
Hijack This Log


7 replies to this topic

#1 Edible (Members, 4 posts)

Posted 30 July 2007 - 04:46 AM

I've used almost all of the anti-spyware suggested so far. I have also reformatted my computer numerous times, and it will still keep popping up. I have installed all of my usual anti-spyware items and other add-ons (such as LimeWire and Winamp, etc.) every time I reformat. So it's clear that in one of the programs there is spyware inside of it...

I do not wish to reformat again and I do not want to change all my programs that I use. But if I'm told to I will :thumbsup:

I have read another topic based on my exact problem in your forums, http://www.bleepingcomputer.com/forums/lof...hp/t101189.html, I have looked at both of them but I really don't see a match where it would suggest spyware.

Finally, the log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:58 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Eset\nod32kui.exe
C:\Windows\system32\isys32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\World of Warcraft\WoW-2.1.0.6729-to-2.1.1.6739-enUS-downloader.exe
C:\DOCUME~1\Edible\LOCALS~1\Temp\Blizzard Installer Bootstrap - 0057a774\Installer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Edible\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MonAppli] C:\Windows\system32\isys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 3131 bytes


I'm not very good at these, so I could have missed several things :flowers:. The main thing that's popping up as a reminder is http://smartgame.uni.cc/

Hopefully I'm posting the correct information :D

Thanks for the help


#2 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 30 July 2007 - 07:45 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Edible :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.exe
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\Windows\system32\isys32.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

------------------------------------------------------

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

------------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.

#3 Edible, Topic Starter (Members, 4 posts)

Posted 30 July 2007 - 08:30 PM

Thank you Richie for helping me :thumbsup:

I followed your steps in order and here are the logs...

Username "Edible" - 2007-07-30 19:11:50 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"TPSMain"="TPSMain.exe"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"MonAppli"="C:\\Windows\\system32\\isys32.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

ComboFix 07-07-31 - "Edible" 2007-07-30 19:18:25.1 [GMT -6:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-30 19:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-30 19:11 8,686 --a------ C:\dnsbak.reg
2007-07-30 19:08 <DIR> d-------- C:\!KillBox
2007-07-30 02:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-30 00:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-30 00:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-30 00:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 00:16 <DIR> d-------- C:\DOCUME~1\Edible\APPLIC~1\SUPERAntiSpyware.com
2007-07-29 23:44 <DIR> d-------- C:\Program Files\World of Warcraft
2007-07-29 23:44 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-07-29 23:34 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-07-29 23:34 34,885 --a------ C:\WINDOWS\DIIUnin.dat
2007-07-29 23:34 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-29 23:34 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-07-29 23:26 <DIR> d-------- C:\DOCUME~1\Edible\Contacts
2007-07-29 23:25 <DIR> d-------- C:\Program Files\Steam
2007-07-29 23:24 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-29 23:22 <DIR> d-------- C:\Program Files\Diablo II
2007-07-29 23:19 967 --a------ C:\WINDOWS\ScUnin.pif
2007-07-29 23:19 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-07-29 23:19 35,382 --a------ C:\WINDOWS\scunin.dat
2007-07-29 23:18 <DIR> d-------- C:\Program Files\Starcraft
2007-07-29 23:06 <DIR> d-------- C:\WINDOWS\pss
2007-07-29 23:00 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-07-29 22:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-29 22:58 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-29 22:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-07-29 22:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-07-29 22:49 <DIR> d-------- C:\Program Files\LimeWire
2007-07-29 22:48 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-07-29 22:47 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-29 22:47 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-29 22:47 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-07-29 22:46 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-29 22:46 <DIR> d-------- C:\Program Files\Microsoft Works
2007-07-29 22:45 <DIR> dr-h----- C:\MSOCache
2007-07-29 22:42 36,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-07-29 22:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-07-29 22:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-07-29 22:42 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-29 22:42 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-29 22:41 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-29 22:41 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-07-29 22:40 <DIR> d-------- C:\Program Files\Winamp
2007-07-29 22:38 <DIR> d-------- C:\Program Files\VideoLAN
2007-07-29 22:37 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-07-29 22:37 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-07-29 22:37 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-07-29 22:36 <DIR> d-------- C:\Program Files\PowerISO
2007-07-29 22:35 9,216 --a------ C:\WINDOWS\system32\agrsmsvc.exe
2007-07-29 22:35 77,824 --a------ C:\WINDOWS\system32\tosmreg.exe
2007-07-29 22:35 491,520 --a------ C:\WINDOWS\system32\cselect.exe
2007-07-29 22:35 45,056 --a------ C:\WINDOWS\system32\csellang.dll
2007-07-29 22:35 135,168 -ra------ C:\WINDOWS\system32\igfxres.dll
2007-07-29 22:35 13,312 --a------ C:\WINDOWS\system32\agrscoin.dll
2007-07-29 22:35 1,161,888 --a------ C:\WINDOWS\system32\drivers\AGRSM.sys
2007-07-29 22:35 <DIR> d--hs---- C:\RECYCLER
2007-07-29 22:35 <DIR> d-------- C:\Program Files\ltmoh
2007-07-29 22:32 90,112 --a------ C:\WINDOWS\system32\CpuPerf.dll
2007-07-29 22:32 81,920 --a------ C:\WINDOWS\system32\TPwrReg.dll
2007-07-29 22:32 679,936 --a------ C:\WINDOWS\system32\NETw4c32.dll
2007-07-29 22:32 53,248 --a------ C:\WINDOWS\system32\TPwrCfg.dll
2007-07-29 22:32 53,248 --a------ C:\WINDOWS\system32\TPSTrace.dll
2007-07-29 22:32 53,248 --a------ C:\WINDOWS\system32\TPSDel.dll
2007-07-29 22:32 45,056 --a------ C:\WINDOWS\system32\TPSMainCtl.dll
2007-07-29 22:32 45,056 --a------ C:\WINDOWS\system32\TPSBattM.exe
2007-07-29 22:32 45,056 --a------ C:\WINDOWS\system32\TPSAddin.dll
2007-07-29 22:32 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-07-29 22:32 282,624 --a------ C:\WINDOWS\system32\TPSMain.exe
2007-07-29 22:32 2,756,608 --a------ C:\WINDOWS\system32\NETw4r32.dll
2007-07-29 22:32 2,203,520 --a------ C:\WINDOWS\system32\drivers\NETw4x32.sys
2007-07-29 22:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-29 22:32 <DIR> d-------- C:\Program Files\TOSHIBA
2007-07-29 22:32 <DIR> d-------- C:\DOCUME~1\Edible\WINDOWS
2007-07-29 22:31 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2007-07-29 22:31 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2007-07-29 22:31 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2007-07-29 22:31 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2007-07-29 22:31 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2007-07-29 22:31 32,768 --a------ C:\WINDOWS\system32\EBLib.DLL
2007-07-29 22:31 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2007-07-29 22:31 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2007-07-29 22:31 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2007-07-29 22:31 11,264 --a------ C:\WINDOWS\system32\drivers\TPwSav.sys
2007-07-29 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\XP
2007-07-29 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Vista64
2007-07-29 22:28 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-07-29 22:28 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2007-07-29 22:28 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-07-29 22:27 9,715,200 -ra------ C:\WINDOWS\RTLCPL.exe
2007-07-29 22:27 86,016 -ra------ C:\WINDOWS\SoundMan.exe
2007-07-29 22:27 69,632 -ra------ C:\WINDOWS\Alcmtr.exe
2007-07-29 22:27 4,429,312 -ra------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-07-29 22:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-29 22:27 2,808,832 -ra------ C:\WINDOWS\alcwzrd.exe
2007-07-29 22:27 2,162,688 -ra------ C:\WINDOWS\MicCal.exe
2007-07-29 22:27 176 -ra------ C:\WINDOWS\system32\drivers\RTHDAEQ1.dat
2007-07-29 22:27 176 -ra------ C:\WINDOWS\system32\drivers\RTHDAEQ0.dat
2007-07-29 22:27 16,377,344 -ra------ C:\WINDOWS\RTHDCPL.exe
2007-07-29 22:27 1,826,816 -ra------ C:\WINDOWS\SkyTel.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 14:49 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\Alcmtr.exe]
"TPSMain"="TPSMain.exe" [2005-05-31 17:16 C:\WINDOWS\system32\TPSMain.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-29 22:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-07-29 23:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Edible^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Edible\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

R1 nod32drv;nod32drv;C:\WINDOWS\system32\drivers\nod32drv.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R1 TPwSav;TPwSav;\??\C:\WINDOWS\system32\drivers\TPwSav.sys
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys
R3 usbvideo;USB Video Device (WDM);C:\WINDOWS\system32\Drivers\usbvideo.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 19:19:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 19:19:39

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:50 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Edible\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2516 bytes

Ugh, that's a lot to read o.o
I really appreciate you for doing this

#4 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 31 July 2007 - 06:12 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

--------------------------------------------------

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

Restart your pc, post a new Hijackthis log.
Let me know how your pc is running now.
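As an added example (my own code, not anything from the thread or from the HijackThis tool), a small Python triage script that parses HijackThis Rn/On entries, flags the patterns Richie acted on above (an O2 BHO with '(no file)', the about:blank start page, and an O4 Run entry still pointing at the deleted isys32.exe), and diffs two logs so a helper can confirm which entries disappeared after a fix. The sample logs are constructed from trimmed excerpts of Edible's first and last logs; the file name list passed to it is an assumption for this thread.

```python
import re
from dataclasses import dataclass

# One HijackThis entry, e.g. "O4 - HKLM\..\Run: [MonAppli] C:\Windows\system32\isys32.exe".
# Header lines ("Logfile of ...", "Running processes:", bare process paths) do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, O2, O4, O23, ...
    body: str     # everything after "Rn - " / "On - "


def parse_hjt(text):
    """Extract the Rn/Fn/On entries from a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def why_suspicious(entry, deleted_files=()):
    """Return a reason if the entry matches a pattern the helper acted on in
    this thread, else None. deleted_files lists binaries already removed
    (here isys32.exe); an autorun still pointing at one is a leftover."""
    if entry.section == "O2" and "(no file)" in entry.body:
        return "BHO CLSID registered but its DLL is missing"
    if entry.section == "R0" and "Start Page = about:blank" in entry.body:
        return "IE start page reset to about:blank"
    if entry.section == "O4":
        for name in deleted_files:
            if name.lower() in entry.body.lower():
                return f"autorun entry still references removed file {name}"
    return None


def triage(text, deleted_files=()):
    """List (entry, reason) pairs for every flagged entry in a log."""
    flagged = []
    for entry in parse_hjt(text):
        reason = why_suspicious(entry, deleted_files)
        if reason:
            flagged.append((entry, reason))
    return flagged


def diff_logs(before, after):
    """Entries present only in the earlier log, and only in the later one."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return (sorted(b - a, key=lambda e: (e.section, e.body)),
            sorted(a - b, key=lambda e: (e.section, e.body)))


# Constructed sample input: excerpts of the first and the final log in the
# thread, trimmed to the entries that changed between them.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\isys32.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MonAppli] C:\Windows\system32\isys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(LOG_BEFORE, deleted_files=("isys32.exe",)):
        print(f"{entry.section}: {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", [e.body for e in removed], "added:", [e.body for e in added])
```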

#5 Edible, Topic Starter (Members, 4 posts)

Posted 01 August 2007 - 02:58 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:26 AM, on 8/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Edible\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 2139 bytes


That's the new Hijackthis log

I wasn't getting any spyware after the first process, and when I did the second process, still no spyware

Thank you very much for fixing this problem for me :thumbsup:

Now should I delete these items that I've downloaded, or shall I keep them?

Thank you again very much so for your help :D

#6 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 01 August 2007 - 07:05 AM

Your log is clean :thumbsup:
If all's OK, please do the following.

Find and delete:
KillBox
Fixwareout
Combofix.exe

C:\!KillBox
C:\Fixwareout
C:\QOOBOX

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?' Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#7 Edible, Topic Starter (Members, 4 posts)

Posted 04 August 2007 - 12:46 AM

Everything's fine, thank you very much :D

#8 RichieUK, Malware Assassin (Malware Response Team, 13,614 posts)

Posted 04 August 2007 - 05:22 AM

You're welcome.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.