
Malware Cleanup, Hjt Log


  • This topic is locked
4 replies to this topic

#1 c1cdj

  • Members
  • 4 posts
  • Location:Jacksonville, FL

Posted 04 April 2008 - 08:42 AM

I posted before I read what to do first. Sorry. I'm following your removal steps and this is the HijackThis log requested.
My Trend Micro HouseCall found: ADWARE_MEMWATCHER. I watched the cleanup scan and saw
SOBIG
SOBER WORM
TROJAN.Agent
and many other worms. I did this scan a couple of days ago and it found, and supposedly removed, it, but it obviously returned to, hopefully, be removed this time. I am also including the log from my AntiVir program. It found a couple of "unopenable" files. Thank you in advance for any help you can give me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:55 AM, on 2008-04-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www6.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - Startup: ESHEEP.lnk = C:\Program Files\ESHEEP\ESHEEP.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371420.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...238/mcfscan.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 5800 bytes



AntiVir PersonalEdition Classic
Report file date: 2008-04-03 20:21

Scanning for 1178038 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: DENISEP3

Version information:
BUILD.DAT : 270 15603 Bytes 2007-09-19 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 18:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 17:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 20:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 17:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 19:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 2008-03-07 13:03:24
ANTIVIR2.VDF : 7.0.3.85 434176 Bytes 2008-03-27 13:03:25
ANTIVIR3.VDF : 7.0.3.116 147968 Bytes 2008-04-03 18:51:12
AVEWIN32.DLL : 7.6.0.80 3420672 Bytes 2008-04-03 18:51:13
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 12:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 18:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2008-04-02 13:03:26
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 12:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 17:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 12:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 17:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 17:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 14:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2008-04-03 20:21

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'IncMail.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'IMApp.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'BOCore.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'ntvdm.exe' - '1' Module(s) have been scanned
Scan process 'BOC425.EXE' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '28' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!


End of the scan: 2008-04-03 21:47
Used time: 1:25:25 min

The scan has been done completely.

4305 Scanning directories
190766 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
190766 Files not concerned
2402 Archives were scanned
4 Warnings
7 Notes

I'm also sending my log from the a-squared scanner

a-squared Free - Version 3.1
Last update: 2008-04-02 10:37:27 AM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 2008-04-02 10:39:20 AM

c:\windows\system32\thbres25.dll detected: Trace.File.HackerWacker
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com\Installer --> id detected: Trace.Registry.Living Beaches #2 Animated Wallpaper
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com\Installer --> id detected: Trace.Registry.EZ Game Cheats
C:\System Volume Information\_restore{5473ADF0-4AFB-443F-BC8F-30CEFE185BB5}\RP1\A0000110.EXE detected: Worm.Win32.Anilogo.b
C:\WINDOWS\system32\GetHardDiskNo.dll detected: Riskware.FraudTool.Win32.SpywareDetector.a

Scanned

Files: 90681
Traces: 398260
Cookies: 12
Processes: 26

Found

Files: 2
Traces: 3
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 2008-04-02 12:57:01 PM
Scan time: 2:17:41

C:\WINDOWS\system32\GetHardDiskNo.dll Quarantined Riskware.FraudTool.Win32.SpywareDetector.a
C:\System Volume Information\_restore{5473ADF0-4AFB-443F-BC8F-30CEFE185BB5}\RP1\A0000110.EXE Quarantined Worm.Win32.Anilogo.b
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com\Installer --> id Quarantined Trace.Registry.EZ Game Cheats
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com\Installer --> id Quarantined Trace.Registry.Living Beaches #2 Animated Wallpaper
c:\windows\system32\thbres25.dll Quarantined Trace.File.HackerWacker

Quarantined

Files: 2
Traces: 3
Cookies: 0

And a log from RunScanner

Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

000 General info
----------------
Computer name : DENISEP3
Creation time : 2008-04-03 1:01:38 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.13
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.6.3.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft)
c:\program files\avira\antivir personaledition classic\avguard.exe (Avira GmbH)
c:\program files\avira\antivir personaledition classic\sched.exe (Avira GmbH)
c:\program files\avira\antivir personaledition classic\avgnt.exe (Avira GmbH)
* c:\windows\system32\alg.exe (Microsoft Corporation)
c:\program files\a-squared free\a2service.exe (Emsi Software GmbH)
* c:\windows\system32\ati2evxx.exe (ATI Technologies Inc.)
* c:\windows\system32\ati2evxx.exe (ATI Technologies Inc.)
* c:\windows\system32\csrss.exe (Microsoft Corporation)
* c:\program files\comodo\firewall\cmdagent.exe (COMODO)
c:\progra~1\comodo\cboclean\boc425.exe (COMODO)
c:\program files\comodo\cboclean\bocore.exe (COMODO)
* c:\program files\comodo\firewall\cfp.exe (COMODO)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\program files\incredimail\bin\imapp.exe (IncrediMail, Ltd.)
* c:\windows\system32\lsass.exe (Microsoft Corporation)
* c:\windows\system32\ntvdm.exe (Microsoft Corporation)
* c:\documents and settings\denise\desktop\runscanner.exe (Runscanner.net)
* c:\windows\system32\services.exe (Microsoft Corporation)
* c:\windows\system32\spoolsv.exe (Microsoft Corporation)
* c:\windows\explorer.exe (Microsoft Corporation)
* c:\windows\system32\wgatray.exe (Microsoft Corporation)
* c:\windows\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\system32\smss.exe (Microsoft Corporation)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\avira\antivir personaledition classic\avgnt.exe (Avira GmbH)
c:\progra~1\comodo\cboclean\boc425.exe (COMODO)

