike, 03 August 2007 - 10:29 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 frankgrimes

frankgrimes
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 04 August 2007 - 02:55 AM

Yes i was getting some advice from majorgeeks.com. I thought it might be malware but recently i got a message saying windows has recovered from a serious error. then when i restarted firefox i got this:
http://wer.microsoft.com/responses/Respons...f3-25d4c1942780

I really just dont know what to do. My computer will record my favorite sirius radio show for six hours every morning but when i goto encode the .wavs into .mp3s it freezes right away.(i use BladeEnc and have tried smartwave with same results) Sometimes i can be on for an hour sometimes five minutes. I think its hardware at this point. ANy input would be greatly appreciated.

Here is the latest log form hijack. I downloaded counterspy, stinger, spyware blaster, registry mechanic. I already use spybot, Avg, CCleaner and adaware. Im dying to get this over with.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:58 AM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: connect sbcyahoo!.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mcssl1.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DD4EA5A-B290-4DA8-8E75-66CC3C29CB69}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 7890 bytes

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:16 PM

Posted 04 August 2007 - 11:27 AM

Hi frank,

I see no malware in your Hijackthis log :thumbsup: , so I appears this a truly a hardware problem.

We can update your java and check for hidden malware in this forum, but for hardware advice you need to go to our Hardware forum.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.



Let's do an online virus scan to make sure there is nothing lurking.


You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 frankgrimes

frankgrimes
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 05 August 2007 - 03:34 AM

BitDefender Online Scanner







Scan report generated at: Sat, Aug 04, 2007 - 16:50:54









Scan path: A:\;C:\;D:\;E:\;F:\;















Statistics

Time


01:08:18

Files


175286

Folders


5056

Boot Sectors


5

Archives


3751

Packed Files


7754







Results

Identified Viruses


1

Infected Files


1

Suspect Files


0

Warnings


0

Disinfected


0

Deleted Files


1







Engines Info

Virus Definitions


684296

Engine build


AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)

Scan plugins


14

Archive plugins


38

Unpack plugins


6

E-mail plugins


6

System plugins


1







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes








Scanned File


Status

C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll


Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E

C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll


Disinfection failed

C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll


Deleted

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:16 PM

Posted 05 August 2007 - 01:28 PM

Hi Frank,

BitDefender removed one virus :thumbsup: , but that would not cause freezing.


NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

1. Download this file - combofix.exe to your Desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall




As I said in my previous post go to our Hardware forum and post there. We have many harware experts that will help you.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Edited by SifuMike, 05 August 2007 - 01:32 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 frankgrimes

frankgrimes
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 06 August 2007 - 10:31 PM

I ran combofix tonight. Over the weekend i finally called dell and they told me to run the diagnostics disk. they concluded that my hard drive had unfixable sectors. My memory tests passed. So i have ordered a new HD from newegg and am waiting to reinstall my OS. Hopefully this solves everything. Thanks for your help any additional advice would be helpful. Also maybe you can answer this. I purchased an external drive as well to back up my stuff before switching to new hard drive. Is it as easy as just copying my programs/files like say firefox over to the external and when the new one is ready bringing them back? Thanks again.


ComboFix 07-08-04.3 - "steve" 2007-08-06 20:00:57.1 [GMT -7:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\fad.sys


