Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Hijacked


  • Please log in to reply
7 replies to this topic

#1 blessedx8

blessedx8

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 17 September 2007 - 04:42 PM

When I open my browser and type something in the search the page displays properly. When I click on a topic result to go to that web page I am redirected to other types of searches or to ads.

I downloaded hijack this and removed what looked suspicious to me, but I must not have found the problem because I am still having trouble.

Here is the log:

Attached Files



BC AdBot (Login to Remove)

 


m

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 18 September 2007 - 05:00 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum blessedx8 :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please remove\uninstall Trend Micro HijackThis v2.0.0 (BETA) via Add/Remove Programs.

*NOTE*
If you have previously downloaded ComboFix,please delete that version and download it again from below.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Download Trend Micro HijackThis 2.0.2 to your desktop:
Double click on HJTInstall.exe,it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
When the install is complete,HijackThis will automatically launch.
When the license agreement appears,select "I Accept" and then click on the "Do a system scan only" button.
When the scan is complete,click on the "Save Log" button,then save it to your desktop.
Copy and paste the entire contents of that log into your next reply.

*Note*
After posting the log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised.
Doing so can result in system changes which may not show it the log you already posted.
Further, any modifications you make may cause confusion and could complicate any/the malware removal process.
Posted Image
Posted Image

#3 blessedx8

blessedx8
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 23 September 2007 - 12:58 PM

Thank you for your help. I am sorry for the delay in responding.

Here is the combofix log.

ComboFix 07-09-21.2 - "Administrator" 09/23/2007 10:34:09.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.57 [GMT -7:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\kdjls.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-23 10:31 51,200 --a------ C:\WINNT\NirCmd.exe
2007-09-21 20:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-09-14 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-09-14 20:56 <DIR> d-------- C:\Program Files\MyFantasyMaker
2007-09-14 18:10 <DIR> d-------- C:\Program Files\FaceOnBody
2007-09-14 18:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FaceOnBody
2007-09-13 20:24 213,504 --a------ C:\WINNT\system32\SpoonUninstall.exe
2007-09-13 20:24 1,061 --a------ C:\WINNT\system32\SpoonUninstall-Saint Paint Studio.dat
2007-09-13 20:24 <DIR> d-------- C:\Program Files\Saint Paint
2007-09-13 07:22 143,360 --a------ C:\WINNT\system32\dunzip32.dll
2007-09-13 07:17 203,096 --a------ C:\WINNT\system32\wuweb.dll
2007-09-12 22:33 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-09-12 22:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 20:29 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\yahoo!
2007-09-12 03:22 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-09-11 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SiteAdvisor
2007-09-11 21:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-11 20:45 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-11 20:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 20:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-08 14:18 983,040 --a------ C:\WINNT\FeedingFrenzy.scr
2007-09-08 14:18 37 --a------ C:\WINNT\popcinfot.dat
2007-09-08 14:18 0 --a------ C:\WINNT\popcreg.dat
2007-09-05 20:10 <DIR> d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\acccore
2007-09-05 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-09-05 20:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-05 19:52 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-05 19:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-09-05 19:51 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-05 19:43 <DIR> d-------- C:\Program Files\AIM6
2007-09-05 19:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-01 05:22 <DIR> d-------- C:\Program Files\Kaneva
2007-08-24 18:48 <DIR> d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\SBTT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
99-12-07 05:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
07-09-23 10:25 --------- d-------- C:\Program Files\Nick Arcade
07-09-23 02:35 --------- d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\SiteAdvisor
07-09-21 18:48 --------- d-------- C:\Program Files\McAfee
07-09-12 20:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
07-09-12 03:23 --------- d-------- C:\Program Files\SiteAdvisor
07-09-12 03:23 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
07-09-11 21:54 --------- d-------- C:\Program Files\Opera
07-09-11 21:09 --------- d-------- C:\Program Files\Yahoo!
07-09-11 19:28 --------- d-------- C:\Program Files\PopCap Games
07-09-06 16:31 --------- d-------- C:\Program Files\MySpace
07-09-05 00:13 --------- d-------- C:\Program Files\LimeWire
07-09-05 00:01 --------- d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\LimeWire
07-08-21 18:32 --------- d-------- C:\Program Files\Google
07-08-11 15:33 --------- d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\Opera
07-08-10 21:59 --------- d-------- C:\Program Files\Kuma Games
07-08-07 13:58 8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
07-08-07 13:56 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
07-08-04 21:39 --------- d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\Google
07-08-02 01:23 --------- d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\MySpace
07-07-30 23:35 --------- d-------- C:\Program Files\Apple Software Update
07-07-30 23:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
07-07-30 23:30 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
07-07-30 19:24 --------- d-------- C:\Program Files\Common Files\McAfee
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
07-07-26 10:12 --------- d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\Real
07-07-26 10:10 --------- d-------- C:\Program Files\Common Files\xing shared
07-07-26 10:10 --------- d-------- C:\Program Files\Common Files\Real
07-07-26 10:08 --------- d-------- C:\Program Files\Real
07-07-24 14:10 --------- d-------- C:\DOCUME~1\PAULAM~1\APPLIC~1\AdobeUM
07-07-24 12:02 33800 --a------ C:\WINNT\system32\drivers\mferkdk.sys
07-07-24 07:40 79304 --a------ C:\WINNT\system32\drivers\mfeavfk.sys
07-07-05 14:35 271 ---h----- C:\Program Files\desktop.ini
07-07-05 14:35 21952 ---h----- C:\Program Files\folder.htt
07-06-26 02:57 235280 --a------ C:\WINNT\system32\GDI32.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [03-05-08 11:34 ]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [07-07-28 09:32 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [07-03-14 03:43 ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [06-07-24 13:28 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-07-26 10:08 ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [07-08-04 02:33 ]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [07-08-08 15:53 ]
"combofix"="C:\WINNT\system32\cmd.exe" [04-11-02 15:48 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [07-07-16 15:17 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
Trend Micro Anti-Spyware.lnk - C:\Program Files\Trend Micro\Tmasy\Tmasy.exe [2007-09-12 22:33:20]