004 C:\Documents and Settings\Denise\Start Menu\Programs\Startup
----------------------------------------------------------------
c:\progra~1\esheep\esheep.exe (Esheep.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
c:\program files\avira\antivir personaledition classic\avguard.exe (AntiVir PersonalEdition Classic Guard)
c:\program files\avira\antivir personaledition classic\sched.exe (AntiVir PersonalEdition Classic Scheduler)
c:\program files\a-squared free\a2service.exe (a-squared Free Service)
c:\program files\comodo\cboclean\bocore.exe (BOCore)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
c:\windows\system32\drivers\aspi32.sys (Aspi32)
* c:\program files\avira\antivir personaledition classic\avgio.sys (avgio)
* c:\program files\avira\antivir personaledition classic\avgntflt.sys (avgntflt)
* C:\WINDOWS\system32\drivers\avipbb.sys (avipbb)
* c:\program files\comodo\cboclean\bocdrive.sys (BOClean Kernel Monitor.)
- c:\windows\system32\drivers\changer.sys (Changer)
- c:\windows\system32\drivers\co_mon.sys (CO_Mon)
C:\WINDOWS\system32\drivers\gmer.sys (gmer)
- c:\windows\system32\drivers\i2omgmt.sys (i2omgmt)
- c:\windows\system32\drivers\iaimtv2.sys (iAimTV2)
- c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)
- c:\windows\system32\drivers\pcidump.sys (PCIDump)
- c:\windows\system32\drivers\pdcomp.sys (PDCOMP)
- c:\windows\system32\drivers\pdframe.sys (PDFRAME)
- c:\windows\system32\drivers\pdreli.sys (PDRELI)
- c:\windows\system32\drivers\pdrframe.sys (PDRFRAME)
- c:\program files\internet explorer\sabprocenum.sys (SABProcEnum)
- c:\program files\superantispyware\sasdifsv.sys (SASDIFSV)
- c:\program files\superantispyware\sasenum.sys (SASENUM)
- c:\program files\superantispyware\saskutil.sys (SASKUTIL)
* C:\WINDOWS\system32\drivers\ssmdrv.sys (ssmdrv)
c:\windows\system32\drivers\tvichw32.sys (TVICHW32)
- c:\windows\system32\drivers\wdica.sys (WDICA)

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\common files\system\ole db\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\program files\common files\system\ole db\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\program files\common files\microsoft shared\web folders\pkmcdo.dll (Microsoft Corporation) {CD00020A-8B95-11D1-82DB-00C04FB1625D}
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
c:\program files\common files\system\ole db\msdaipp.dll (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
c:\progra~1\comcas~1\comcas~1.dll (Comcast Cable Communications.) {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
c:\progra~1\comcas~1\comcas~1.dll (Comcast Cable Communications.) {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
c:\progra~1\comcas~1\comcas~1.dll (Comcast Cable Communications.) {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
* c:\progra~1\spybot~1\sdhelper.dll (Safer Networking Limited) {53707962-6F74-2D53-2644-206D7942484F}
c:\program files\ws_ftp pro\wsbho2k0.dll (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421) {601ED020-FB6C-11D3-87D8-0050DA59922B}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
c:\program files\a-squared free\a2freecontmenu.dll (Emsi Software GmbH) {A155339D-CCCD-4714-85EB-3754B804C9DF}
C:\WINDOWS\system32\layout.dll (Microsoft) {19F500E0-9964-11cf-B63D-08002B317C03}
c:\windows\system32\phototoys.dll (Microsoft Corporation) {1530F7EE-5128-43BD-9977-84A4B0FAD7DF}
c:\program files\avira\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
c:\progra~1\common~1\micros~1\webfol~1\msonsext.dll (Microsoft Corporation) {BDEADF00-C265-11D0-BCED-00A0C90AB50F}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
* C:\WINDOWS\system32\lsdelete.exe

073 %windir%\Tasks
------------------
TASK20040403095204.job : c:\program files\ws_ftp pro\wsftppro.exe (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421)

