Hijackthislog Help Please B Whataboutadog


  • This topic is locked
15 replies to this topic

#1 melton2525

melton2525

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 27 October 2007 - 03:14 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:26 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://s.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex...wareControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 5456 bytes


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 27 October 2007 - 06:04 PM

Hello melton2525,

I am SifuMike and I will be helping you.


Any idea where you got whataboutadog from?


Whether or not it's helpful, we're interested in knowing where it came from so that we can get it ourselves. We need to further analyze this infection. We've had reports of users becoming infected while looking for Vanessa Anne Hudgens pics.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 27 October 2007 - 06:41 PM

May have come from kids' games on the net, or me looking at pics. The kids use my wife's computer and it's not on that one (I think it's the only thing it doesn't have), but mine first :) Here is the log:
Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 10/27/2007
The current time is: 19:36:08.26


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
08/08/2001 03:36 AM 90,112 hkcmd.exe
08/08/2001 04:25 AM 143,360 igfxtray.exe
09/06/2001 03:05 AM 794,112 LXSUPMON.EXE
4 File(s) 1,042,944 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

09/06/2001 02:45 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\hkcmd.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\bak\hkcmd.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\igfxtray.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\bak\igfxtray.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxtray.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\bak\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\LXSUPMON.EXE"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28176 Oct 2 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\2\printray.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report

#4 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 27 October 2007 - 06:51 PM

The pics and video come from Yahoo and Yahoo search. Don't know if that helps, and thank you for helping me.

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 27 October 2007 - 10:04 PM

Hi melton2525,

Please double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:



"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\LXSUPMON.EXE"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
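The restore list in the post above can be derived mechanically from the "Duplicate files of bak directory contents" section of the first FindAWF report (post #3). The following is an added example, not FindAWF's or the forum's own code; it assumes the report layout shown in this thread and the heuristic that a file in a bak folder whose same-named copy one level up differs in size or date is the backed-up original, with the differing parent copy being the wrapper the infection dropped.

```python
"""Derive a FindAWF files.txt restore list from the 'Duplicate files of bak
directory contents' section of a FindAWF report (added example, not FindAWF's
own code).  Assumed heuristic: a file in a 'bak' folder whose same-named copy
one level up differs in size or date is the backed-up original, and the
differing parent copy is the wrapper the infection dropped in its place."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the duplicate-files section of the first report
# posted in this thread, reproduced here as test data.
SAMPLE_REPORT = r'''Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\hkcmd.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\bak\hkcmd.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\igfxtray.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\bak\igfxtray.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxtray.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\bak\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\LXSUPMON.EXE"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28176 Oct 2 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\2\printray.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"

end of report
'''

# One report line: <size> <Mon D YYYY> "<path>"
ENTRY_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_duplicates(report):
    """Return [(size, date, PureWindowsPath)] for each file line in the
    duplicate-files section, stopping at 'end of report'."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif line.strip().lower() == "end of report":
            break
        elif in_section:
            m = ENTRY_RE.match(line)
            if m:
                size, date, path = m.groups()
                entries.append((int(size), date, PureWindowsPath(path)))
    return entries


def restore_candidates(entries):
    """Pair every file inside a 'bak' folder with the same-named file one
    level up.  The bak copy is a restore candidate when the parent copy is
    missing or differs in size/date; identical pairs are left alone.
    Returns (restore=[(bak_path, reason)], clean=[matching parent paths])."""
    by_path = {str(p).lower(): (size, date) for size, date, p in entries}
    restore, clean = [], []
    for size, date, path in entries:
        if path.parent.name.lower() != "bak":
            continue
        parent_copy = path.parent.parent / path.name
        found = by_path.get(str(parent_copy).lower())
        if found is None:
            restore.append((str(path), "no copy in parent folder"))
        elif found != (size, date):
            restore.append((str(path), f"parent copy is {found[0]} bytes "
                            f"{found[1]}, backup is {size} bytes {date}"))
        else:
            clean.append(str(parent_copy))
    return restore, clean


def files_txt(restore):
    """Render the restore list as the quoted paths FindAWF's files.txt
    expects, one per line (the form used in this thread)."""
    return "\n".join(f'"{path}"' for path, _ in restore)


if __name__ == "__main__":
    restore, clean = restore_candidates(parse_duplicates(SAMPLE_REPORT))
    for path, reason in restore:
        print(f"restore {path}: {reason}")
    print("\nfiles.txt:\n" + files_txt(restore))
```

Run against the sample, the five bak paths it selects are exactly the list pasted into files.txt above, and ctfmon.exe, whose parent copy matches its backup byte for byte, is correctly left out.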

#6 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 27 October 2007 - 11:04 PM

OK, I did it. Here is the new log:
Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/28/2007
The current time is: 0:02:12.00


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
08/08/2001 03:36 AM 90,112 hkcmd.exe
08/08/2001 04:25 AM 143,360 igfxtray.exe
09/06/2001 03:05 AM 794,112 LXSUPMON.EXE
4 File(s) 1,042,944 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

09/06/2001 02:45 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\hkcmd.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\bak\hkcmd.exe"
90112 Aug 8 2001 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\igfxtray.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\bak\igfxtray.exe"
143360 Aug 8 2001 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\igfxtray.exe"
794112 Sep 6 2001 "C:\WINDOWS\system32\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\bak\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\LXSUPMON.EXE"
794112 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\LXSUPMON.EXE"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\printray.exe"
36864 Sep 6 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 28 October 2007 - 12:32 AM

Hi melton2525,

Please double-click the FindAWF icon once again.
This time we are going to remove some folders. :thumbsup:

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINDOWS\system32\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\WINDOWS\system32\spool\drivers\w32x86\2\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#8 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 28 October 2007 - 12:53 AM

OK, did that too. Here is the log. I notice that there is less log this time:
Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sun 10/28/2007
The current time is: 1:51:03.25


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 28 October 2007 - 01:08 AM

Hi melton2525,


Find and delete the following folder:

C:\PROGRA~1\YAHOO!\MESSEN~1\BAK <== folder

*********************

Run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

*********************

You need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :thumbsup:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

After you run the antivirus program, run Hijackthis and post a log.

#10 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 28 October 2007 - 10:55 AM

Thank you, I am now using antivirus. Here is the new log:
Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 10/28/2007
The current time is: 11:49:13.82


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 28 October 2007 - 11:45 AM

You are not clean yet.

After you run the antivirus program, run Hijackthis and post a log.



You forgot to post a fresh Hijackthis log.

Edited by SifuMike, 28 October 2007 - 11:46 AM.


#12 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 29 October 2007 - 09:13 PM

Here is the new log. Thought I was done, sorry:
Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 10/29/2007
The current time is: 22:08:53.64


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 29 October 2007 - 10:33 PM

Hi melton2525,

Before we start, you need to realize that you are missing one important program on that computer: An antivirus.

This is somewhat suicidal in today's digital world. :blink:

You need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

********************************************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
********************************************

whataboutadog should be gone, but we are not done yet. :thumbsup:


If you have used ComboFix before, please delete the version you have and download it again, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 29 October 2007 - 10:41 PM.


#14 melton2525

melton2525
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:40 AM

Posted 30 October 2007 - 06:26 PM

ComboFix 07-10-29.1 - SUSAN CAMPBELL 2007-10-30 19:09:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.146 [GMT -4:00]
Running from: C:\Documents and Settings\SUSAN CAMPBELL\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191370232.old
C:\Program Files\WinBudget\bin\crap.1192260744.old
C:\Program Files\WinBudget\bin\crap.1192434144.old
C:\Program Files\WinBudget\bin\crap.1193182549.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192260743.old
C:\Program Files\WinBudget\bin\matrix.dll.1192434143.old
C:\Program Files\WinBudget\bin\matrix.dll.1193182548.old

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-30 19:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 02:48 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-28 02:48 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-28 02:48 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-28 02:48 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-28 02:48 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-28 02:48 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-28 02:47 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-28 02:47 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-10-28 02:47 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-28 02:47 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-10-28 02:47 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-10-27 16:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 13:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-27 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-27 13:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 22:19 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-26 22:19 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-26 22:19 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-26 22:19 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-26 22:19 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-26 22:19 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-26 22:19 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-26 22:19 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-26 22:12 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-10-24 22:42 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-10-24 22:42 <DIR> d-------- C:\Program Files\NCH Software
2007-10-24 22:42 <DIR> d-------- C:\Documents and Settings\SUSAN CAMPBELL\Application Data\NCH Swift Sound
2007-10-24 22:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-11 16:31 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-10-11 16:31 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-10-11 16:31 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-10-11 16:31 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-10-11 16:31 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-10-11 16:31 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-10-11 16:31 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2007-10-11 16:31 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-10-11 16:31 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-10-09 18:01 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-01 21:00 <DIR> d-------- C:\Documents and Settings\SUSAN CAMPBELL\Application Data\Nexon
2007-10-01 20:59 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-10-01 20:51 <DIR> d-------- C:\Nexon
2007-09-21 21:06 <DIR> d-------- C:\Program Files\3DGroove
2007-09-13 19:48 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0804.dll
2007-09-08 00:51 <DIR> d-------- C:\Documents and Settings\SUSAN CAMPBELL\WINDOWS
2007-09-07 20:42 <DIR> d-------- C:\Documents and Settings\SUSAN CAMPBELL\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 15:46 --------- d-----w C:\Program Files\Java
2007-10-18 23:04 --------- d-----w C:\Documents and Settings\SUSAN CAMPBELL\Application Data\LimeWire
2007-09-08 04:55 --------- d-----w C:\Program Files\Google
2007-09-08 04:54 --------- d-----w C:\Program Files\eGames
2007-09-08 04:51 --------- d-----w C:\Program Files\TextBridge Classic 2.0
2007-09-08 04:48 --------- d-----w C:\Program Files\1200 CP
2007-05-20 02:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-08 04:25]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-08 03:36]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-09-06 02:45]
"LXSUPMON"="C:\WINDOWS\System32\LXSUPMON.exe" [2001-09-06 03:05]
"Excite Private Messenger Pipe"="C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

R1 RapFile;RapFile;\??\C:\WINDOWS\System32\drivers\RapFile.sys
R1 RapNet;RapNet;\??\C:\WINDOWS\System32\drivers\RapNet.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys

.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 19:14:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 19:21:22 - machine was rebooted
.
--- E O F ---

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:40 PM

Posted 30 October 2007 - 06:29 PM

Hi melton2525,

You forgot to post the Hijackthis log. :thumbsup:
