Infected With Adware: Popads123.com, Searchfeed.com, Dianaid.net


This topic is locked
8 replies to this topic

#1 sbt

sbt

  • Members
  • 4 posts

Posted 16 June 2008 - 03:51 PM

I have cleaned it with everything I can except a-squared. NOD32, Ad-Aware, & SpyBot S&D all say it is clean, but it will start up a browser within a minute after connecting my full-time Internet to the network port, and then it tries to open sites like: popads123.com, cartoonhotspot.com, dianaed.net, and searchfeed.com.
Here's the main.txt

Deckard's System Scanner v20071014.68
Run by k on 2008-06-16 13:29:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2008-06-16 19:29:21 UTC - RP557 - Deckard's System Scanner Restore Point
6: 2008-06-16 18:59:48 UTC - RP556 - a-squared
5: 2008-06-16 18:32:43 UTC - RP555 - Installed Windows XP Service Pack 3.
4: 2008-06-16 18:23:04 UTC - RP554 - SP3
3: 2008-06-16 16:45:34 UTC - RP553 - ComboFix created restore point


-- First Restore Point --
1: 2008-06-16 16:44:53 UTC - RP551 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as k.exe) ---------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:05 PM, on 6/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\k\Desktop\dss.exe
C:\DOCUME~1\k\Desktop\k.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.ispwest.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B77F7F7D-9895-9864-BC9F-B1FEDBFC02B4} - C:\WINDOWS\System32\fsaaotv.dll (file missing)
O4 - HKLM\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\Run: [Internet Explorer] hqjpkson.EXE
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\RunServices: [Internet Explorer] hqjpkson.EXE
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\RunServices: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKCU\..\Run: [Internet Explorer] hqjpkson.EXE
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Explorer] pzualzke.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Win32 System Spool] spoolsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec AntiVirus] nav.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Messenger] msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - Startup: jcxp.lnk = D:\tech\Clean Temp JCXP\jcxp.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\k\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7786 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 E1000 (Intel® PRO/1000 Adapter Driver) - c:\windows\system32\drivers\e1000325.sys <Not Verified; Intel Corporation; Intel® PRO/1000 Adapter>
R3 SMBios (Intel ® System Managment BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Managment BIOS Driver>
R3 wlanndi5 (wlanndi5 NDIS Protocol Driver) - c:\windows\system32\wlanndi5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe

S2 AOLService (AOL Spyware Protection Service) - c:\progra~1\common~1\aol\aolspy~1\\aolserv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 13:00:21 0 d-------- C:\Program Files\a2 free
2008-06-16 12:53:29 0 d-------- C:\WINDOWS\Prefetch
2008-06-16 12:43:09 0 d-------- C:\Program Files\Messenger
2008-06-16 12:42:33 0 d-------- C:\WINDOWS\provisioning
2008-06-16 12:42:31 0 d-------- C:\WINDOWS\system32\scripting
2008-06-16 12:42:26 0 d-------- C:\WINDOWS\l2schemas
2008-06-16 12:42:24 0 d-------- C:\WINDOWS\system32\en
2008-06-16 12:42:24 0 d-------- C:\WINDOWS\system32\bits
2008-06-16 12:42:23 0 d-------- C:\WINDOWS\peernet
2008-06-16 12:38:54 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-16 12:35:34 0 d-------- C:\WINDOWS\network diagnostic
2008-06-16 12:28:17 0 d-------- C:\WINDOWS\EHome
2008-06-16 11:48:49 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-16 11:47:31 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-06-16 10:44:18 68096 --a------ C:\WINDOWS\zip.exe
2008-06-16 10:44:18 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-16 10:44:18 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 10:44:18 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-16 10:44:18 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-16 10:44:18 98816 --a------ C:\WINDOWS\sed.exe
2008-06-16 10:44:18 80412 --a------ C:\WINDOWS\grep.exe
2008-06-16 10:44:18 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-13 17:05:20 260272 -r-hs---- C:\cmldr
2008-06-13 17:05:02 0 dr-hs---- C:\cmdcons
2008-06-13 17:05:00 0 d-------- C:\WINDOWS\setup.pss
2008-06-13 17:04:47 0 d-------- C:\WINDOWS\setupupd
2008-06-11 16:11:53 0 d-------- C:\Program Files\Lavasoft
2008-06-11 16:11:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 16:11:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 14:37:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 12:27:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-11 12:15:26 0 d-------- C:\Program Files\GetModule
2008-06-11 12:15:24 0 d-------- C:\Program Files\iCheck
2008-06-11 12:15:24 0 d-------- C:\Program Files\GetPack


-- Find3M Report ---------------------------------------------------------------

2008-06-16 13:21:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 12:42:27 0 d-------- C:\Program Files\Movie Maker
2008-06-16 12:38:27 0 d-------- C:\Program Files\Windows NT
2008-06-16 11:47:29 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-16 10:45:55 0 d-------- C:\Program Files\Common Files
2008-06-11 13:30:10 0 d-------- C:\Program Files\QuickTime
2008-06-11 13:29:48 0 d-------- C:\Program Files\Picasa2
2008-06-11 13:27:12 0 d-------- C:\Program Files\iTunes


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B77F7F7D-9895-9864-BC9F-B1FEDBFC02B4}]
C:\WINDOWS\System32\fsaaotv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 USB2 Driver"="good.exe" []
"Internet Explorer"="hqjpkson.EXE" []
"Win32 System Spool"="spoolsvc.exe" []
"Microsoft upnp Update"="msie.exe" []
"Symantec AntiVirus"="nav.exe" []
"Windows Messenger"="msmsgs.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [11/14/2007 03:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 USB2 Driver"="good.exe" []
"Internet Explorer"="hqjpkson.EXE" []
"Win32 System Spool"="spoolsvc.exe" []
"Symantec AntiVirus"="nav.exe" []
"GetPack18"="C:\Program Files\GetPack\GetPack18.exe" [06/10/2008 03:08 AM]
"GetModule18"="C:\Program Files\GetModule\GetModule18.exe" [06/09/2008 03:40 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Win32 USB2 Driver"=good.exe
"Internet Explorer"=hqjpkson.EXE
"Win32 System Spool"=spoolsvc.exe
"Microsoft upnp Update"=msie.exe
"Symantec AntiVirus"=nav.exe
"Windows Messenger"=msmsgs.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 USB2 Driver"=good.exe
"Win32 System Spool"=spoolsvc.exe
"Windows Messenger"=msmsgs.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win32 USB2 Driver"=good.exe
"Internet Explorer"=pzualzke.EXE
"Win32 System Spool"=spoolsvc.exe
"Symantec AntiVirus"=nav.exe
"Windows Messenger"=msmsgs.exe

C:\Documents and Settings\k\Start Menu\Programs\Startup\
jcxp.lnk - D:\tech\Clean Temp JCXP\jcxp.exe [11/29/2003 5:49:29 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [1/23/2005 6:15:32 PM]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [1/23/2005 6:16:44 PM]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [8/18/2005 5:09:58 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 2:05:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{62AECA0F-CEB9-44E8-D89D-FD1245C0E5B9}"= C:\WINDOWS\System32\qfiot32.dll [ ]
"{7DA699FB-0222-4DD2-8B9B-D993FDD0CEB2}"= C:\WINDOWS\System32\bgnuqm32.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"Messenger"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-16 13:33:02 ------------

Here's the extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 510.66 MiB / 260.73 MiB
Pagefile Memory (total/avail): 1245.71 MiB / 1030.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1893.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 58.59 GiB total, 50.94 GiB free.
D: is Fixed (NTFS) - 15.93 GiB total, 8.79 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 58.59 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 15.93 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\k\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=UNIQUE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\k
LOGONSERVER=\\UNIQUE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\k\LOCALS~1\Temp
TMP=C:\DOCUME~1\k\LOCALS~1\Temp
USERDOMAIN=UNIQUE
USERNAME=k
USERPROFILE=C:\Documents and Settings\k
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

k (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared free 1.5.1 --> "C:\Program Files\a2 free\unins000.exe"
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
AOL Connectivity Services --> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller --> C:\Program Files\Common Files\AOL\uninstaller.exe
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Belkin Wireless Utility --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5314FAC0-F8A5-4432-8980-251D055B2C5B}
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
ESET NOD32 Antivirus --> MsiExec.exe /I{BB703122-AF65-4AD9-BCA0-273E165DABEE}
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Documents and Settings\k\Desktop\HijackThis.exe" /uninstall
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Internet Speed Monitor --> C:\Program Files\iCheck\Uninstall.exe
iPod Updater 2004-08-06 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D43E1D3F-CC1F-4E41-80F5-9C1D28187DE9}
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
LimeWire 4.16.3 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Personal Ancestral File 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D94A8E22-DF2B-4107-9E51-608A60A7671D}\SETUP.EXE"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pop-Up Stopper Free Edition --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type26169 / Warning
Event Submitted/Written: 06/16/2008 00:43:59 PM
Event ID/Source: 63 / WinMgmt
Event Description:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Event Record #/Type26114 / Error
Event Submitted/Written: 06/13/2008 00:44:31 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module jpinscp.dll, version 5.0.30.7, fault address 0x00003960.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type26113 / Error
Event Submitted/Written: 06/13/2008 00:43:45 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module unknown, version 0.0.0.0, fault address 0x1f3d6d44.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type26035 / Warning
Event Submitted/Written: 06/11/2008 02:06:39 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type25872 / Error
Event Submitted/Written: 06/08/2008 04:04:13 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "Spooler"
in the "C:\WINDOWS\System32\winspool.drv" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17594 / Error
Event Submitted/Written: 06/16/2008 01:25:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AOL Spyware Protection Service service failed to start due to the following error:
%%2

Event Record #/Type17593 / Warning
Event Submitted/Written: 06/16/2008 01:24:47 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0007E94669AE. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type17581 / Warning
Event Submitted/Written: 06/16/2008 01:15:59 PM
Event ID/Source: 27 / E1000
Event Description:
Intel® PRO/1000 CT Network Connection
Link has been disconnected.

Event Record #/Type17576 / Warning
Event Submitted/Written: 06/16/2008 01:01:54 PM
Event ID/Source: 27 / E1000
Event Description:
Intel® PRO/1000 CT Network Connection
Link has been disconnected.

Event Record #/Type17562 / Warning
Event Submitted/Written: 06/16/2008 00:54:41 PM
Event ID/Source: 20 / Print
Event Description:
Printer Driver HP DeskJet 930C/932C/935C for Windows NT x86 Version-3 was added or updated. Files:- %4.



-- End of Deckard's System Scanner: finished at 2008-06-16 13:33:02 ------------

Any help will be appreciated. Thanks.


#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 16 June 2008 - 04:00 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download Combofix to your Desktop.
Double-click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 sbt

sbt
  • Topic Starter

  • Members
  • 4 posts

Posted 18 June 2008 - 05:47 PM

Here is the HijackThis log, but please find the Combofix.txt attached, since my post was too long with it pasted in here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:02 PM, on 6/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\GetPack\GetPack18.exe
C:\Program Files\GetModule\GetModule18.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\k\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.ispwest.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B77F7F7D-9895-9864-BC9F-B1FEDBFC02B4} - C:\WINDOWS\System32\fsaaotv.dll (file missing)
O4 - HKLM\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\Run: [Internet Explorer] hqjpkson.EXE
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\RunServices: [Internet Explorer] hqjpkson.EXE
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\RunServices: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKCU\..\Run: [Internet Explorer] hqjpkson.EXE
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Explorer] pzualzke.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Win32 System Spool] spoolsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec AntiVirus] nav.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Messenger] msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - Startup: jcxp.lnk = D:\tech\Clean Temp JCXP\jcxp.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\k\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7741 bytes


Thanks for your help.


#4 rookie147

  • Members
  • 5,321 posts
  • Local time:04:17 PM

Posted 19 June 2008 - 04:40 PM

Hi again,
Please print off a copy of these instructions, and also save them to a Notepad file on your Desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Go to Start | Control Panel | Add/Remove Programs and remove the following (if they exist):

GetPack
GetModule


Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: (no name) - {B77F7F7D-9895-9864-BC9F-B1FEDBFC02B4} - C:\WINDOWS\System32\fsaaotv.dll (file missing)
O4 - HKLM\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\Run: [Internet Explorer] hqjpkson.EXE
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\RunServices: [Internet Explorer] hqjpkson.EXE
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\RunServices: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKCU\..\Run: [Internet Explorer] hqjpkson.EXE
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Explorer] pzualzke.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Win32 System Spool] spoolsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Symantec AntiVirus] nav.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Messenger] msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - Startup: jcxp.lnk = D:\tech\Clean Temp JCXP\jcxp.exe


Then close all other windows - you should only see HijackThis on your Desktop - and click the Fix checked button.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Find and delete the following files (if present):

C:\WINDOWS\SYSTEM32\good.exe
C:\WINDOWS\SYSTEM32\hqjpkson.EXE
C:\WINDOWS\SYSTEM32\spoolsvc.exe
C:\WINDOWS\SYSTEM32\msie.exe
C:\WINDOWS\SYSTEM32\nav.exe
C:\WINDOWS\SYSTEM32\msmsgs.exe

And these folders:

C:\Program Files\GetPack
C:\Program Files\GetModule

Reboot into Normal Mode again.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

In your reply I'd like a new Hjt log, new Combofix log and the MBAM report.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
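The fix list in this reply was produced by reading the O2 and O4 lines of the log posted above by hand, and the same three patterns recur in many threads of this kind: autorun values that are a bare file name with no directory, a BHO whose DLL HijackThis reports as missing, and one name/value pair registered under several hives and keys at once. The script below is an added example, written for this page; it is not code from this thread, from the poster, or from HijackThis, and its sample log is a constructed cut-down copy of the one above. It flags those three patterns so a reader can reproduce the triage on their own log. Entries that carry a full, quoted path (the GetPack and GetModule lines in the log) are deliberately not flagged; those still need a reputation check, which is what the Add/Remove Programs step in the reply covers.

```python
import re
from collections import defaultdict

# Constructed sample: same line shapes as the HijackThis log posted above,
# cut down to a handful of entries so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B77F7F7D-9895-9864-BC9F-B1FEDBFC02B4} - C:\WINDOWS\System32\fsaaotv.dll (file missing)
O4 - HKLM\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKLM\..\Run: [Symantec AntiVirus] nav.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] good.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] good.exe
O4 - HKCU\..\Run: [GetPack18] "C:\Program Files\GetPack\GetPack18.exe"
O4 - HKUS\S-1-5-18\..\Run: [Win32 USB2 Driver] good.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Win32 USB2 Driver] good.exe (User 'Default user')
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
"""

# Registry-backed O4 entries: hive, Run/RunServices/RunOnce key, display name,
# value, optional trailing "(User '...')" tag. Startup-folder O4 lines do not match.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<value>.*?)(?: \(User '[^']*'\))?$"
)
# O2 browser helper objects, with HijackThis's "(file missing)" marker if present.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def is_bare_filename(value: str) -> bool:
    """True when the autorun value is only a file name, with no directory part.

    Windows resolves such a value through the search path at logon, so the log
    line alone cannot tell you which binary will actually run. Legitimate
    installers almost always record an absolute, usually quoted, path.
    """
    v = value.strip().strip('"')
    return bool(v) and "\\" not in v and ":" not in v


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return a list of findings (dicts).

    Checks (heuristics chosen for this example, not a HijackThis feature):
      bare-name autorun   - Run/RunServices/RunOnce value with no path
      missing BHO         - O2 entry whose DLL is reported "(file missing)"
      multi-hive autorun  - the same name/value registered under two or more
                            hive\key locations (HKLM, HKCU, HKUS\..., Run + RunServices)
    """
    findings = []
    locations = defaultdict(set)  # (name, value) -> {"HKLM\Run", ...}
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            name, value = m["name"], m["value"]
            locations[(name.lower(), value.lower())].add(f"{m['hive']}\\{m['key']}")
            if is_bare_filename(value):
                findings.append({"check": "bare-name autorun", "line": line,
                                 "name": name, "value": value.strip('"')})
            continue
        m = O2_RE.match(line)
        if m and m["missing"]:
            findings.append({"check": "missing BHO", "line": line,
                             "name": m["name"], "value": m["clsid"]})
    for (name, value), where in locations.items():
        if len(where) >= 2:
            findings.append({"check": "multi-hive autorun", "line": "",
                             "name": name, "value": value,
                             "locations": sorted(where)})
    return findings


def bare_name_values(findings) -> set:
    """Distinct bare executable names (lower-cased): the files to look for on disk."""
    return {f["value"].lower() for f in findings if f["check"] == "bare-name autorun"}


def multi_hive_locations(findings, value: str) -> list:
    """Every hive\\key where `value` was registered, or [] if it appeared only once."""
    for f in findings:
        if f["check"] == "multi-hive autorun" and f["value"] == value.lower():
            return f["locations"]
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['check']}] {f['name']} -> {f['value']} {f.get('locations', '')}")
```

The bare-name set is exactly the list of files the reply tells the poster to look for in C:\WINDOWS\SYSTEM32 after booting into Safe Mode, and the multi-hive report explains why the same entry has to be ticked in HijackThis under HKLM, HKCU, SYSTEM and the default user profile rather than just once.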


#5 sbt
  • Topic Starter
  • Members
  • 4 posts
  • Local time:08:17 AM

Posted 20 June 2008 - 12:11 PM

Please find the three log files attached. Thanks for your assistance.


#6 rookie147

  • Members
  • 5,321 posts
  • Local time:04:17 PM

Posted 20 June 2008 - 03:15 PM

The logs are starting to look clean now. How are things running for you?



#7 sbt
  • Topic Starter
  • Members
  • 4 posts
  • Local time:08:17 AM

Posted 21 June 2008 - 12:41 PM

Yes, the main problem appears to be gone. I no longer have the browser automatically popping up trying to browse unknown sites. Thank you for the help.


#8 rookie147

  • Members
  • 5,321 posts
  • Local time:04:17 PM

Posted 21 June 2008 - 04:28 PM

Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programmes:
Ad-Aware 2008
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles



#9 rookie147

  • Members
  • 5,321 posts
  • Local time:04:17 PM

Posted 16 July 2008 - 04:26 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