100 Internet Explorer settings
------------------------------
ProxyOverride HKCU : actsvr.comcastonline.com
ProxyServer HKCU : actsvr.comcastonline.com:8100
Search Page HKCU : http://www6.comcast.net
SearchUrl HKCU : http://home.microsoft.com/access/autosearch.asp?p=%s
Start Page HKCU : http://www.majorgeeks.com/

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
c:\windows\downlo~1\pestsc~1.ocx (Visicom Media) {56393399-041A-4650-94C7-13DFCB1F4665}
c:\windows\downlo~1\oscan82.ocx (BitDefender) {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
* c:\windows\downloaded program files\icsscan.dll (Zone Labs, Inc) {7F8C8173-AD80-4807-AA75-5672F22B4582}
c:\windows\downloaded program files\sabspx.dll (SuperAdBlocker.com) {B1E2B96C-12FE-45E2-BEF1-44A219113CDD}
GUID / CLSID not found {CC450D71-CC90-424C-8638-1F2DBAC87A54}
* c:\windows\mcafee.com\freescan\mcfscan.dll (McAfee, Inc.) {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
GUID / CLSID not found
c:\program files\incredimail\bin\imshextu.dll (IncrediMail, Ltd.) {F8984111-38B6-11D5-8725-0050DA2761C4}
c:\program files\avira\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\program files\ws_ftp pro\wsftpsi.dll (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421) {797F3885-5429-11D4-8823-0050DA59922B}

221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
-------------------------------------------------------
GUID / CLSID not found
c:\program files\incredimail\bin\imshextu.dll (IncrediMail, Ltd.) {F8984111-38B6-11D5-8725-0050DA2761C4}
c:\program files\avira\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\program files\ws_ftp pro\wsftpsi.dll (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421) {797F3885-5429-11D4-8823-0050DA59922B}

223 HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
--------------------------------------------------------------------------
c:\program files\a-squared free\a2freecontmenu.dll (Emsi Software GmbH) {A155339D-CCCD-4714-85EB-3754B804C9DF}
* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
------------------------------------------------------------
c:\program files\a-squared free\a2freecontmenu.dll (Emsi Software GmbH) {A155339D-CCCD-4714-85EB-3754B804C9DF}
c:\program files\a-squared free\a2freecontmenu.dll (Emsi Software GmbH) {A155339D-CCCD-4714-85EB-3754B804C9DF}
C:\WINDOWS\system32\layout.dll (Microsoft) {19F500E0-9964-11cf-B63D-08002B317C03}
C:\WINDOWS\system32\layout.dll (Microsoft) {19F500E0-9964-11cf-B63D-08002B317C03}
c:\program files\ati multimedia\mlibrary\mlshell.dll (ATI Technologies Inc.) {54F51408-DD44-4a12-82EF-519AD2A80DE9}
c:\program files\ati multimedia\mlibrary\mlshell.dll (ATI Technologies Inc.) {54F51408-DD44-4a12-82EF-519AD2A80DE9}
* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
* c:\program files\malwarebytes' anti-malware\mbamext.dll (Malwarebytes) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
c:\program files\avira\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
c:\program files\avira\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\program files\ws_ftp pro\wsftpsi.dll (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421) {797F3885-5429-11D4-8823-0050DA59922B}
c:\program files\ws_ftp pro\wsftpsi.dll (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421) {797F3885-5429-11D4-8823-0050DA59922B}

227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
---------------------------------------------------------------
GUID / CLSID not found
c:\program files\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

231 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) PDF Column Info


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 April 2008 - 06:08 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay getting to your log, the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 c1cdj

  • Topic Starter
  • Members
  • 4 posts
  • Location:Jacksonville, FL

Posted 16 April 2008 - 10:55 AM

Hi, Sam,
I don't know if I've fixed the problem or not, but I uninstalled HijackThis. I'm having problems getting the new Avira AntiVir Personal Edition to update after installing the new version 8. In my previous logs it showed 2 files that could not be scanned. One was C:\hiberfil.sys, for which I changed the settings to disable hibernation, and the other was C:\pagefile.sys, for which I did a system defrag and ran PageDefrag to fix it on reboot. I then ran another system defrag and it was supposed to have moved my page file to a better place on the disk, but it didn't do it.
Do you have any ideas about these issues?
Thank you for your help.

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 April 2008 - 05:14 PM

In my previous logs it showed 2 files that could not be scanned. one was C:\hiberfil.sys which I changed the settings to disable hibernation and C:\pagefile.sys which I did a system defrag and ran PageDefrag to fix on reboot.

That's completely normal and not indicative of malware in any way. Nothing to worry about. :thumbsup:

I'm not sure about your other issues. I'm not sure why you would want to move your pagefile to any place but the default location. If you can't get your antivirus program to update, you should contact their support techs for help, or get another antivirus.

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 May 2008 - 09:24 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.



