Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis log please help diagnose


  • This topic is locked This topic is locked
8 replies to this topic

#1 tito_023

tito_023

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 11 December 2008 - 05:58 PM

k my computer has just been acting extremely sluggish lately.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:44 PM, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for deluxetree[1].zip\Christmas.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for xmas[1].zip\Xmas.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for xmasspirit[1].zip\XmasSpirit.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for magictree[1].zip\MagicTree.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
O2 - BHO: Smart-Shopper - {4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcxl.exe] C:\WINDOWS\system32\kdcxl.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Deluxe Tree] C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for deluxetree[1].zip\Christmas.exe
O4 - HKCU\..\Run: [Xmas Tree] C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for xmas[1].zip\Xmas.exe
O4 - HKCU\..\Run: [Christmas spirit] C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for xmasspirit[1].zip\XmasSpirit.exe
O4 - HKCU\..\Run: [Magic Tree] C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for magictree[1].zip\MagicTree.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {0713E8A2-850A-101B-AFC0-4210102A8DA7} (Microsoft TreeView Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/shared/C...22/ComCtl32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O21 - SSODL: Urlanmic - {E4BBF94E-A247-4DC8-A013-9D053C47D133} - (no file)
O21 - SSODL: Autapreg - {C0AF8432-8BA6-46CD-AAF5-E429ADE2A2D2} - C:\WINDOWS\system32\sndemcab.dll
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10911 bytes

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,946 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:21 PM

Posted 20 December 2008 - 11:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 tito_023

tito_023
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 20 December 2008 - 05:29 PM

ok here are the two repots it constructed:


DDS (Version 1.1.0) - NTFSx86
Run by Owner at 15:24:58.46 on Sat 12/20/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.563 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Kiwee Toolbar: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: Kiwee Toolbar: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [KiweeHook] "c:\program files\kiwee toolbar\2.8.167\kwtbaim.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoFileSysPage = 0 (0x0)
uPolicies-system: NoNetSetup = 0 (0x0)
uPolicies-system: NoNetSetupIDPage = 0 (0x0)
uPolicies-system: NoNetSetupSecurityPage = 0 (0x0)
uPolicies-system: NoWorkgroupContents = 0 (0x0)
uPolicies-system: NoEntireNetwork = 0 (0x0)
uPolicies-system: NoFileSharingControl = 0 (0x0)
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
SSODL: Autapreg - {C0AF8432-8BA6-46CD-AAF5-E429ADE2A2D2} - c:\windows\system32\sndemcab.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-16 11840]
R2 AGWinService;AG Windows Service;"c:\program files\agi\common\win32\PythonService.exe" [2008-10-8 10240]
R2 AntiVirScheduler;Avira AntiVir Personal Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-12-16 68865]
R2 AntiVirService;Avira AntiVir Personal Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-12-16 147201]
R2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2008-8-7 10112]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-16 49472]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2008-8-7 9216]
S3 PAC207;Webcam;c:\windows\system32\drivers\PFC027.SYS [2007-6-12 508416]

=============== Created Last 30 ================

2008-12-16 13:18 <DIR> --d----- c:\program files\Avira
2008-12-16 12:57 <DIR> a-dshr-- C:\cmdcons
2008-12-16 12:56 161,792 a------- c:\windows\SWREG.exe
2008-12-16 12:56 98,816 a------- c:\windows\sed.exe
2008-12-11 15:48 <DIR> --d----- c:\program files\Trend Micro
2008-12-11 08:01 239,104 a------- c:\windows\system32\objanmak.dll
2008-12-10 07:30 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2008-11-25 08:21 118 a------- c:\windows\system32\MRT.INI
2008-11-24 15:01 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-24 15:01 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-23 11:56 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-11-23 11:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-23 11:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 11:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-23 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-23 11:31 11,246 a------- c:\windows\wininit.ini
2008-11-23 10:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-23 10:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2008-12-19 08:00 14,707 a------- c:\windows\system32\txtewbot.dll
2008-10-24 04:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 13:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-08 15:02 2,117,632 a------- c:\windows\system32\python25.dll
2008-10-08 15:02 339,968 a------- c:\windows\system32\pythoncom25.dll
2008-10-08 15:02 114,688 a------- c:\windows\system32\pywintypes25.dll
2008-10-03 03:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-08-07 11:33 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 15:25:16.33 ===============










UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/7/2008 11:32:27 AM
System Uptime: 12/19/2008 10:14:22 AM (29 hours ago)

