Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Believe I have been hijacked, strange things going on


  • This topic is locked This topic is locked
98 replies to this topic

#1 cajunbk

cajunbk

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 12 April 2009 - 06:47 PM

Hi, I have been having problems for a few weeks now. My browser keeps beeing redirected to bogus sites when I try to go to download.com, my clock keeps changing, my internet properties change, unable to search for files with the search assistant, pc freezes up, and also unable to download any antimalware software. I know that this sounds like a lot but do you think its all related? I am using Avast antivirus,
Malware Bytes antimalware, HJT, even though I dont know what to look for and also have CCleaner which I am afraid to use due to lack of knowledge of it. I have IE and then started using Firefox because I heard it was safer. Nothing ever shows up with Avast ( free version), or MBam. Can someone please help me fix this?

Windows XP sp3
All updates are up to date except for 1-

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86
Download size: 248.4 MB , less than 1 minute
Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features building incrementally upon .NET Framework 2.0, 3.0, 3.5, and includes cumulative servicing updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents. The .NET Framework 3.5 Family Update provides important application compatibility updates.

Should I try to download this update with sp3?

I really would appreciate your support on this problem.

Thank you
cajunbk

Here is a HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:00 PM, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\exec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://my.juno.com/s/sp?r=al&cf=sp&...0770c1c50c68934

4e/cajunbb02:juno.com/1219506258/30/sss.1.79604/&ts=48b03052&A=693355020000079&B=1205

996400000&C=1205996400000&D=0&I=A0859DJ.&N=PL&O=I&UT=companion
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =

http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} -

C:\Program Files\Juno\SearchEnh1.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program

Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -

C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program

Files\Juno\Toolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

-startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O8 - Extra context menu item: Display All Images with Full Quality -

"res://C:\Program Files\Juno\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program

Files\Juno\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BK
O17 - HKLM\Software\..\Telephony: DomainName = BK
O17 - HKLM\System\CCS\Services\Tcpip\..\{832EB336-5859-4B87-ADCD-7094A47191A7}:

NameServer = 64.136.44.74 64.136.52.74
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BK
O17 - HKLM\System\CS1\Services\Tcpip\..\{832EB336-5859-4B87-ADCD-7094A47191A7}:

NameServer = 64.136.44.74 64.136.52.74
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program

Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil

Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil

Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner -

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner -

C:\WINDOWS\System32\ImapiRox.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc.

- C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common

Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation -

C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6858 bytes

Hope I did all this the right way!

Edited by cajunbk, 13 April 2009 - 01:09 PM.


BC AdBot (Login to Remove)

 


#2 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 21 April 2009 - 04:15 PM

Has this topic been overlooked, or does it usually take this long for help?
It has been 10 days sense I posted. Guess I will wait a little longer, hope to hear from someone soon!!

Long time waiting,
cajunbk

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:11:26 PM

Posted 26 April 2009 - 12:02 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 27 April 2009 - 02:10 PM

Hello, first of all I thank you for your help.
I have this problem and have no idea how to solve it. I think I am infected,or hijacked in some way. My clock keeps changing, the internet property settings changes, my brouser is being redirected to other random sites, and popups even though I have popup blocker in IE7. I have tried to download antispyware, antimalware tools and just not working. I really appreciate your expertise in this matter.
I just saw your reply today so I will follow your instructions and get back to you.

Thanks again,
cajunbk

Here is the log you requested:

info.txt logfile of random's system information tool 1.06 2009-04-27 13:46:08

======Uninstall list======

-->C:\Program Files\Creative\SBLive\Program\Upddrv2k.EXE
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\AudioHQ.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\CTMixer.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\HTML.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Midi.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\PlayCenter2\Player2.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Recorder\Recorder.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\Restore.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\SoundFont.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\SBLive\WaveStudio\Wstudio.isu"
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Uninstall\Installer.isu"
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
AOL Connectivity Services-->C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
ArcSoft PhotoStudio 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}\setup.exe" -l0x9 -uninst
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI DVD Decoder 2.2.0.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D3661269-10B6-495F-B4EE-539ABE3F9AA9} /l1033
ATI HydraVision-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 8.1.0.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{28ADA52D-B7AF-442C-8B7F-CEB9ECC28078} /l1033
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Cypress USB Mass Storage Driver Installation-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
DAO-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{438D221C-5B5B-4E4B-B7BD-A86512E5B6C1}
DAO-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
Dell ResourceCD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Dell Solution Center-->MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellTouch-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
GTK+ Runtime 2.6.9 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet II-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\PROSet\PROUnins.isu" -c"C:\Program Files\Intel\PROSet\PROInst.DLL"
Juno Internet-->"C:\Program Files\Juno\JunoUninstaller.exe"
Lucent Win Modem-->C:\WINDOWS\System32\ltremove.exe -s
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework (English) v1.0.3705-->C:\WINDOWS\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework (English)-->MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework 1.0 Hotfix (KB928367)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2002-->MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Excel Viewer 97-->C:\Program Files\XLView\setup\setup.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2002 System Pack-->MsiExec.exe /I{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}
Microsoft Money 2002-->MsiExec.exe /I{E7298FD5-1386-11D5-8D6C-0050DAD32D95}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Picture It! Photo 2002-->MsiExec.exe /I{C769A271-7E1C-48F9-B331-474600DD4C06}
Microsoft Streets and Trips 2002-->MsiExec.exe /I{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0-->MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Modem Helper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel
Mozilla Firefox (3.0.9)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Windows 2000/XP Display Drivers-->rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nv4_disp.inf
PhoneTools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3436EE2-D5CB-4249-840B-3A0140CC34C1}\setup.exe" ControlPanel
PIXELA ImageMixer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13413C6C-C640-40B8-917E-CA3062826B18}\setup.exe"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Encoder (KB954156)-->"C:\WINDOWS\$NtUninstallKB954156_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Sound Blaster Live! Value-->C:\Program Files\Creative\Uninstall\CTUNINST.EXE /U:UNINST1.INI
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
USB Storage Adapter FX (SM1)-->SM1UN.EXE SM1FX_AT
WinAce Archiver-->C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Encoder 9 Series-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XviD MPEG-4 Video Codec-->"C:\Program Files\XviD\unins000.exe"

=====HijackThis Backups=====

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Accelerated&userName=cajunbb02&firstName=Barbara&qs=ADABBPLAHGCJBAOECHDJHPOIJDJBKMAAFEFOOIPDHBNHKAIIHEIPAEPGAKBALBFOLIFGKLBHJCBAFKPBPDJAENJFHGEJAMMDMNPGOGDHJMACLEFCIDEHMMPCIBGICCIH|BPMPFABGDGNMCNOPADEEAAGOBAFDFELJC [2009-03-15]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Accelerated&userName=cajunbb02&firstName=Barbara&qs=ADABBPLAHGCJBAOECHDJHPOIJDJBKMAAFEFOOIPDHBNHKAIIHEIPAEPGAKBALBFOLIFGKLBHJCBAFKPBPDJAENJFHGEJAMMDMNPGOGDHJMACLEFCIDEHMMPCIBGICCIH|BPMPFABGDGNMCNOPADEEAAGOBAFDFELJC [2009-03-15]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) [2009-03-15]
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [2009-03-19]
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install [2009-03-19]
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe [2009-03-19]
O17 - HKLM\System\CCS\Services\Tcpip\..\{832EB336-5859-4B87-ADCD-7094A47191A7}: NameServer = 64.136.52.73 64.136.44.73 [2009-03-22]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BK [2009-03-22]
O17 - HKLM\System\CS1\Services\Tcpip\..\{832EB336-5859-4B87-ADCD-7094A47191A7}: NameServer = 64.136.52.73 64.136.44.73 [2009-03-22]
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) [2009-03-22]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BK [2009-03-22]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BK [2009-03-22]
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) [2009-03-22]
O17 - HKLM\Software\..\Telephony: DomainName = BK [2009-03-22]
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll [2009-03-26]
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll [2009-03-26]
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll [2009-03-26]
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll [2009-03-26]
O17 - HKLM\System\CCS\Services\Tcpip\..\{832EB336-5859-4B87-ADCD-7094A47191A7}: NameServer = 64.136.44.74 64.136.52.74 [2009-03-26]
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BK [2009-03-26]
O17 - HKLM\System\CS1\Services\Tcpip\..\{832EB336-5859-4B87-ADCD-7094A47191A7}: NameServer = 64.136.44.74 64.136.52.74 [2009-03-26]
O17 - HKLM\Software\..\Telephony: DomainName = BK [2009-03-26]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BK [2009-03-26]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BK [2009-03-26]
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) [2009-03-26]
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe [2009-03-26]
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2009-03-29]
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) [2009-04-05]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [2009-04-09]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090427-0]