C:\DOCUME~1\PAULAM~1\STARTM~1\Programs\Startup\
hc_tray.lnk - C:\Program Files\Kuma Games\hcsystray\hc_tray.exe [2007-04-26 13:49:20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

S2 0305331190425692mcinstcleanup;McAfee Application Installer Cleanup (0305331190425692);C:\WINNT\TEMP\030533~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service

*Newly Created Service* - 0305331190425692MCINSTCLEANUP
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 00:39:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
"2007-09-01 08:01:20 C:\WINNT\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 10:48:20
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-23 10:51:22 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-23 10:50
.
--- E O F ---

#4 blessedx8

blessedx8
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 23 September 2007 - 01:00 PM

Here is the hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:51 AM, on 9/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O23 - Service: McAfee Application Installer Cleanup (0305331190425692) (0305331190425692mcinstcleanup) - Unknown owner - C:\WINNT\TEMP\030533~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4860 bytes

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 23 September 2007 - 01:28 PM

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Also post a new Hijackthis log.
Let me know how your pc is running now please.
Posted Image
Posted Image

#6 blessedx8

blessedx8
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 23 September 2007 - 09:02 PM

Username "Administrator" - 09/23/2007 18:46:51 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"MWLExe"="C:\\Program Files\\Mcafee\\MWL\\MWLGui.exe /Start"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6172\\SiteAdv.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"
"AAWTray"="C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\AAWTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#7 blessedx8

blessedx8
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:38 AM

Posted 23 September 2007 - 09:32 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:29 PM, on 9/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Mcafee\MWL\MWLGui.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mcafee\MWL\MwlSvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O23 - Service: McAfee Application Installer Cleanup (0305331190425692) (0305331190425692mcinstcleanup) - Unknown owner - C:\WINNT\TEMP\030533~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5224 bytes


The browser seems to be working now. Thank you so much :thumbsup:

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 24 September 2007 - 05:09 AM

Your log is clean :thumbsup:
If all's ok,please do the following.

Find and delete:
Combofix.exe
Fixwareout.exe

C:\fixwareout
C:\QOOBOX
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section,have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed,cleaning is finished.

Read through the information found here,to help you prevent any possible future infections.
How to prevent Malware by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users