Motherboard: MSI | | MS-6741
Processor: AMD Athlon™ 64 Processor 3400+ | Socket-754 | 2400/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 182 GiB total, 125.442 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 1.619 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP54: 9/21/2008 5:11:10 PM - System Checkpoint
RP55: 9/22/2008 5:56:53 PM - System Checkpoint
RP56: 9/23/2008 3:08:59 PM - Logitech QuickCam v11.80.1048
RP57: 9/24/2008 5:19:12 PM - System Checkpoint
RP58: 9/25/2008 7:02:15 PM - System Checkpoint
RP59: 9/26/2008 7:44:18 PM - System Checkpoint
RP60: 9/27/2008 9:00:41 PM - System Checkpoint
RP61: 9/28/2008 9:45:37 PM - System Checkpoint
RP62: 9/30/2008 7:53:41 AM - System Checkpoint
RP63: 10/1/2008 9:21:21 AM - System Checkpoint
RP64: 10/2/2008 2:48:26 PM - System Checkpoint
RP65: 10/3/2008 3:20:51 PM - System Checkpoint
RP66: 10/4/2008 3:29:39 PM - System Checkpoint
RP67: 10/5/2008 4:29:36 PM - System Checkpoint
RP68: 10/6/2008 5:26:14 PM - System Checkpoint
RP69: 10/7/2008 6:41:58 PM - System Checkpoint
RP70: 10/8/2008 8:41:32 PM - System Checkpoint
RP71: 10/10/2008 9:16:58 AM - System Checkpoint
RP72: 10/11/2008 10:22:32 AM - System Checkpoint
RP73: 10/12/2008 11:08:35 AM - System Checkpoint
RP74: 10/13/2008 5:14:43 PM - System Checkpoint
RP75: 10/14/2008 5:35:36 PM - System Checkpoint
RP76: 10/15/2008 8:58:53 PM - System Checkpoint
RP77: 10/16/2008 9:33:18 AM - Software Distribution Service 3.0
RP78: 10/17/2008 9:57:31 AM - System Checkpoint
RP79: 10/18/2008 11:23:16 AM - System Checkpoint
RP80: 10/19/2008 12:17:10 PM - System Checkpoint
RP81: 10/20/2008 4:45:43 PM - System Checkpoint
RP82: 10/21/2008 4:46:32 PM - System Checkpoint
RP83: 10/22/2008 4:59:34 PM - System Checkpoint
RP84: 10/23/2008 5:21:47 PM - System Checkpoint
RP85: 10/24/2008 8:39:46 AM - Software Distribution Service 3.0
RP86: 10/25/2008 1:24:17 PM - System Checkpoint
RP87: 10/26/2008 5:48:34 PM - System Checkpoint
RP88: 10/26/2008 9:04:39 PM - Removed McAfee AntiSpyware
RP89: 10/28/2008 12:37:25 AM - System Checkpoint
RP90: 10/28/2008 10:52:07 AM - Software Distribution Service 3.0
RP91: 10/29/2008 8:51:05 AM - Avira AntiVir Personal - 10/29/2008 8:51
RP92: 10/29/2008 8:55:49 AM - Avira AntiVir Personal - 10/29/2008 8:55
RP93: 10/30/2008 9:21:41 AM - System Checkpoint
RP94: 10/31/2008 11:30:58 AM - System Checkpoint
RP95: 11/1/2008 12:28:18 PM - System Checkpoint
RP96: 11/2/2008 12:55:23 PM - System Checkpoint
RP97: 11/3/2008 2:40:52 PM - System Checkpoint
RP98: 11/4/2008 2:54:49 PM - System Checkpoint
RP99: 11/5/2008 4:34:58 PM - System Checkpoint
RP100: 11/6/2008 5:45:14 PM - System Checkpoint
RP101: 11/7/2008 6:11:19 PM - System Checkpoint
RP102: 11/9/2008 11:17:28 AM - System Checkpoint
RP103: 11/10/2008 4:40:38 PM - System Checkpoint
RP104: 11/11/2008 4:47:32 PM - System Checkpoint
RP105: 11/12/2008 6:15:40 PM - System Checkpoint
RP106: 11/13/2008 7:19:08 PM - Removed Windows Live Messenger
RP107: 11/13/2008 7:19:30 PM - Removed Windows Live Sign-in Assistant
RP108: 11/13/2008 7:20:41 PM - Restore Operation
RP109: 11/14/2008 8:10:27 PM - System Checkpoint
RP110: 11/15/2008 9:44:42 PM - System Checkpoint
RP111: 11/17/2008 9:09:07 AM - System Checkpoint
RP112: 11/18/2008 3:44:36 PM - System Checkpoint
RP113: 11/19/2008 4:28:28 PM - System Checkpoint
RP114: 11/21/2008 8:14:57 AM - System Checkpoint
RP115: 11/22/2008 9:14:35 AM - System Checkpoint
RP116: 11/23/2008 12:26:27 PM - System Checkpoint
RP117: 11/24/2008 3:25:27 PM - System Checkpoint
RP118: 11/25/2008 8:20:11 AM - Software Distribution Service 3.0
RP119: 11/26/2008 8:44:34 AM - System Checkpoint
RP120: 12/1/2008 10:49:45 AM - System Checkpoint
RP121: 12/2/2008 2:03:47 PM - System Checkpoint
RP122: 12/3/2008 5:37:59 PM - System Checkpoint
RP123: 12/4/2008 6:26:10 PM - System Checkpoint
RP124: 12/6/2008 10:08:22 AM - System Checkpoint
RP125: 12/11/2008 3:00:15 AM - Software Distribution Service 3.0
RP126: 12/12/2008 3:00:16 AM - Software Distribution Service 3.0
RP127: 12/13/2008 6:34:46 AM - System Checkpoint
RP128: 12/14/2008 1:15:13 PM - System Checkpoint
RP129: 12/15/2008 5:27:44 PM - System Checkpoint
RP130: 12/16/2008 12:57:07 PM - ComboFix created restore point
RP131: 12/16/2008 1:10:20 PM - ComboFix created restore point
RP132: 12/16/2008 1:14:54 PM - Avira AntiVir Personal - 12/16/2008 13:14
RP133: 12/16/2008 1:18:00 PM - Avira AntiVir Personal - 12/16/2008 13:17
RP134: 12/17/2008 2:49:22 PM - System Checkpoint
RP135: 12/18/2008 7:58:48 AM - Software Distribution Service 3.0
RP136: 12/19/2008 8:15:04 AM - System Checkpoint
RP137: 12/20/2008 8:31:08 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 6.0
AOL Toolbar
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal Free Antivirus
BigFix
Bonjour
Digital Media Reader
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
IC 435C Webcam
iTunes
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 7
Kiwee Toolbar
Learn2 Player (Uninstall Only)
LimeWire 4.18.6
Logitech Desktop Messenger
Logitech Legacy USB Camera Driver Package
Logitech QuickCam
Logitech QuickCam Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007 (Beta)
Microsoft Office Excel MUI (English) 2007 (Beta)
Microsoft Office InfoPath MUI (English) 2007 (Beta)
Microsoft Office Outlook MUI (English) 2007 (Beta)
Microsoft Office PowerPoint MUI (English) 2007 (Beta)
Microsoft Office Professional 2007 (Beta)
Microsoft Office Professional Edition 2003
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Publisher MUI (English) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Word MUI (English) 2007 (Beta)
Microsoft Picture It! Photo Premium 9
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Multimedia Keyboard Driver
Nero BurnRights
Nero OEM
NVIDIA Drivers
oobeFlagNetscape0
OpenOffice.org Installer 1.0
PowerDVD
PQ DVD to iPod Video Suite (remove only)
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
rss_upd
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VIA Rhine-Family Fast Ethernet Adapter
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