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 19:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 12:01 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
2007-08-05 12:01 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
2007-08-05 12:01 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
2007-08-05 12:01 6,977 --a------ C:\WINDOWS\SYSTEM32\DDMI2.sys
2007-08-05 12:01 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
2007-08-05 12:01 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
2007-08-05 12:01 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
2007-08-05 12:01 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys
2007-08-02 22:36 <DIR> d-------- C:\Program Files\DiskCheckup
2007-08-02 22:34 <DIR> d-------- C:\Program Files\Lavalys
2007-07-29 14:05 <DIR> d-------- C:\DrWatson
2007-07-26 22:46 <DIR> d-------- C:\Program Files\Smart WAV Converter
2007-07-26 22:43 <DIR> d-------- C:\DOCUME~1\steve\APPLIC~1\SiteAdvisor
2007-07-26 22:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-07-26 22:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-23 19:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-23 19:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2007-07-23 19:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-07-22 20:25 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-07-22 16:43 11,254 --a------ C:\WINDOWS\SYSTEM32\locate.com
2007-07-22 16:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-22 15:02 <DIR> d-------- C:\MGTools
2007-07-22 14:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-22 14:37 <DIR> d-------- C:\DOCUME~1\steve\APPLIC~1\Sunbelt Software
2007-07-22 10:42 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
2007-07-22 10:42 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-07-22 10:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sunbelt Software
2007-07-22 10:28 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-22 10:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-22 10:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-07-22 10:03 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-22 07:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-22 07:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-22 00:00 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-21 23:50 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-07-21 23:24 <DIR> d-------- C:\DOCUME~1\steve\APPLIC~1\RegClean
2007-07-21 10:31 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-21 02:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-18 23:43 6,291,456 --a------ C:\DOCUME~1\steve\ntuser.dat
2007-07-18 23:43 1,310,720 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-04 15:35 12843 --a------ C:\WINDOWS\mozver.dat
2007-07-24 22:25 --------- d-------- C:\Program Files\PDMarq Audio Recorder
2007-07-23 19:00 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-07-23 19:00 286720 --------- C:\WINDOWS\Setup1.exe
2007-07-23 18:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 18:51 --------- d-------- C:\Program Files\MUSICMATCH
2007-07-22 16:12 --------- d-------- C:\Program Files\DellSupport
2007-07-22 15:14 --------- d-------- C:\Program Files\CCleaner
2007-07-22 07:44 --------- d-------- C:\Program Files\Lavasoft
2007-07-22 07:37 --------- d-------- C:\DOCUME~1\steve\APPLIC~1\Lavasoft
2007-07-22 00:14 --------- d-------- C:\Program Files\BitLord
2007-07-21 23:34 --------- d-------- C:\Program Files\Online Services
2007-06-15 14:37 27376 --a------ C:\WINDOWS\system32\SBBD.exe
2007-05-16 08:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2003-09-10 22:30 55808 --a------ C:\DOCUME~1\steve\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 16:22]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 10:28]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 11:44]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-27 09:38]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 17:56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 MASPINT;MASPINT;C:\WINDOWS\system32\drivers\MASPINT.sys
R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys

*Newly Created Service* - SBAPIFS

Contents of the 'Scheduled Tasks' folder
2007-07-23 19:22:24 C:\WINDOWS\Tasks\howard100.job
2007-08-05 11:32:40 C:\WINDOWS\Tasks\howard101.job - C:\PROGRA~1\PDMARQ~1\PDMARQ~1.EXE
2007-08-06 02:32:18 C:\WINDOWS\Tasks\howardreplay.job - C:\PROGRA~1\PDMARQ~1\PDMARQ~1.EXE
2007-08-06 11:32:59 C:\WINDOWS\Tasks\howardstern.job - C:\Program Files\PDMarq Audio Recorder\PDMarq Audio Recorder.exe
2007-08-06 13:02:26 C:\WINDOWS\Tasks\howardsternact2.job - C:\PROGRA~1\PDMARQ~1\PDMARQ~1.EXE
2007-08-06 14:32:26 C:\WINDOWS\Tasks\howardsternact3.job - C:\PROGRA~1\PDMARQ~1\PDMARQ~1.EXE
2007-08-06 16:02:24 C:\WINDOWS\Tasks\howardwrapup.job - C:\PROGRA~1\PDMARQ~1\PDMARQ~1.EXE
2007-08-01 00:33:11 C:\WINDOWS\Tasks\jokehunt.job - C:\PROGRA~1\PDMARQ~1\PDMARQ~1.EXE
2007-08-05 17:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job - C:\Program Files\RegClean\RegClean.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 20:04:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-06 20:05:30
C:\ComboFix-quarantined-files.txt ... 2007-08-06 20:04

--- E O F ---

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:16 PM

Posted 07 August 2007 - 12:34 AM

Hi frank,

Sorry to hear you hard disk is going, but better to find out now that let it crash completly and have no access to the data on the disk.


Is it as easy as just copying my programs/files like say firefox over to the external and when the new one is ready bringing them back?


No, not that easy.
You cannot back up installed programs. You can only backup data files.
If you reinstall Windows, then you will need the original disks or downloads for reinstalling the actual programs. There are far too many registry entries for any particular program for you to be able to find and save them all.

Anything you cannot replace easily should be at the top of your list to backup. Before you get started, make a checklist of files to back up. This will help you determine what to back up, and also give you a reference list in the event you need to retrieve a backed-up file.

Here are some file suggestions to get you started:

Bank records and other financial information
Digital photographs
Software you purchased and downloaded from the Internet
Music you purchased and downloaded from the Internet
Personal projects
Your e-mail address book
Your Microsoft Outlook calendar
Your Internet Explorer bookmarks

I suggest you ask for advice on backing up at our Windows XP Home and Professional forum.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:16 PM

Posted 14 August 2007 - 01:49 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users