Fresh Hijackthis Log


7 replies to this topic

#1 abckid24

  • Members
  • 51 posts

Posted 16 June 2006 - 01:38 AM

Hey. I've noticed my system has been acting up recently, so I decided to run HijackThis. Any help would be great!

Logfile of HijackThis v1.99.1
Scan saved at 2:25:30 AM, on 6/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\user\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\user\Desktop\Cashfiesta.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127525503187
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92A35924-7A09-4F55-B264-16801DF5784F}: NameServer = 167.206.3.219,167.206.3.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{D53A0F5E-610E-4A19-961E-9F1E998A3F24}: NameServer = 167.206.3.220,167.206.3.219
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll (file missing)
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


#2 MFDnSC

    Ret. Director I/T
  • Members
  • 4,310 posts

Posted 16 June 2006 - 09:34 AM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new HijackThis log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 abckid24

  • Topic Starter
  • Members
  • 51 posts

Posted 16 June 2006 - 12:00 PM

Hey, thanks for the help!

SpySweeper Log:
********
11:41 AM: | Start of Session, Friday, June 16, 2006 |
11:41 AM: Spy Sweeper started
11:41 AM: Sweep initiated using definitions version 700
11:41 AM: Starting Memory Sweep
11:53 AM: Memory Sweep Complete, Elapsed Time: 00:11:56
11:53 AM: Starting Registry Sweep
11:53 AM: Found Adware: exact cashback/bargain buddy
11:53 AM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\bargain buddy\ (2 subtraces) (ID = 104023)
11:53 AM: Found Adware: navexcel navhelper
11:53 AM: HKCR\appid\nhelper.dll\ (1 subtraces) (ID = 135511)
11:53 AM: HKLM\software\classes\appid\nhelper.dll\ (1 subtraces) (ID = 135525)
11:53 AM: Found Adware: websearch toolbar
11:53 AM: HKCR\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (16 subtraces) (ID = 146339)
11:53 AM: HKCR\clsid\{cabcf5e7-0c79-4f1c-909d-b9cf68fed746}\ (10 subtraces) (ID = 146342)
11:53 AM: HKCR\clsid\{fb45c451-b0e9-4407-bb6a-9361013f3e9a}\ (9 subtraces) (ID = 146347)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (16 subtraces) (ID = 146402)
11:53 AM: HKLM\software\classes\clsid\{cabcf5e7-0c79-4f1c-909d-b9cf68fed746}\ (10 subtraces) (ID = 146405)
11:53 AM: HKLM\software\classes\clsid\{fb45c451-b0e9-4407-bb6a-9361013f3e9a}\ (9 subtraces) (ID = 146410)
11:53 AM: HKLM\software\classes\typelib\{db9a4e78-35df-4a54-b6c5-c5190ceaf949}\ (9 subtraces) (ID = 146449)
11:53 AM: HKLM\software\classes\wsg.wsgobj\ (3 subtraces) (ID = 146450)
11:53 AM: HKCR\typelib\{db9a4e78-35df-4a54-b6c5-c5190ceaf949}\ (9 subtraces) (ID = 146539)
11:53 AM: HKCR\wsg.wsgobj\ (3 subtraces) (ID = 146540)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (16 subtraces) (ID = 155047)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ (2 subtraces) (ID = 155049)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\ (5 subtraces) (ID = 155058)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155060)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155062)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ || threadingmodel (ID = 393216)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\progid\ (1 subtraces) (ID = 393217)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\typelib\ (1 subtraces) (ID = 393219)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\version\ (1 subtraces) (ID = 393221)
11:53 AM: Found Trojan Horse: trojan-backdoor-superbgirlz
11:53 AM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {4f141cba-1457-6cca-03a7-7aa21b61ea0f} (ID = 954575)
11:53 AM: Found Trojan Horse: manwithnoname_spamrelayer
11:53 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (4 subtraces) (ID = 1021403)
11:53 AM: Found Trojan Horse: trojan-downloader-hochladen
11:53 AM: HKLM\system\currentcontrolset\services\i386p\ (12 subtraces) (ID = 1021419)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\toolbar\ (28 subtraces) (ID = 146513)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\wintools\ (11 subtraces) (ID = 146514)
11:54 AM: Found Adware: websearch.com hijack
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\toolbar\ (28 subtraces) (ID = 646239)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\wintools\ (11 subtraces) (ID = 646241)
11:54 AM: Found Adware: cashfiesta
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || startmode (ID = 105401)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || autostart (ID = 105402)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || fading (ID = 105403)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || ypos (ID = 105404)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\install\ (1 subtraces) (ID = 105405)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\update\ (ID = 105406)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\ (24 subtraces) (ID = 105407)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows\currentversion\run\ || cashfiesta (ID = 105408)
11:54 AM: Found Adware: coolwebsearch (cws)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\internet explorer\sites\ (139 subtraces) (ID = 109822)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows nt\currentversion\windows\ || run (ID = 1062376)
11:54 AM: Found Trojan Horse: trojan-backdoor-us15info
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows\currentversion\run\ || Shell (ID = 1375273)
11:54 AM: HKU\S-1-5-18\software\toolbar\ (ID = 146513)
11:54 AM: HKU\S-1-5-18\software\toolbar\ (ID = 646239)
11:54 AM: Registry Sweep Complete, Elapsed Time:00:01:08
11:54 AM: Starting Cookie Sweep
11:54 AM: Found Spy Cookie: atwola cookie
11:54 AM: user@ar.atwola[1].txt (ID = 2256)
11:54 AM: Found Spy Cookie: atlas dmt cookie
11:54 AM: user@atdmt[2].txt (ID = 2253)
11:54 AM: user@atwola[1].txt (ID = 2255)
11:54 AM: Found Spy Cookie: did-it cookie
11:54 AM: user@did-it[1].txt (ID = 2523)
11:54 AM: Found Spy Cookie: questionmarket cookie
11:54 AM: user@questionmarket[2].txt (ID = 3217)
11:54 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
11:54 AM: Starting File Sweep
11:54 AM: Found Adware: spediabar
11:54 AM: c:\spedia (178 subtraces) (ID = -2147472333)
11:54 AM: Found Adware: whenu
11:54 AM: c:\documents and settings\user\start menu\programs\whenu (3 subtraces) (ID = -2147480383)
11:54 AM: Found Adware: shopathomeselect
11:54 AM: c:\windows\system32\sahimages (2 subtraces) (ID = -2147480329)
11:54 AM: Found Trojan Horse: komforochka smtp relay
11:54 AM: c:\windows\inet20003 (2 subtraces) (ID = -2147463021)
11:56 AM: setup.exe (ID = 182333)
11:59 AM: Found Adware: spysheriff
11:59 AM: spysheriff.lnk (ID = 143527)
12:00 PM: fpfntdat.bin (ID = 76255)
12:02 PM: gah95on6.ini (ID = 75741)
12:03 PM: spedia.fon (ID = 125522)
12:11 PM: xfrmygaa.exe (ID = 110321)
12:16 PM: Found Adware: dialerfactory
12:16 PM: cdrom1.ico (ID = 58272)
12:17 PM: ictp1uth.exe (ID = 110321)
12:28 PM: xja7fbv6.exe (ID = 110321)
12:34 PM: barres.dat (ID = 76254)
12:34 PM: spedia.exe (ID = 76259)
12:37 PM: spediabar.lnk (ID = 76260)
12:40 PM: 3.00.13.dll (ID = 220754)
12:44 PM: spextdll.dll (ID = 76261)
12:44 PM: Found Adware: netpal
12:44 PM: big fish games.url (ID = 70885)
12:44 PM: flyordie games.url (ID = 70890)
12:44 PM: gamehouse games.url (ID = 70891)
12:44 PM: big fish games.url (ID = 70885)
12:44 PM: flyordie games.url (ID = 70890)
12:44 PM: gamehouse games.url (ID = 70891)
12:44 PM: bln02nqv.ini (ID = 75683)
12:44 PM: 70tovmto.ini (ID = 75621)
12:45 PM: Warning: Unhandled Archive Type
12:52 PM: Warning: Unhandled Archive Type
12:55 PM: Warning: Unhandled Archive Type
12:55 PM: Warning: Invalid Stream
12:55 PM: spediabar.lnk (ID = 76259)
12:55 PM: File Sweep Complete, Elapsed Time: 01:01:21
12:55 PM: Full Sweep has completed. Elapsed time 01:14:36
12:55 PM: Traces Found: 652
12:57 PM: Removal process initiated
12:57 PM: Quarantining All Traces: komforochka smtp relay
12:57 PM: Quarantining All Traces: trojan-backdoor-us15info
12:57 PM: Quarantining All Traces: websearch toolbar
12:57 PM: Quarantining All Traces: coolwebsearch (cws)
12:57 PM: coolwebsearch (cws) is in use. It will be removed on reboot.
12:57 PM: 3.00.13.dll is in use. It will be removed on reboot.
12:57 PM: Quarantining All Traces: manwithnoname_spamrelayer
12:57 PM: Quarantining All Traces: shopathomeselect
12:57 PM: Quarantining All Traces: spediabar
12:57 PM: spediabar is in use. It will be removed on reboot.
12:57 PM: spediabar.lnk is in use. It will be removed on reboot.
12:57 PM: Quarantining All Traces: spysheriff
12:57 PM: Quarantining All Traces: trojan-backdoor-superbgirlz
12:57 PM: Quarantining All Traces: trojan-downloader-hochladen
12:57 PM: Quarantining All Traces: cashfiesta
12:57 PM: Quarantining All Traces: dialerfactory
12:57 PM: Quarantining All Traces: exact cashback/bargain buddy
12:57 PM: Quarantining All Traces: navexcel navhelper
12:57 PM: Quarantining All Traces: netpal
12:57 PM: Quarantining All Traces: websearch.com hijack
12:57 PM: Quarantining All Traces: atlas dmt cookie
12:57 PM: Quarantining All Traces: atwola cookie
12:57 PM: Quarantining All Traces: did-it cookie
12:57 PM: Quarantining All Traces: questionmarket cookie
12:57 PM: Quarantining All Traces: whenu
12:58 PM: Removal process completed. Elapsed time 00:01:07
********
11:39 AM: | Start of Session, Friday, June 16, 2006 |
11:39 AM: Spy Sweeper started
11:40 AM: Your spyware definitions have been updated.
11:41 AM: | End of Session, Friday, June 16, 2006 |

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:00:44 PM, on 6/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127525503187
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92A35924-7A09-4F55-B264-16801DF5784F}: NameServer = 167.206.3.219,167.206.3.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{D53A0F5E-610E-4A19-961E-9F1E998A3F24}: NameServer = 167.206.3.220,167.206.3.219
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

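As an added example (this is not Webroot's code and not part of the thread), the following script reads a Spy Sweeper session log of the shape pasted above and turns the "Found ... / Quarantining All Traces ..." lines into a reconciled summary: which families were reported, which are trojans rather than adware or cookies, which were actually quarantined, and which items are still on disk until the next reboot. The line formats are inferred from that log, and SAMPLE is a constructed excerpt of it in which one family (whenu) is deliberately left without a quarantine line so the reconciliation has something to report.

```python
"""Summarise a Webroot Spy Sweeper session log like the one pasted above.

Added example; this is not Webroot's code and not from the thread. The line
formats are inferred from that session log, and SAMPLE is a constructed excerpt
(one family, whenu, is deliberately left without a quarantine line).
"""
import re
from collections import defaultdict

TS = r"^\d{1,2}:\d{2} [AP]M: "
FOUND_RE = re.compile(TS + r"Found (?P<kind>[^:]+): (?P<name>.+)$")
QUAR_RE = re.compile(TS + r"Quarantining All Traces: (?P<name>.+)$")
REBOOT_RE = re.compile(TS + r"(?P<item>.+) is in use\. It will be removed on reboot\.$")
TRACE_RE = re.compile(TS + r"(?P<trace>.+) \(ID = -?\d+\)$")


def summarise(log: str) -> dict:
    """Group traces under the family they were reported for and reconcile the
    'Found' list against what the removal pass actually quarantined."""
    kinds = {}                   # family -> "Adware" / "Trojan Horse" / "Spy Cookie"
    traces = defaultdict(list)   # family -> registry/file traces listed under it
    quarantined, pending, current = [], [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := FOUND_RE.match(line):
            current = m["name"]
            kinds[current] = m["kind"]
        elif m := QUAR_RE.match(line):
            quarantined.append(m["name"])
        elif m := REBOOT_RE.match(line):
            pending.append(m["item"])        # still on disk until the next boot
        elif (m := TRACE_RE.match(line)) and current:
            traces[current].append(m["trace"])
    return {
        "kinds": kinds,
        "traces": dict(traces),
        "trojans": [n for n, k in kinds.items() if k == "Trojan Horse"],
        "quarantined": quarantined,
        "pending_reboot": pending,
        "found_but_not_quarantined": [n for n in kinds if n not in quarantined],
    }


# Constructed excerpt of the session log above (not the full log).
SAMPLE = r'''
11:53 AM: Starting Registry Sweep
11:53 AM: Found Adware: cashfiesta
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows\currentversion\run\ || cashfiesta (ID = 105408)
11:53 AM: Found Trojan Horse: manwithnoname_spamrelayer
11:53 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (4 subtraces) (ID = 1021403)
11:54 AM: Found Trojan Horse: trojan-backdoor-us15info
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows\currentversion\run\ || Shell (ID = 1375273)
11:54 AM: Starting File Sweep
11:54 AM: Found Adware: whenu
11:54 AM: c:\documents and settings\user\start menu\programs\whenu (3 subtraces) (ID = -2147480383)
11:54 AM: Found Trojan Horse: komforochka smtp relay
11:54 AM: c:\windows\inet20003 (2 subtraces) (ID = -2147463021)
11:54 AM: Found Adware: spediabar
11:54 AM: c:\spedia (178 subtraces) (ID = -2147472333)
12:55 PM: Traces Found: 652
12:57 PM: Removal process initiated
12:57 PM: Quarantining All Traces: komforochka smtp relay
12:57 PM: Quarantining All Traces: trojan-backdoor-us15info
12:57 PM: Quarantining All Traces: manwithnoname_spamrelayer
12:57 PM: Quarantining All Traces: spediabar
12:57 PM: spediabar is in use. It will be removed on reboot.
12:57 PM: Quarantining All Traces: cashfiesta
12:58 PM: Removal process completed. Elapsed time 00:01:07
'''

if __name__ == "__main__":
    s = summarise(SAMPLE)
    print("trojans:", s["trojans"])
    print("pending reboot:", s["pending_reboot"])
    print("found but not quarantined:", s["found_but_not_quarantined"])
    for family, items in s["traces"].items():
        print(f"{family} ({s['kinds'][family]}): {len(items)} trace(s)")
```

The two lists worth acting on are `trojans` (a spam relay and two backdoors mean the box was remotely usable, so passwords typed on it should be treated as exposed) and `pending_reboot` (nothing listed there is gone until the machine has actually been restarted).
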
#4 MFDnSC

    Ret. Director I/T
  • Members
  • 4,310 posts

Posted 16 June 2006 - 12:26 PM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). We'll get them in the next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
===============================

Fix this with HJT – mark it, close IE, click fix checked

O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

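As an added example (not part of the thread, and not HijackThis's own analysis), the heuristics a helper applies by hand when reading the two logs above, written as a small Python triage script. It flags the entries a reader would question: a core Windows binary outside System32 (the F3 win.ini line), a legacy win.ini run= autostart, an O4 item in a user-writable directory or named Shell, an O20 Winlogon Notify hook whose DLL is missing, and an O23 service with no vendor string. It also diffs a before and after log so that what SpySweeper removed, and what it left behind (the ssldr hook the reply above asks to fix), is listed rather than eyeballed. The rule set is my assumption about what matters; the two sample logs are constructed from a handful of lines in posts #1 and #3, not the full logs.

```python
"""Triage a HijackThis 1.99.1 log and diff two logs taken before and after a cleanup.

Added example for this thread; it is not part of HijackThis, SpySweeper or the
posts above. The rules are the heuristics a log reader applies by hand, and the
sample logs at the bottom are constructed from a handful of lines in the posts.
"""
import re
from typing import NamedTuple

# Core Windows binaries; a copy anywhere but System32 is an impostor (the F3 entry above).
CORE_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe")
# Directories a legitimate auto-start item rarely lives in.
USER_WRITABLE = ("\\local settings\\temp\\", "\\desktop\\", "\\temp\\")
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


class Entry(NamedTuple):
    section: str  # "F3", "O4", "O20", ...
    text: str     # everything after "Oxx - "


def parse(log: str) -> list[Entry]:
    """Keep only the Rn/Fn/On lines; the header and process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def findings(e: Entry) -> list[str]:
    """Reasons an entry deserves a second look; an empty list means nothing was flagged."""
    low = e.text.lower()
    hits = []
    for name in CORE_BINARIES:
        for m in re.finditer(re.escape("\\" + name), low):
            directory = low[: m.start() + 1]                       # up to the last backslash
            directory = directory[max(directory.rfind(":\\") - 1, 0):]  # from the drive letter
            if not directory.endswith("\\windows\\system32\\"):
                hits.append(f"{name} outside System32 ({directory}): impostor")
    if e.section.startswith("F") and ("run=" in low or "load=" in low):
        hits.append("win.ini/system.ini autostart is legacy on XP; anything here is suspect")
    if e.section == "O4" and any(d in low for d in USER_WRITABLE):
        hits.append("autostart from a user-writable directory")
    if e.section == "O4" and "[shell]" in low:
        hits.append("Run value named 'Shell' mimics the Winlogon Shell value")
    if e.section == "O20" and "(file missing)" in low:
        hits.append("orphaned Winlogon Notify hook; remove the registry key")
    if e.section == "O23" and "unknown owner" in low:
        hits.append("service without a vendor string; verify the binary")
    return hits


def triage(log: str) -> list[tuple[Entry, list[str]]]:
    """Flagged entries with their reasons, in log order."""
    return [(e, r) for e in parse(log) if (r := findings(e))]


def diff(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(removed, added) between two logs of the same machine."""
    b, a = parse(before), parse(after)
    return [e for e in b if e not in a], [e for e in a if e not in b]


# Constructed samples: a few lines lifted from the two logs in the thread, not the full logs.
BEFORE = r'''
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\user\Desktop\Cashfiesta.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll (file missing)
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
'''
AFTER = r'''
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
'''

if __name__ == "__main__":
    for e, reasons in triage(BEFORE):
        print(f"{e.section}: {e.text}\n    " + "\n    ".join(reasons))
    removed, added = diff(BEFORE, AFTER)
    print("\nremoved by cleanup:", *[f"{e.section} {e.text}" for e in removed], sep="\n  ")
    print("\nstill flagged after cleanup:", *[f"{e.section} {e.text}" for e, _ in triage(AFTER)], sep="\n  ")
```

The diff is the part to keep: the orphaned msctl32.dll hook, the win.ini winlogon.exe and the Run value named Shell disappear between the two logs, while the ssldr hook does not, which is exactly the entry the reply above asks to fix by hand. A "(file missing)" Winlogon Notify entry is not harmless just because the DLL is gone; the key still gets read at every logon, and a later dropper only has to put a file of that name back.
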
#5 abckid24

  • Topic Starter
  • Members
  • 51 posts

Posted 16 June 2006 - 03:03 PM

SmitFraudFix v2.61

Scan done at 16:02:19.79, Fri 06/16/2006
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://photos-016.facebook.com/n6/016/n21803708_30019016_8197.jpg"
"SubscribedURL"="http://photos-016.facebook.com/n6/016/n21803708_30019016_8197.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6 MFDnSC

    Ret. Director I/T
  • Members
  • 4,310 posts

Posted 16 June 2006 - 03:20 PM

Fix this with HJT – mark it, close IE, click fix checked

O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)




How are things now?

#7 abckid24

  • Topic Starter
  • Members
  • 51 posts

Posted 16 June 2006 - 05:19 PM

The PC is overall faster. However, I feel that it still has potential to go even faster. For example, my computer tends to lag when I play computer games, even though the PC requirements are always met. Thanks a lot for the help. And I'd be glad to follow any other ideas you have. :thumbsup:

Edited by abckid24, 16 June 2006 - 05:21 PM.


#8 MFDnSC

    Ret. Director I/T
  • Members
  • 4,310 posts

Posted 16 June 2006 - 05:22 PM

You need to examine the O4 exe's to see which are not needed - for example

realsched.exe

http://www.liutilities.com/products/wintas...rary/realsched/


Maybe this will help

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update; click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
· Click on scanner
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HijackThis log