======System event log======

Computer Name: BARBARA
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 7175
Source Name: Service Control Manager
Time Written: 20090326125141.000000-420
Event Type: error
User:

Computer Name: BARBARA
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 7172
Source Name: Service Control Manager
Time Written: 20090326125141.000000-420
Event Type: error
User:

Computer Name: BARBARA
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 7169
Source Name: Service Control Manager
Time Written: 20090326125141.000000-420
Event Type: error
User:

Computer Name: BARBARA
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 7166
Source Name: Service Control Manager
Time Written: 20090326125141.000000-420
Event Type: error
User:

Computer Name: BARBARA
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 7163
Source Name: Service Control Manager
Time Written: 20090326125141.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: BARBARA
Event Code: 1003
Message: TraceFileName parameter not located in registry;
Default trace file used is .

Record Number: 15
Source Name: EvntAgnt
Time Written: 20090208124345.000000-480
Event Type: warning
User:

Computer Name: BARBARA
Event Code: 1517
Message: Windows saved user BARBARA\Barbara Kornegay registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 9
Source Name: Userenv
Time Written: 20090207215030.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BARBARA
Event Code: 1015
Message: TraceLevel parameter not located in registry;
Default trace level used is 32.

Record Number: 8
Source Name: EvntAgnt
Time Written: 20090207214849.000000-480
Event Type: warning
User:

Computer Name: BARBARA
Event Code: 1003
Message: TraceFileName parameter not located in registry;
Default trace file used is .

Record Number: 7
Source Name: EvntAgnt
Time Written: 20090207214849.000000-480
Event Type: warning
User:

Computer Name: BARBARA
Event Code: 1517
Message: Windows saved user BARBARA\Barbara Kornegay registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1
Source Name: Userenv
Time Written: 20090207214652.000000-480
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0204
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------

#5 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 30 April 2009 - 01:34 PM

Hi, I will be patient and wait for further instructions...

Thanks
cajunbk

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:26 PM

Posted 01 May 2009 - 05:01 PM

Hello cajunbk,

suebaby41 has been called away, so I will step in an help you.

Please be patient while I review your log.

Edited by SifuMike, 01 May 2009 - 06:36 PM.
spelling

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:26 PM

Posted 01 May 2009 - 05:28 PM

Hi cajunbk

Which browser are you using when you are hijackthed? Firefox or IE? Or is it both being hijacked?


You posted the contents of the RSIT linfo.txt but not the log.txt
Please post the log.txt.

**************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**************

Also, please post the Malwarebytes log so I can see what it is finding.

Edited by SifuMike, 01 May 2009 - 05:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 01 May 2009 - 06:36 PM

Hello SifoMike, thank you for your help.
Was there suppose to be more than one log for RSIT, or was I to do a HJT log also??
Yes, I am being hijacked in both IE7 an firefox.
Maybe I misunderstood how to on RSIT. I will follow your instructions and get back to you.
Please be patient with me, I am not a computer wiz by no means.

Thanks
cajunbk

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:26 PM

Posted 01 May 2009 - 06:43 PM

No, the RSIT Info.txt will include a hijackthis log. No need to run Hijackthis.


Once RSIT has finished, two logs will open.
Please post the contents of both log.txt (<<will be maximized)
You already postedd the info.txt(<<will be minimized) so no need to post it


No need to rush, as I am patient guy. :thumbup2:

Edited by SifuMike, 01 May 2009 - 06:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 01 May 2009 - 07:12 PM