12/16/2008 12:56:50 PM, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
12/14/2008 3:11:50 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.103 with the system having network hardware address 00:1F:3C:84:E0:2A. Network operations on this system may be disrupted as a result.

==== End Of File ===========================

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 21 December 2008 - 11:41 PM

Hello tito_023. I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Avira:
  • Navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: Posted Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks to this: Posted Image )
View Point Program
Viewpoint Manager and Viewpoint Media Player are considered as foistware instead of malware since it is installed without users approval, but does not have malicious effects. This changed from what we know in 2006 read this article.

I suggest you remove the program(s) through Add and Remove Programs.

While you are there, you may also want to remove Kiwee toolbar, which is considered by some to be adware.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Autapreg"=-
    
    :processes
    explorer.exe
    
    :files
    c:\windows\system32\sndemcab.dll
    c:\windows\system32\objanmak.dll
    c:\windows\system32\txtewbot.dll
    :commands
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Install and Run CCleaner
We will user CCleaner by Piriform to remove temporary files.
  • Please download CCleanerSetup from this page to your desktop. Select the Download Latest Version at the top right of the page.
  • Double click the setup file. Follow the prompts to install the program. I suggest you uncheck the option for Yahoo! toolbar. Otherwise, adjust options as you please.
  • Open CCleaner to the Cleaner section.
  • Check all items in Internet Explorer, Windows Explorer, and System. You can leave "Auto Completely Form History" unchecked if desired.
  • Under the Advanced section, check, unless otherwise desired:
    • Old Prefetch data
    • Menu Cache order
    • Tray Notifications Cache (settings for items in the area beside the clock)
    • User Assist History
    • IIS Log Files
    • Hotfix uninstallers
  • Click Run Cleaner. Close out when finished.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please re-enable your protection at this time.

