
Hijacked!


This topic is locked
8 replies to this topic

#1 Philgrammer

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 04 December 2007 - 12:34 PM

HI EVERYBODY

I'VE BEEN USING THIS WEB SITE FOREVER, BUT THIS IS THE FIRST TIME I EVER HAD TO POST A LOG. NORMALLY I JUST READ THE FORUMS AND FIX IT MYSELF. THIS IS NO REFLECTION ON MY OWN ABILITY BUT RATHER ON THE DEPTH OF COMPUTER KNOWLEDGE AVAILABLE ON THIS SITE. :thumbsup:

ANYWAY, ENOUGH OF THAT. FINALLY I HAVE BEEN DEFEATED AND MUST LOWER MY SWORD AND BEG FOR MERCY. AS MY TOPIC DESCRIPTION INDICATES, YAHOO SEARCHES ARE BEING REDIRECTED TO SEARCH-DAILY. THIS MUST STOP.
MAYBE WHEN THIS IS OVER, IF WE ALL PRAY REALLY HARD FIRE AND BRIMSTONE WILL DESTROY SEARCH-DAILY FOREVER. :blink:

HERE IS MY HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:20 PM, on 12/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\PB7QOKLP\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watchtower.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {A4A282D6-49C9-4BC4-AAEA-9F01CB946E8B} - C:\WINDOWS\System32\avmete.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4288 bytes


#2 SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  • Gender:Male
  • Location:The United States
  • Local time:10:26 PM

Posted 04 December 2007 - 03:43 PM

Hello and Welcome to Bleeping Computer.

My name is SpySentinel and I will be assisting you with your malware problem today.

You may wish to Subscribe to this thread (Options --> Track this topic) so that you are notified when you receive a reply.

Please give me some time to analyze your log, and I will post back with instructions ASAP.
Posted Image
Unified Network of Instructors and Trained Eliminators

Posted Image

My help is always free, but if you can, please Posted Image to help me continue the fight against malware.

#3 Philgrammer

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 04 December 2007 - 11:06 PM

Thanks in advance. I have to tell you, though. I found in someone else's thread where they were advised to download a utility and run it in safe mode. (Sorry I can't remember the name of it right this second because I'm on a different computer - Spider somethingorother). It found 2 trojans and one loader and the computer seems to be clean now, but I'd be grateful for you to double-check for residue. Should I post a new HijackThis log?

#4 SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  • Gender:Male
  • Location:The United States
  • Local time:10:26 PM

Posted 05 December 2007 - 03:56 PM

You are very welcome.

I need to see another HijackThis log, but you need to extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis Installer Download

Save HJTInstall.exe to your desktop.

Double-click the file then click the Install button.

The file will be extracted to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
A shortcut for future use will also be created on your desktop and the Intro Frame of HijackThis will open.

It is a good idea to rename HijackThis, as some malware hides from HijackThis.
  • Please go to the folder where you saved HijackThis.exe:
    C:\HIJACKTHIS\HijackThis.exe
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want, like FluffyBunny.exe)
  • Then double-click AnalyzeThis.exe (or the name you chose) to scan.
Click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.

Please use the shortcut to run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

#5 Philgrammer

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 07 December 2007 - 02:31 PM

Thanx for the info on renaming HijackThis. It makes sense that this program would be a target.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:09 PM, on 12/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\UnjackThis\UnjackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watchtower.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5231 bytes
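
As an added example (not code from this thread, from Trend Micro's HijackThis or from BleepingComputer), here is a small Python script that parses the two HijackThis logs posted above, lists the entries that disappeared or appeared between the first and second scan, and applies the kind of reading rules an HJT analyst uses to decide which lines to check first. The log excerpts embedded in it are copied from those two logs; the rules (a browser helper object with no name, an O16 ActiveX download from a remote URL, an O4 autorun that names a bare executable instead of a full path) only mark lines worth verifying against known-good software, they are not verdicts, and the "(no name)" avmete.dll BHO it reports is simply the entry that is present in the first log and absent from the second.

```python
"""Parse and diff Trend Micro HijackThis v2 logs and flag lines worth a second look.

Added example for this thread; not code from HijackThis, Trend Micro or BleepingComputer.
The two log excerpts at the bottom are copied from the first and second logs posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis entry starts with a section code such as R0, R1, O2, O4, O16, O23.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. "O2"
    body: str   # everything after "O2 - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the R*/F*/N*/O* entries of a HijackThis log, in log order."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def diff_hjt(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries only in `before` (gone after cleanup) and only in `after` (new)."""
    old, new = parse_hjt(before), parse_hjt(after)
    old_set, new_set = set(old), set(new)
    removed = [e for e in old if e not in new_set]
    added = [e for e in new if e not in old_set]
    return removed, added


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Reading rules an HJT analyst applies by hand. A hit means "check this line
    against a known-good list", not "this is malware"."""
    flags: list[tuple[Entry, str]] = []
    for e in entries:
        if e.code == "O2" and e.body.startswith("BHO: (no name)"):
            flags.append((e, "browser helper object with no name"))
        elif e.code == "O16" and "http://" in e.body:
            flags.append((e, "ActiveX control (DPF) downloaded from a remote URL"))
        elif e.code == "O4" and "] " in e.body:
            # Text after "[Name] " is the command; a bare file name relies on the search path.
            command = e.body.split("] ", 1)[1]
            if "\\" not in command:
                flags.append((e, "autorun gives a bare file name, not a full path"))
    return flags


# Excerpt of the first log in this thread (4 December), before any cleanup.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watchtower.org/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {A4A282D6-49C9-4BC4-AAEA-9F01CB946E8B} - C:\WINDOWS\System32\avmete.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# Excerpt of the second log in this thread (7 December), after the user's own cleanup.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watchtower.org/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
"""


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Gone since first log:")
    for e in removed:
        print(f"  {e.code} - {e.body}")
    print("New in second log:")
    for e in added:
        print(f"  {e.code} - {e.body}")
    print("Lines to verify in the second log:")
    for e, reason in flag_entries(parse_hjt(LOG_AFTER)):
        print(f"  [{reason}] {e.code} - {e.body}")
```

Paste the full logs into LOG_BEFORE and LOG_AFTER to run it over a complete pair; the running-process list and the header lines are ignored because they carry no section code, so only the R*/F*/N*/O* entries are compared.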

#6 SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  • Gender:Male
  • Location:The United States
  • Local time:10:26 PM

Posted 07 December 2007 - 06:35 PM

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

#7 Philgrammer

  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:26 PM

Posted 09 December 2007 - 10:51 PM

You're the boss!!!

ComboFix 07-12-09.1 - Phil 2007-12-09 22:38:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.275 [GMT -5:00]
Running from: C:\Documents and Settings\Phil\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-05 22:53 . 2007-12-05 22:53 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-05 00:44 . 2007-12-05 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoYoGames
2007-12-04 13:40 . 2007-12-07 14:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:10 . 2007-12-04 13:10 <DIR> d-------- C:\Documents and Settings\Phil\DoctorWeb
2007-12-04 12:57 . 2007-12-04 12:57 8,360,352 --a------ C:\Program Files\drweb-cureit.exe
2007-12-04 10:38 . 2007-12-04 10:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-04 10:38 . 2007-12-04 10:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-04 10:36 . 2007-12-04 10:36 1,953,799 --a------ C:\Program Files\stinger.exe
2007-12-04 10:31 . 2007-12-04 10:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 13:28 . 2007-12-03 14:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-03 13:28 . 2007-12-03 13:36 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-03 13:28 . 2007-12-03 13:36 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-03 13:28 . 2007-12-03 13:36 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 01:03 . 2007-10-12 17:17 2,626 --a------ C:\WINDOWS\system32\config.bak
2007-12-03 01:03 . 2002-08-29 07:00 1,688 --a------ C:\WINDOWS\system32\autoexec.bak
2007-12-01 14:31 . 2007-12-01 14:31 <DIR> d-------- C:\Program Files\OneStepSearch
2007-11-30 23:36 . 2007-11-30 23:50 <DIR> d-------- C:\Program Files\XoftSpySE
2007-11-30 20:42 . 2007-11-30 20:42 <DIR> d-------- C:\Program Files\flashconvert
2007-11-30 20:42 . 2007-11-30 20:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-26 10:48 . 2007-11-26 10:48 <DIR> d-------- C:\Program Files\Real
2007-11-26 10:48 . 2007-11-30 20:33 <DIR> d-------- C:\Program Files\Common Files\Real
2007-11-26 10:37 . 2007-11-30 20:42 <DIR> d-------- C:\Program Files\WMR11
2007-11-25 22:20 . 2002-08-29 07:00 102,144 --a------ C:\WINDOWS\system32\avmete.2
2007-11-21 10:13 . 2007-11-21 10:13 <DIR> d-------- C:\Program Files\Debugmode
2007-11-21 10:13 . 2007-11-21 10:13 <DIR> d-------- C:\Program Files\Common Files\debugmode
2007-11-20 21:51 . 2007-11-20 21:52 <DIR> d-------- C:\Program Files\MakeHuman
2007-11-20 21:00 . 2007-11-20 21:00 <DIR> d-------- C:\Program Files\Blender Foundation
2007-11-19 12:36 . 2007-11-19 12:36 78,976 --a------ C:\Documents and Settings\Phil\Application Data\GDIPFONTCACHEV1.DAT
2007-11-16 01:37 . 2007-11-16 01:40 45 --a------ C:\TEST.XML
2007-11-16 01:23 . 2007-11-19 19:20 88 --a------ C:\WINDOWS\StyleBuilder.INI
2007-11-12 23:59 . 2007-11-12 23:59 <DIR> d-------- C:\Program Files\Stardock
2007-11-12 23:59 . 2007-11-12 23:59 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-11-12 23:59 . 2007-12-04 13:33 163,840 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-11-12 22:27 . 2007-11-12 22:28 <DIR> d-------- C:\Program Files\Photoshop
2007-11-12 22:23 . 2007-11-12 22:23 <DIR> d-------- C:\WINDOWS\PreviewSoft
2007-11-12 22:23 . 2007-11-12 22:23 <DIR> d-------- C:\WINDOWS\Noslip
2007-11-12 22:23 . 2007-11-13 09:20 10 --a------ C:\WINDOWS\Wininit.ini
2007-11-12 22:22 . 1999-05-26 09:46 196,608 --a------ C:\WINDOWS\kpcp32.dll
2007-11-12 22:22 . 1999-06-18 21:13 133,120 --a------ C:\WINDOWS\sprof32.dll
2007-11-12 22:22 . 1999-05-26 09:46 58,368 --a------ C:\WINDOWS\pfpick.dll
2007-11-12 22:22 . 1999-05-26 09:46 40,129 --a------ C:\WINDOWS\iccsigs.dat
2007-11-12 22:22 . 1999-05-26 09:46 37,376 --a------ C:\WINDOWS\kpsys32.dll
2007-11-12 22:22 . 1999-05-26 09:46 20,992 --a------ C:\WINDOWS\icccodes.dll
2007-11-12 22:21 . 2007-11-12 22:21 <DIR> d-------- C:\KPCMS
2007-11-12 19:48 . 2007-12-04 11:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 02:06 . 2007-11-12 02:06 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\Publish Providers
2007-11-12 02:06 . 2007-11-12 02:06 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\NetMedia Providers
2007-11-12 02:03 . 2007-11-12 02:41 <DIR> d-------- C:\Program Files\Sony
2007-11-12 02:02 . 2007-11-12 02:02 <DIR> d-------- C:\Program Files\Sony Setup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 01:09 --------- d-----w C:\Program Files\Sonic Foundry ACID 2.0
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-21 01:57 --------- d-----w C:\Program Files\WinBootINICU
2007-11-20 19:36 --------- d-----w C:\Documents and Settings\Phil\Application Data\Pegasys Inc
2007-11-19 23:30 --------- d-----w C:\Program Files\ZPaint 1.4
2007-11-13 03:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 07:19 --------- d-----w C:\Program Files\Common Files\Nullsoft
2007-10-20 17:24 --------- d-----w C:\Program Files\Common Files\Kodak
2007-10-20 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-10-20 17:19 --------- d-----w C:\Program Files\Kodak
2007-10-20 17:14 --------- d-----w C:\Program Files\QuickTime
2007-10-20 17:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-17 02:58 --------- d-----w C:\Program Files\LiknoWebButtonMakerFree
2007-10-16 15:21 --------- d-----w C:\Program Files\Sonic Foundry Plug-Ins
2007-10-16 15:21 --------- d-----w C:\Program Files\Sonic Foundry MP3 Plug-In
2007-10-16 12:16 49,152 ----a-w C:\WINDOWS\qvstwrapperksb.dll
2007-10-16 12:16 49,152 ----a-w C:\WINDOWS\Qui251256.exe
2007-10-16 12:16 40,960 ----a-w C:\WINDOWS\qvstwrapper_ui.exe
2007-10-16 12:16 114,688 ----a-w C:\WINDOWS\qvstwrapper.dll
2007-10-16 12:16 --------- d-----w C:\Program Files\DigitalSoundPlanet
2007-10-15 16:56 --------- d-----w C:\Program Files\t@b
2007-10-15 16:04 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-15 16:04 262,144 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-10-15 16:04 --------- d-----w C:\Documents and Settings\Phil\Application Data\jah
2007-10-15 15:23 --------- d-----w C:\Program Files\Pegasys Inc
2007-10-14 02:52 --------- d-----w C:\Documents and Settings\Phil\Application Data\Ulead Systems
2007-10-14 02:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 02:49 --------- d-----w C:\Program Files\Ulead Systems
2007-10-14 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-10-14 02:29 --------- d-----w C:\Program Files\Windows Media Components
2007-10-14 02:28 --------- d-----w C:\Program Files\Common Files\SONY Digital Images
2007-10-14 02:24 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-10-14 02:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-14 02:15 --------- d-----w C:\Program Files\Canon
2007-10-13 23:48 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-10-13 23:36 --------- d-----w C:\Program Files\Sierra On-Line
2007-10-13 23:32 --------- d-----w C:\Documents and Settings\Phil\Application Data\Watchtower
2007-10-13 23:26 --------- d-----w C:\Program Files\Watchtower
2007-10-13 23:13 --------- d-----w C:\Program Files\Common Files\Nero
2007-10-13 23:10 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-13 23:10 --------- d-----w C:\Program Files\Ahead
2007-10-13 22:12 --------- d-----w C:\Program Files\ArcSoft
2007-10-13 21:56 --------- d-----w C:\Program Files\Microsoft Works
2007-10-13 21:47 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-13 18:47 --------- d-----w C:\Program Files\trash_reg
2007-10-13 18:19 --------- d-----w C:\Program Files\Smart Projects
2007-10-13 17:38 --------- d-----w C:\Program Files\RegistryFix
2007-10-13 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-13 04:34 --------- d-----w C:\Program Files\Common Files\Intuit
2007-10-13 04:33 --------- d-----w C:\Program Files\Intuit
2007-10-13 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-10-13 04:31 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-13 04:25 --------- d-----w C:\Documents and Settings\Phil\Application Data\Download Manager
2007-10-13 04:00 --------- d-----w C:\Program Files\Akamai
2007-10-13 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-10-13 03:40 --------- d-----w C:\Documents and Settings\Phil\Application Data\Leadertech
2007-10-13 03:37 --------- d-----w C:\Documents and Settings\Phil\Application Data\InterVideo
2007-10-13 03:36 --------- d-----w C:\Program Files\InterVideo
2007-10-13 03:34 --------- d-----w C:\Program Files\Sonic
2007-10-13 03:26 --------- d-----w C:\Program Files\CCleaner
2007-10-13 03:14 --------- d-----w C:\Program Files\directx
2007-10-13 02:45 --------- d-----w C:\Program Files\DvdReMake Pro_3[1].6.2_R
2007-10-13 01:02 --------- d-----w C:\Program Files\Adventure Maker v4.3.0
2007-10-13 00:45 --------- d-----w C:\Program Files\truespace
2007-10-13 00:39 --------- d-----w C:\Program Files\2d game_maker
2007-10-13 00:37 --------- d-----w C:\Program Files\sfArk
2007-10-13 00:37 --------- d-----w C:\Program Files\res_hack
2007-10-13 00:35 --------- d-----w C:\Program Files\SubRip
2007-10-13 00:29 --------- d-----w C:\Program Files\Wisdom-soft AutoScreenRecorder Free
2007-10-13 00:28 --------- d-----w C:\Program Files\AWicons Lite
2007-10-13 00:26 --------- d-----w C:\Program Files\DVD Decrypter
2007-10-13 00:25 --------- d-----w C:\Program Files\DVD Shrink
2007-10-13 00:24 --------- d-----w C:\Program Files\GoldWave
2007-10-13 00:22 --------- d-----w C:\Program Files\RegSeeker
2007-10-12 23:42 --------- d-----w C:\Program Files\WinASO
2007-10-12 23:42 --------- d-----w C:\Program Files\URUSoft
2007-10-12 23:42 --------- d-----w C:\Program Files\Bryce
2007-10-12 22:17 --------- d-----w C:\Program Files\Alwil Software
2007-10-12 21:14 558,142 ----a-w C:\WINDOWS\java\Packages\TFDBZVZX.ZIP
2007-10-12 21:14 155,995 ----a-w C:\WINDOWS\java\Packages\PFXB9Z93.ZIP
2007-10-12 21:14 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-26 10:48]

C:\Documents and Settings\Phil\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\System32\DRIVERS\CINEMSUP.SYS

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 22:40:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 22:40:44
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:17 PM, on 12/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\UnjackThis\UnjackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watchtower.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 4977 bytes

#8 SpySentinel

  • Staff Emeritus
  • 2,090 posts
  • OFFLINE
  • Gender:Male
  • Location:The United States
  • Local time:10:26 PM

Posted 11 December 2007 - 07:09 PM

How is your computer running?

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 __RiP_ChAiN_

  • Eh, whatever goes here.
  • Members
  • 1,592 posts
  • OFFLINE
  • Gender:Male
  • Location:Omaha, Nebraska U.S.A
  • Local time:09:26 PM

Posted 11 January 2008 - 01:55 PM

Due to inactivity, this topic is now closed. If you need this thread re-opened, please Private Message any member of the moderating team with this thread's address.