
Help! -worm/ Highjacker


  • This topic is locked
9 replies to this topic

#1 tino_ma

tino_ma

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:20 PM

Posted 02 August 2007 - 02:37 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:16 AM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blogtq.blogspot.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brought to you by TQ!
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\GDEZ41YV\RRT[1].exe auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185923711250
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D77CD-7EB2-4C35-8D5C-F4798FF69544}: NameServer = 58.69.254.78 58.69.254.80
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 2605 bytes

My computer has been infected by a local USB drive. After plugging it in, my Task Manager was disabled and my homepage was changed. My homepage keeps going to this site http://blogtq.blogspot.com/. On that site a person apologizes and gives a link that can remove the site. Luckily I read the comments before downloading, and I saw a lot of people cursing the person because the download wasn't really a cure but even caused the system to crash. I used online scans but nothing was able to detect it. I downloaded some antivirus software etc. like Windows Defender, AVG, Prevx 2.0, which detected nothing except for Prevx, which detected some trojans, but my Task Manager was still disabled and my homepage was still unchanged. I tried some online scanners from Symantec and Panda but there was still nothing. Symantec located a generic worm or something but was not able to cure it. I then saw the "Preparation Guide for use before posting a HijackThis Log" and followed the instructions. They were able to detect some trailing cache but the problem still remains. I also had to remove the antivirus programs I installed like AVG, BitDefender, adware etc. because my PC was really, really slowing down. Any click would take about 5 minutes.
Please help me. I have tried everything but I still cannot remove this, whatever it is...
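The log above already contains the entries a responder would pull out first: a Run-key value that launches a script with a double extension (winconfig.dll.vbs), a program started from the browser cache (RRT[1].exe under Content.IE5), a WScript.exe host in the process list, an HKCU policy that disables regedit, a changed IE start page, and hard-coded DNS servers. The following script is an added example, not a BleepingComputer tool or part of this thread; it parses HijackThis-style lines and applies exactly those heuristics. The sample log is constructed from lines quoted in the thread, and the severity labels and the set of file extensions and temp-folder markers are this example's own assumptions.

```python
"""Triage a HijackThis-style log: flag the autoruns and running processes a
malware responder looks at first (script files in Run keys, double extensions,
programs launched from temp or browser-cache folders, policy lockouts, a changed
IE start page, non-default DNS).  Added example; not a BleepingComputer tool."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed lists: extend them for your environment.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".pif", ".scr"}
BINARY_EXTS = {".exe", ".dll", ".com", ".sys"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\temporary internet files\\", "\\content.ie5\\")
LOCKOUT_POLICIES = {"disableregedit", "disableregistrytools", "disabletaskmgr", "disablecmd"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S")          # a bare path: 'Running processes' entry


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = act on it, "info" = verify it is yours
    line: str
    reason: str


def launched_path(cmd: str) -> str:
    """Program part of a Run-key command: strip quotes and trailing arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    # Shortest prefix ending in an extension that is followed by a space or the end,
    # so 'winconfig.dll.vbs' is kept whole and 'mstinit.exe /firstlogon' loses its args.
    m = re.match(r"^(.*?\.[A-Za-z0-9]{2,4})(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def check_program(path: str, where: str) -> list[str]:
    """Reasons a program path deserves a closer look (empty list = nothing odd)."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]
    reasons = []
    if suffixes and suffixes[-1] in SCRIPT_EXTS:
        reasons.append(f"{where} runs a {suffixes[-1]} script rather than a program")
    if len(suffixes) >= 2 and suffixes[-2] in BINARY_EXTS | SCRIPT_EXTS:
        reasons.append(f"double extension {''.join(suffixes[-2:])} (file type disguised)")
    if any(marker in path.lower() for marker in TEMP_MARKERS):
        reasons.append(f"{where} lives in a temp or browser-cache folder")
    if p.name.lower() in SCRIPT_HOSTS:
        reasons.append(f"{p.name} is a script host; find the script it was started with")
    return reasons


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            for r in check_program(launched_path(m["cmd"]), "autorun"):
                findings.append(Finding("high", line, r))
        elif m := O7_RE.match(line):
            if m["value"].lower() in LOCKOUT_POLICIES and m["data"] != "0":
                findings.append(Finding("high", line, f"policy {m['value']} locks the user out of an admin tool"))
        elif m := R_RE.match(line):
            findings.append(Finding("info", line, f"IE {m['value'].strip()} is {m['data'].strip()!r}; confirm you set it"))
        elif m := O17_RE.match(line):
            findings.append(Finding("info", line, f"DNS servers {m['servers']}; confirm they are your ISP's"))
        elif PROC_RE.match(line):
            for r in check_program(line, "running process"):
                findings.append(Finding("high", line, r))
    return findings


# Constructed sample made of lines quoted from the thread's own HijackThis logs.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\WScript.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\iwwaibgl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blogtq.blogspot.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\GDEZ41YV\RRT[1].exe auto
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D77CD-7EB2-4C35-8D5C-F4798FF69544}: NameServer = 58.69.254.78 58.69.254.80
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n        {f.line}")
```

Run on the sample, the script reports six "high" findings (the WScript.exe host, the Temp-folder process, two reasons for winconfig.dll.vbs, the cache-folder RRT[1].exe, and the DisableRegedit policy) and two "info" findings (the start page and the DNS servers), while the Java updater and the quoted Prevx entry pass clean. The "info" items are deliberately not called malicious: a changed start page or custom DNS is only evidence once the user confirms they did not set it.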


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 02 August 2007 - 12:12 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum tino_ma :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

----------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log.

#3 tino_ma

tino_ma
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:20 PM

Posted 07 August 2007 - 05:32 AM

Thanks Richie. Sorry for the late reply. Unfortunately I don't have access to the internet every day.

ComboFix 07-08-07.5 - "Admin" 2007-08-08 5:32:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.72 [GMT 8:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\autorun.inf
c:\winconfig.dll.vbs
C:\WINDOWS\winconfig.dll.vbs
d:\autorun.inf
d:\winconfig.dll.vbs


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-08 05:27 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 05:25 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-08 05:11 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-08-08 05:10 9,984 --a------ C:\WINDOWS\system32\drivers\DriveSentryRegHookDriver.sys
2007-08-08 05:10 73,728 -r------- C:\WINDOWS\system32\psProxy.dll
2007-08-08 05:10 53,248 --------- C:\WINDOWS\system32\Winlogonevents.dll
2007-08-08 05:10 380,928 -r------- C:\WINDOWS\system32\pSOAP32.dll
2007-08-08 05:10 188,416 -r------- C:\WINDOWS\system32\pocketHTTP.dll
2007-08-08 05:10 16,000 --a------ C:\WINDOWS\system32\drivers\DriveSentryCommsDriver.sys
2007-08-08 05:10 12,800 --a------ C:\WINDOWS\system32\drivers\DriveSentryFilterDriver2Lite.sys
2007-08-08 05:10 110,676 -r------- C:\WINDOWS\system32\psDime.dll
2007-08-08 05:10 <DIR> d-------- C:\Program Files\DriveSentry
2007-08-08 05:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tarma Installer
2007-08-08 05:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DriveSentry
2007-08-03 05:54 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Uniblue
2007-08-03 03:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-02 08:31 14 --a------ C:\DOCUME~1\Admin\getfile.dat
2007-08-01 07:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-01 07:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-01 07:35 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-01 07:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-08-01 07:19 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-01 03:26 14 --a------ C:\WINDOWS\system32\getfile.dat
2007-08-01 03:25 8,576 --a------ C:\WINDOWS\system32\drivers\wnrftevoanej.sys
2007-07-31 08:01 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-31 07:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-31 07:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-29 23:25 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Prevx
2007-07-29 23:22 <DIR> d-------- C:\Program Files\Prevx2
2007-07-29 23:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-07-29 23:21 77,312 --a------ C:\WINDOWS\ua2.dll
2007-07-29 23:08 <DIR> d---s---- C:\DOCUME~1\Admin\UserData
2007-07-29 07:15 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-29 07:02 <DIR> d--hs---- C:\RECYCLER
2007-07-29 06:31 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-07-29 06:31 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-07-29 06:31 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-07-29 06:31 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-29 06:29 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-29 06:28 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-29 04:36 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-07-29 04:33 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-07-29 04:32 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-07-29 04:32 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-07-29 04:31 <DIR> d-------- C:\Program Files\Microsoft Works
2007-07-29 04:30 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-07-29 04:24 <DIR> dr-h----- C:\MSOCache
2007-07-29 04:22 <DIR> d-------- C:\DOCUME~1\Admin\Shared
2007-07-29 04:22 <DIR> d-------- C:\DOCUME~1\Admin\Incomplete
2007-07-29 04:19 <DIR> d-------- C:\DOCUME~1\Admin\APPLIC~1\Yahoo!
2007-07-29 04:18 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-29 04:14 1,310,720 --ah----- C:\DOCUME~1\Admin\NTUSER.DAT
2007-07-29 04:13 262,144 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-07-29 04:13 225,280 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-07-29 04:13 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-07-29 04:13 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-29 04:12 9,216 --a--c--- C:\WINDOWS\system32\dllcache\wamps51.dll
2007-07-29 04:12 76,800 --a--c--- C:\WINDOWS\system32\dllcache\wam51.dll
2007-07-29 04:12 73,728 --a--c--- C:\WINDOWS\system32\dllcache\w3ext.dll
2007-07-29 04:12 53,248 --a--c--- C:\WINDOWS\system32\dllcache\wamreg51.dll
2007-07-29 04:12 5,632 --a--c--- C:\WINDOWS\system32\dllcache\w3svapi.dll
2007-07-29 04:12 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2007-07-29 04:12 363,520 --a--c--- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-07-29 04:12 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2007-07-29 04:11 9,728 --a--c--- C:\WINDOWS\system32\dllcache\rwnh.dll
2007-07-29 04:11 9,728 --a--c--- C:\WINDOWS\system32\dllcache\query.exe
2007-07-29 04:11 86,073 --a--c--- C:\WINDOWS\system32\dllcache\voicesub.dll
2007-07-29 04:11 8,704 --a--c--- C:\WINDOWS\system32\dllcache\snmptrap.exe
2007-07-29 04:11 79,872 --a--c--- C:\WINDOWS\system32\dllcache\rwia330.dll
2007-07-29 04:11 79,872 --a--c--- C:\WINDOWS\system32\dllcache\rwia001.dll
2007-07-29 04:11 76,288 --a--c--- C:\WINDOWS\system32\dllcache\uniime.dll
2007-07-29 04:11 70,144 --a--c--- C:\WINDOWS\system32\dllcache\pintlphr.exe
2007-07-29 04:11 7,680 --a--c--- C:\WINDOWS\system32\dllcache\pwsdata.dll
2007-07-29 04:11 7,168 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_snprfdll.dll
2007-07-29 04:11 67,584 --a--c--- C:\WINDOWS\system32\dllcache\pmigrate.dll
2007-07-29 04:11 6,144 --a--c--- C:\WINDOWS\system32\dllcache\snmpmib.dll
2007-07-29 04:11 6,144 --a--c--- C:\WINDOWS\system32\dllcache\pmxgl.dll
2007-07-29 04:11 57,856 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2007-07-29 04:11 53,760 --a--c--- C:\WINDOWS\system32\dllcache\pintlcsd.dll
2007-07-29 04:11 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-07-29 04:11 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-07-29 04:11 48,256 --a--c--- C:\WINDOWS\system32\dllcache\w32.dll
2007-07-29 04:11 46,592 --a--c--- C:\WINDOWS\system32\dllcache\svcext51.dll
2007-07-29 04:11 46,592 --a--c--- C:\WINDOWS\system32\dllcache\sspifilt.dll
2007-07-29 04:11 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
2007-07-29 04:11 455,168 --a--c--- C:\WINDOWS\system32\dllcache\tintsetp.exe
2007-07-29 04:11 45,056 --a--c--- C:\WINDOWS\system32\dllcache\ssinc51.dll
2007-07-29 04:11 44,032 --a--c--- C:\WINDOWS\system32\dllcache\tintlphr.exe
2007-07-29 04:11 426,041 --a--c--- C:\WINDOWS\system32\dllcache\voicepad.dll
2007-07-29 04:11 40,448 --a--c--- C:\WINDOWS\system32\dllcache\snmpthrd.dll
2007-07-29 04:11 4,608 --a--c--- C:\WINDOWS\system32\dllcache\w3ctrs51.dll
2007-07-29 04:11 4,096 --a--c--- C:\WINDOWS\system32\dllcache\rpcref.dll
2007-07-29 04:11 38,912 --a--c--- C:\WINDOWS\system32\dllcache\sm9aw.dll
2007-07-29 04:11 36,927 --a--c--- C:\WINDOWS\system32\dllcache\padrs411.dll
2007-07-29 04:11 358,400 --a--c--- C:\WINDOWS\system32\dllcache\snmpincl.dll
2007-07-29 04:11 32,768 --a--c--- C:\WINDOWS\system32\dllcache\snmp.exe
2007-07-29 04:11 31,744 --a--c--- C:\WINDOWS\system32\dllcache\smb6w.dll
2007-07-29 04:11 31,744 --a--c--- C:\WINDOWS\system32\dllcache\sma3w.dll
2007-07-29 04:11 31,744 --a--c--- C:\WINDOWS\system32\dllcache\pagecnt.dll
2007-07-29 04:11 31,232 --a--c--- C:\WINDOWS\system32\dllcache\tools.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SchedulingAgent"="mstinit.exe" [2004-08-04 06:56 C:\WINDOWS\system32\mstinit.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 04:03]
"winconfig"="C:\WINDOWS\winconfig.dll.vbs" []
"DriveSentry"="C:\Program Files\DriveSentry\DriveSentry.exe" [2007-05-25 16:59]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-08 05:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-05 23:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTrayContextMenu"=0 (0x0)

R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\system32\DRIVERS\pxfsf.sys
R1 PREVXTdi;PREVX TDI filter;C:\WINDOWS\system32\DRIVERS\pxtdi.sys
R1 PXRDDriver;PREVX Rootkitscan driver;C:\WINDOWS\system32\DRIVERS\pxrd.sys
R2 DriveSentryCommsDriver;DriveSentryCommsDriver;C:\WINDOWS\system32\DRIVERS\DriveSentryCommsDriver.sys
R2 DriveSentryFilterDriver2Lite;DriveSentryFilterDriver2Lite;C:\WINDOWS\system32\DRIVERS\DriveSentryFilterDriver2Lite.sys
R2 DriveSentryRegHookDriver;DriveSentryRegHookDriver;C:\WINDOWS\system32\DRIVERS\DriveSentryRegHookDriver.sys
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 PREVXEmulator;PREVX Emulator driver;C:\WINDOWS\system32\DRIVERS\PxEmu.sys


Contents of the 'Scheduled Tasks' folder
2007-08-02 22:44:59 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2007-08-02 22:27:17 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 05:39:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000000
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ZoneMap]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ZoneMap\ProtocolDefaults]
"tv"=dword:00000003
"dvd"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell]
"BagMRU Size"=dword:00001388

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU]
"NodeSlots"=hex:02
"MRUListEx"=hex:ff,ff,ff,ff
"NodeSlot"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop]
"Mode"=dword:00000001
"ScrollPos800x600(1).x"=dword:00000000
"ScrollPos800x600(1).y"=dword:00000000
"Sort"=dword:00000000
"SortDir"=dword:00000001
"Col"=dword:ffffffff
"ColInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,fd,df,df,fd,0f,..
"ScrollPos1024x768(1).x"=dword:00000000
"ScrollPos1024x768(1).y"=dword:00000000
"FFlags"=dword:00000224
"ScrollPos1152x864(1).x"=dword:00000000
"ScrollPos1152x864(1).y"=dword:00000000
"ScrollPos1280x960(1).x"=dword:00000000
"ScrollPos1280x960(1).y"=dword:00000000
"ItemPos1280x960(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,15,00,00,00,02,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 5:41:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 05:41

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:13 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DriveSentry\DriveSentry.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\iwwaibgl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blogtq.blogspot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 - HKLM\..\Run: [DriveSentry] C:\Program Files\DriveSentry\DriveSentry.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 2943 bytes

Also, I just want to say that after downloading something that enabled me to edit the registry, I tried to unlock the Task Manager, but the effect is temporary and it still keeps locking itself. I checked the permissions and saw that they all had the name "TQ" in them, the blogspot to which my homepage keeps being redirected. I changed the permission and denied it, but it also keeps returning to full control... Just thought it may help. Thanks...
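The ComboFix "Other Deletions" list in the post above (autorun.inf plus winconfig.dll.vbs on both the C: and D: roots) is the classic USB-worm footprint: the script copies itself to every drive root and drops an autorun.inf whose open/shellexecute/shell\...\command keys start it when the drive is inserted or opened from My Computer. The script below is an added example, not a tool from the thread or from ComboFix, that finds such hooks on a set of drive roots and resolves what they launch. The autorun.inf contents in the demo are constructed (the real file's contents are not in the thread), the key and interpreter lists are this example's assumptions, and the throwaway directories stand in for drive roots so it runs anywhere.

```python
"""Find autorun.inf launch hooks on drive roots.  Added example (not from the
thread or any tool named in it); it models the USB-worm spreading pattern the
ComboFix log shows: autorun.inf plus a script (winconfig.dll.vbs) on every root.
The autorun.inf contents used in the demo are constructed, not the real worm's."""
import tempfile
from pathlib import Path
from typing import Optional

# [autorun] keys that XP-era Windows would act on for a removable drive (assumed list).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe", "rundll32.exe", "start"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}


def parse_autorun(text: str) -> dict[str, str]:
    """key -> value from the [autorun] section.  Lines without '=' and other
    sections are ignored: real samples pad the file with junk to defeat naive parsers."""
    keys: dict[str, str] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def basename(p: str) -> str:
    return p.replace("\\", "/").rsplit("/", 1)[-1]


def split_command(value: str) -> list[str]:
    """Split 'prog args', keeping a leading double-quoted program path intact."""
    value = value.strip()
    if value.startswith('"') and value.find('"', 1) > 0:
        end = value.find('"', 1)
        return [value[1:end]] + value[end + 1:].split()
    return value.split()


def launched_file(value: str) -> str:
    """The file a hook actually runs: 'wscript.exe x.vbs' -> 'x.vbs',
    '"RECYCLER\\setup.exe" /s' -> 'RECYCLER\\setup.exe'."""
    tokens = [t.strip('"') for t in split_command(value)]
    if not tokens:
        return ""
    if basename(tokens[0]).lower() in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def inspect_root(root: Path) -> Optional[dict]:
    """Report the launch hooks in <root>/autorun.inf and what they point at."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return None
    keys = parse_autorun(inf.read_text(errors="replace"))
    targets = []
    for key in LAUNCH_KEYS:
        if key not in keys:
            continue
        target = root / launched_file(keys[key]).replace("\\", "/")
        targets.append({"key": key, "value": keys[key], "target": str(target),
                        "exists": target.is_file(),
                        "script": target.suffix.lower() in SCRIPT_EXTS})
    return {"root": str(root), "targets": targets}


def scan_roots(roots: list[Path]) -> list[dict]:
    """Inspect each drive root; on Windows pass e.g. [Path('D:/'), Path('E:/')]."""
    return [r for r in (inspect_root(root) for root in roots) if r is not None]


def demo() -> list[dict]:
    """Build a throwaway 'drive root' with a constructed autorun.inf that mirrors the
    files ComboFix deleted (autorun.inf + winconfig.dll.vbs), plus a clean root."""
    root = Path(tempfile.mkdtemp(prefix="usbroot_"))
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "open=winconfig.dll.vbs\n"
        "shellexecute=wscript.exe winconfig.dll.vbs\n"
        "shell\\open\\command=wscript.exe winconfig.dll.vbs\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    )
    (root / "winconfig.dll.vbs").write_text("' constructed placeholder, not the worm\n")
    clean = Path(tempfile.mkdtemp(prefix="cleanroot_"))
    return scan_roots([root, clean])


if __name__ == "__main__":
    for report in demo():
        print(report["root"])
        for t in report["targets"]:
            flag = "SCRIPT" if t["script"] else "      "
            print(f"  {flag} {t['key']:<20} -> {t['target']} (exists={t['exists']})")
```

Only the infected root shows up in the output, with all three hooks resolving to the same .vbs file; the icon= line is ignored because it launches nothing. On a real XP SP2 machine the dropped files usually also carry the hidden and system attributes, so check with `dir /a` rather than Explorer, and the lasting fix for the class of attack is to stop honouring autorun.inf on removable drives at all (the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer set to 0xFF, which Microsoft later made the default for non-optical media by update).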

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 07 August 2007 - 07:42 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\drivers\wnrftevoanej.sys
C:\DOCUME~1\Admin\LOCALS~1\Temp\iwwaibgl.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

------------------------------------------

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winconfig"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000000
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000


Restart your pc.

------------------------------------------

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Post a new Hijackthis log.
Let me know how the pc is running now please.

#5 tino_ma

tino_ma
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:20 PM

Posted 08 August 2007 - 09:24 AM

I have already solved the problem by downloading DriveSentry. It guards all your drives and prevents any exe from executing without permission and prevents them from altering system files. I deleted "registry.exe" and from then on all restrictions were gone. The only thing left is that my PC is still quite slow and it has not reached its potential.

I did the instructions too. I hope it makes my PC faster. Thanks Richie. :thumbsup:

C:\WINDOWS\system32\drivers\wnrftevoanej.sys moved successfully
File/Folder C:\DOCUME~1\Admin\LOCALS~1\Temp\iwwaibgl.exe not found.

Created on 08/08/2007 20:20:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:44 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DriveSentry\DriveSentry.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\ncyzhmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DriveSentry] C:\Program Files\DriveSentry\DriveSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D77CD-7EB2-4C35-8D5C-F4798FF69544}: NameServer = 58.69.254.78 58.69.254.80
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 3092 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:05:20 AM

Posted 09 August 2007 - 02:27 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R3 - Default URLSearchHook is missing
--------------------------------------------------
Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.
--------------------------------------------------
Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Restart your pc.
Also post a new Hijackthis log.

#7 tino_ma

tino_ma
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:20 PM

Posted 11 August 2007 - 03:00 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 11, 2007 4:25:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/08/2007
Kaspersky Anti-Virus database records: 355148
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 20494
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:50:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_EV-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_EV-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-03.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-03.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_RG-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_RG-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_TG-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_TG-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_VX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_VX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Prevx2\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx2\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx2\paws.cache Object is locked skipped
C:\Program Files\Prevx2\prevx.cache Object is locked skipped
C:\QooBox\Quarantine\C\winconfig.dll.vbs.vir Infected: Worm.VBS.Solow.b skipped
C:\QooBox\Quarantine\C\WINDOWS\winconfig.dll.vbs.vir Infected: Worm.VBS.Solow.b skipped
C:\QooBox\Quarantine\d\winconfig.dll.vbs.vir Infected: Worm.VBS.Solow.b skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:26 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DriveSentry] C:\Program Files\DriveSentry\DriveSentry.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D77CD-7EB2-4C35-8D5C-F4798FF69544}: NameServer = 58.69.254.78 58.69.254.80
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 3114 bytes

I've tried to remove the "R3 - Default URLSearchHook is missing" with HijackThis but it also keeps on returning. There seems to be a worm on my PC too.
Thanks.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 11 August 2007 - 04:30 AM

Disable Prevx as it's interfering.

1. Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.
2. On the Management Console click the Protection Level drop-down menu. You will see three levels:

Maximum
Off
User Defined

3. To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
4. Click the X on the upper right hand corner to exit the Management console.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R3 - Default URLSearchHook is missing

Find and delete:
C:\QOOBOX

-------------------------------------------------------

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a new Hijackthis log.
Let me know how your pc is running now.
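As an added example (not code from this thread, from Trend Micro or from Prevx), a small Python triage pass over HijackThis entries like the ones posted above: it pulls out the R3 "missing hook" marker that Richie has the user fix, the O17 NameServer override so the resolver addresses can be compared with the ISP's, and any O4 autorun that launches a script host, which is how a VBS worm such as the one quarantined in the Kaspersky log keeps itself running. The O4 wscript line in the sample is constructed; the other sample entries are taken from the log above.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).
Parses the 'Rx - ...' / 'Oxx - ...' entries and groups the ones a responder reads first."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", ".vbs", ".js")

@dataclass
class Entry:
    section: str   # e.g. "R3", "O4", "O17"
    body: str

def parse_hjt(text: str) -> list[Entry]:
    """Return only the numbered HijackThis entries; the process list and headers are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("sec"), m.group("body")))
    return out

def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Group the entries worth a second look, keyed by the reason they were flagged."""
    flags = {"missing_hook": [], "dns_override": [], "script_autorun": []}
    for e in entries:
        if e.section == "R3" and "missing" in e.body.lower():
            flags["missing_hook"].append(e.body)
        elif e.section == "O17" and "NameServer" in e.body:
            # Collect the resolver IPs so they can be checked against the ISP's servers.
            flags["dns_override"].extend(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", e.body))
        elif e.section == "O4" and any(h in e.body.lower() for h in SCRIPT_HOSTS):
            flags["script_autorun"].append(e.body)
    return flags

# Constructed sample: entries from the thread's log plus one made-up O4 autorun
# of the kind a VBS worm leaves behind (winconfig.dll.vbs is the quarantined file above).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe

R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [winconfig] wscript.exe C:\WINDOWS\winconfig.dll.vbs
O17 - HKLM\System\CCS\Services\Tcpip\..\{D92D77CD-7EB2-4C35-8D5C-F4798FF69544}: NameServer = 58.69.254.78 58.69.254.80
"""

if __name__ == "__main__":
    for reason, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(reason, items)
```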

#9 tino_ma

tino_ma
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:20 PM

Posted 14 August 2007 - 02:00 AM

I can't start it in safe mode. I can't find the setting. Anyway, to save time and effort I just had my PC reformatted so it'll be as good as new.
Thanks for all the help Richie :thumbsup: really appreciated it...

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:05:20 AM

Posted 14 August 2007 - 05:14 PM

Ok, thanks for the update.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.