Post back with:
-the OTMoveIt log
-the Kaspersky scan log
-a new DDS log (only DDS.txt)

Any improvement in performance?

With Regards,
The Panda

#5 tito_023

tito_023
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 22 December 2008 - 08:21 PM

ok i did a search for kiwee toolbar and found a ton of its contents but i couldn't find it in the "add and remove programs" list. should i just do the search again and delete everything?
also i completed the OTMoveIT thing but it restarted my computer before i got a chance to copy and paste everything in the log. should i do that again?

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 22 December 2008 - 08:29 PM

Hello.

You should find the log in the OTScanIt folder. It's the one with the numbers in the name.

We'll remove the Kiwee toolbar with OTScanIt next round then.

Please continue with the other steps.

With Regards,
The Panda

#7 tito_023

tito_023
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 29 December 2008 - 09:06 PM

DDS (Version 1.1.0) - NTFSx86
Run by Owner at 19:02:45.81 on Mon 12/29/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.459 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://msn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar\2.8.167\KiweeIEToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [KiweeHook] "c:\program files\kiwee toolbar\2.8.167\kwtbaim.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uPolicies-explorer: RestrictRun = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoFileSysPage = 0 (0x0)
uPolicies-system: NoNetSetup = 0 (0x0)
uPolicies-system: NoNetSetupIDPage = 0 (0x0)
uPolicies-system: NoNetSetupSecurityPage = 0 (0x0)
uPolicies-system: NoWorkgroupContents = 0 (0x0)
uPolicies-system: NoEntireNetwork = 0 (0x0)
uPolicies-system: NoFileSharingControl = 0 (0x0)
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-22 11840]
R2 AGWinService;AG Windows Service;"c:\program files\agi\common\win32\PythonService.exe" [2008-10-8 10240]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-12-22 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-12-22 151297]
R2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2008-8-7 10112]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-22 52032]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2008-8-7 9216]
S2 gupdate1c9696a9cd8d03f;Google Update Service (gupdate1c9696a9cd8d03f);"c:\program files\google\update\GoogleUpdate.exe" /svc [2008-12-28 119280]
S3 PAC207;Webcam;c:\windows\system32\drivers\PFC027.SYS [2007-6-12 508416]

=============== Created Last 30 ================

2008-12-23 17:02 <DIR> --d----- c:\program files\CCleaner
2008-12-22 18:34 <DIR> --d----- c:\program files\Avira
2008-12-22 18:20 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-22 18:12 <DIR> --d----- C:\_OTMoveIt
2008-12-16 12:57 <DIR> a-dshr-- C:\cmdcons
2008-12-16 12:56 161,792 a------- c:\windows\SWREG.exe
2008-12-16 12:56 98,816 a------- c:\windows\sed.exe
2008-12-11 15:48 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 07:30 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll

==================== Find3M ====================

2008-12-20 17:35 14,707 a------- c:\windows\system32\txtewbot.dll
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 13:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-08 15:02 2,117,632 a------- c:\windows\system32\python25.dll
2008-10-08 15:02 339,968 a------- c:\windows\system32\pythoncom25.dll
2008-10-08 15:02 114,688 a------- c:\windows\system32\pywintypes25.dll
2008-10-03 03:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-08-07 11:33 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 19:03:14.96 ===============







otmoveit log:

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\Autapreg deleted successfully.
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\windows\system32\sndemcab.dll not found.
LoadLibrary failed for c:\windows\system32\objanmak.dll
c:\windows\system32\objanmak.dll NOT unregistered.
c:\windows\system32\objanmak.dll moved successfully.
File/Folder c:\windows\system32\txtewbot.dll not found.
========== COMMANDS ==========

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12222008_181215

Edited by tito_023, 29 December 2008 - 09:09 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 30 December 2008 - 07:33 AM

Hello.

This should remove the Kiwee toolbar.

Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Custom Items]
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
    "{6638a9de-0745-4292-8a2e-ae530e7b9b3f}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KiweeHook"=-
    :files
    c:\program files\kiwee toolbar\
    c:\windows\system32\txtewbot.dll
    :end
  • Close all windows except OTScanIt.
  • Click it Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Take a new DDS log after please.

With Regards,
The Panda

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:21 PM

Posted 04 January 2009 - 11:04 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users