Logfile of random's system information tool 1.06 (written by random/random)
Run by Barbara Kornegay at 2009-05-01 18:42:17
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 30 GB (80%) free of 38 GB
Total RAM: 511 MB (18% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:29 PM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Juno\exec.exe
C:\Program Files\Juno\exec.exe
C:\Documents and Settings\Barbara Kornegay\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Barbara Kornegay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/s/sp?r=al&cf=sp&...mp;UT=companion
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\Juno\SearchEnh1.dll
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno\qsacc\X1IEBHO.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Juno_uoltray] C:\Program Files\Juno\exec.exe regrun
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\Juno\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BK
O17 - HKLM\Software\..\Telephony: DomainName = BK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BK
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6310 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52706EF7-D7A2-49AD-A615-E903858CF284}]
Pop-up Blocker - C:\Program Files\Juno\qsacc\X1IEBHO.dll [2007-08-09 211464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - JunoBar - C:\Program Files\Juno\Toolbar.dll [2008-05-19 325136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"=C:\WINDOWS\Updreg.exe [2000-05-10 90112]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-09-29 344064]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-06-14 81920]
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2004-04-07 496752]
"LTWinModem1"=ltmsg.exe 9 []
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-06-14 221184]
"AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe [2001-03-27 102400]
"ViewMgr"= []
"SM1BG"=C:\WINDOWS\SM1BG.EXE [2003-08-27 94208]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"= []
"Sonic RecordNow!"= []
"Juno_uoltray"=C:\Program Files\Juno\exec.exe [2008-05-06 1701376]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
C:\WINDOWS\DELLMMKB.EXE [2001-09-23 163840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-02-21 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=5F000000
""=

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:America Online 9.0"
"C:\Program Files\AIM95\aim.exe"="C:\Program Files\AIM95\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Dell\SolutionCenter\DellSC.exe"="C:\Program Files\Dell\SolutionCenter\DellSC.exe:*:Disabled:Solution Center"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe"="C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe:*:Disabled:Acrobat Reader 5.0"
"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"="C:\Program Files\Trend Micro\HijackThis\HijackThis.exe:*:Disabled:HijackThis"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Disabled:Malwarebytes' Anti-Malware"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\WINDOWS\SYSTEM32\mmc.exe"="C:\WINDOWS\SYSTEM32\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Disabled:Java™ Platform SE binary"
"C:\Program Files\Juno\exec.exe"="C:\Program Files\Juno\exec.exe:*:Disabled:Juno Internet"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM95\aim.exe"="C:\Program Files\AIM95\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"

======List of files/folders created in the last 1 months======

2009-04-28 21:09:09 ----D---- C:\Program Files\Panda Security
2009-04-27 13:45:44 ----D---- C:\rsit
2009-04-17 11:43:55 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-16 14:23:58 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-16 14:23:49 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-16 14:23:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-16 14:23:31 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-16 14:23:16 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-16 14:19:16 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-03 10:00:15 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-04-03 10:00:12 ----D---- C:\Program Files\Alwil Software
2009-04-02 21:39:37 ----D---- C:\Program Files\CCleaner

======List of files/folders modified in the last 1 months======

2009-05-01 18:42:23 ----AC---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2009-05-01 18:08:29 ----D---- C:\Program Files\Mozilla Firefox
2009-05-01 13:34:14 ----D---- C:\WINDOWS\Temp
2009-04-30 20:18:08 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-29 09:31:09 ----D---- C:\WINDOWS
2009-04-28 21:39:46 ----D---- C:\WINDOWS\system32\DRIVERS
2009-04-28 21:39:33 ----HD---- C:\WINDOWS\INF
2009-04-28 21:09:09 ----AD---- C:\Program Files
2009-04-25 18:53:21 ----D---- C:\Program Files\WinAce
2009-04-25 18:41:14 ----SHD---- C:\WINDOWS\Installer
2009-04-25 18:41:14 ----HDC---- C:\Config.Msi
2009-04-25 18:40:51 ----D---- C:\WINDOWS\SYSTEM32
2009-04-22 12:05:52 ----A---- C:\WINDOWS\imsins.BAK
2009-04-22 11:21:12 ----D---- C:\WINDOWS\Help
2009-04-21 19:36:39 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-04-19 18:42:14 ----D---- C:\Program Files\Windows Media Player
2009-04-19 18:42:13 ----D---- C:\Program Files\Rio
2009-04-19 18:42:12 ----D---- C:\Program Files\Microsoft Streets & Trips
2009-04-19 18:42:12 ----D---- C:\Program Files\Microsoft Picture It! 2002
2009-04-19 18:42:11 ----D---- C:\Program Files\HP
2009-04-19 18:42:09 ----D---- C:\Program Files\Dell
2009-04-19 18:42:09 ----D---- C:\Program Files\Creative
2009-04-19 18:42:09 ----D---- C:\Program Files\Common Files\Real
2009-04-19 18:42:09 ----D---- C:\Program Files\Common Files
2009-04-19 18:42:08 ----D---- C:\Program Files\Common Files\InstallShield
2009-04-18 22:01:18 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-04-18 22:01:14 ----D---- C:\WINDOWS\system32\en-US
2009-04-18 22:01:14 ----D---- C:\Program Files\Internet Explorer
2009-04-18 22:01:01 ----D---- C:\WINDOWS\ie7updates
2009-04-17 18:28:50 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-17 18:23:45 ----D---- C:\WINDOWS\system32\WBEM
2009-04-17 11:43:18 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-17 09:08:46 ----D---- C:\WINDOWS\AppPatch
2009-04-12 23:21:47 ----A---- C:\WINDOWS\MSIOSD.INI
2009-04-06 22:19:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-06 07:57:24 ----AC---- C:\WINDOWS\system32\MRT.exe
2009-04-05 17:40:27 ----D---- C:\WINDOWS\system32\NtmsData
2009-04-05 17:18:03 ----D---- C:\WINDOWS\Registration
2009-04-04 18:05:28 ----A---- C:\WINDOWS\SYSTEM.INI
2009-04-04 13:26:07 ----D---- C:\WINDOWS\system32\CONFIG

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 OMCI;OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [2001-08-22 13632]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2006-02-21 1505792]
R3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2005-06-13 162816]
R3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2002-06-12 284288]
R3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2002-06-12 7424]
R3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-31 625537]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 Msikbd2k;DellTouch; C:\WINDOWS\System32\DRIVERS\msikbd2k.sys [2000-10-03 6942]
R3 NMSCFG;NIC Management Service Configuration Driver; \??\C:\WINDOWS\system32\drivers\NMSCFG.SYS []
R3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2002-06-12 36992]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2005-08-19 2432]
S1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2005-08-19 2560]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S1 pwd_2K;pwd_2K; C:\WINDOWS\system32\drivers\pwd_2K.sys []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys [2001-06-20 4272]
S3 cdiskdun;cdiskdun; \??\C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\cdiskdun.sys []
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-05-15 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-05-15 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-21 21568]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 RIOUNIV;Rio universal USB driver; C:\WINDOWS\System32\Drivers\RIOUNIV.sys [2004-09-25 16128]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-02-21 405504]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 NMSSvc;Intel® NMS; C:\WINDOWS\System32\NMSSvc.exe [2001-07-11 1077248]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2009-03-17 69632]
R3 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [2004-04-07 1135728]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ATI Smart;ATI Smart; C:\WINDOWS\SYSTEM32\ati2sgag.exe [2004-09-29 516096]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.EXE [1999-12-12 44032]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Nhksrv;Netropa NHK Server; C:\WINDOWS\Nhksrv.exe [2001-08-06 28672]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe []
S3 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-07-28 77824]
S3 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-13 33280]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-13 8704]
S3 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

#11 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 01 May 2009 - 07:17 PM

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
avast!Antivirus
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
CCleaner (remove only)
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
ALWILS~1 Avast4 ashDisp.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 18 seconds.
`````````End of Log```````````

#12 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 01 May 2009 - 07:26 PM

Did I do this right this time? It looks like the same one, huh. I will get MBAM next.


cajunbk

#13 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 01 May 2009 - 07:53 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2066
Windows 5.1.2600 Service Pack 3

5/1/2009 7:41:23 PM
mbam-log-2009-05-01 (19-41-23).txt

Scan type: Quick Scan
Objects scanned: 88431
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hi SifuMike,
MBAM never finds anything so now what?
Do you see anything in the other ones?

cajunbk

#14 cajunbk

cajunbk
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 01 May 2009 - 08:53 PM

SifuMike,

I have to call it a night and check back with you in the morning ok. Hope I did all the logs correctly, if not I will have to do it again tomorrow ok.

Goodnight for now, have a good evening and thank you for your help,

cajunbk

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:26 PM

Posted 01 May 2009 - 08:56 PM

Hi cajunbk,

I asked to see the Malwarebytes log that found the malware and the one you posted found nothing. I look like you ran it again.

Did the first run of Malwarebytes find anything? I only need to see it if it found malware.

The logs are automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & Paste the entire report in your next reply (only if it found malware on the first run)

Edited by SifuMike, 01 May 2009 - 09:32 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users