Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fresh Hijackthis Log


  • Please log in to reply
7 replies to this topic

#1 abckid24

abckid24

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 01:38 AM

Hey. I've noticed my system has been acting up recently.. so I decided to run HijackThis. Any help would be great!

Logfile of HijackThis v1.99.1
Scan saved at 2:25:30 AM, on 6/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\user\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CashFiesta] C:\Documents and Settings\user\Desktop\Cashfiesta.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127525503187
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92A35924-7A09-4F55-B264-16801DF5784F}: NameServer = 167.206.3.219,167.206.3.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{D53A0F5E-610E-4A19-961E-9F1E998A3F24}: NameServer = 167.206.3.220,167.206.3.219
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll (file missing)
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 09:34 AM

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 abckid24

abckid24
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 12:00 PM

Hey, thanks for the help!

SpySweeper Log:
********
11:41 AM: | Start of Session, Friday, June 16, 2006 |
11:41 AM: Spy Sweeper started
11:41 AM: Sweep initiated using definitions version 700
11:41 AM: Starting Memory Sweep
11:53 AM: Memory Sweep Complete, Elapsed Time: 00:11:56
11:53 AM: Starting Registry Sweep
11:53 AM: Found Adware: exact cashback/bargain buddy
11:53 AM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\bargain buddy\ (2 subtraces) (ID = 104023)
11:53 AM: Found Adware: navexcel navhelper
11:53 AM: HKCR\appid\nhelper.dll\ (1 subtraces) (ID = 135511)
11:53 AM: HKLM\software\classes\appid\nhelper.dll\ (1 subtraces) (ID = 135525)
11:53 AM: Found Adware: websearch toolbar
11:53 AM: HKCR\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (16 subtraces) (ID = 146339)
11:53 AM: HKCR\clsid\{cabcf5e7-0c79-4f1c-909d-b9cf68fed746}\ (10 subtraces) (ID = 146342)
11:53 AM: HKCR\clsid\{fb45c451-b0e9-4407-bb6a-9361013f3e9a}\ (9 subtraces) (ID = 146347)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (16 subtraces) (ID = 146402)
11:53 AM: HKLM\software\classes\clsid\{cabcf5e7-0c79-4f1c-909d-b9cf68fed746}\ (10 subtraces) (ID = 146405)
11:53 AM: HKLM\software\classes\clsid\{fb45c451-b0e9-4407-bb6a-9361013f3e9a}\ (9 subtraces) (ID = 146410)
11:53 AM: HKLM\software\classes\typelib\{db9a4e78-35df-4a54-b6c5-c5190ceaf949}\ (9 subtraces) (ID = 146449)
11:53 AM: HKLM\software\classes\wsg.wsgobj\ (3 subtraces) (ID = 146450)
11:53 AM: HKCR\typelib\{db9a4e78-35df-4a54-b6c5-c5190ceaf949}\ (9 subtraces) (ID = 146539)
11:53 AM: HKCR\wsg.wsgobj\ (3 subtraces) (ID = 146540)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\ (16 subtraces) (ID = 155047)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ (2 subtraces) (ID = 155049)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\ (5 subtraces) (ID = 155058)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155060)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\implemented categories\{7dd95802-9882-11cf-9fa9-00aa006c42c4}\ (1 subtraces) (ID = 155062)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\localserver32\ || threadingmodel (ID = 393216)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\progid\ (1 subtraces) (ID = 393217)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\typelib\ (1 subtraces) (ID = 393219)
11:53 AM: HKLM\software\classes\clsid\{af8b3c81-cd19-45fb-b6be-160d27711de8}\version\ (1 subtraces) (ID = 393221)
11:53 AM: Found Trojan Horse: trojan-backdoor-superbgirlz
11:53 AM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {4f141cba-1457-6cca-03a7-7aa21b61ea0f} (ID = 954575)
11:53 AM: Found Trojan Horse: manwithnoname_spamrelayer
11:53 AM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\msctl32.dll\ (4 subtraces) (ID = 1021403)
11:53 AM: Found Trojan Horse: trojan-downloader-hochladen
11:53 AM: HKLM\system\currentcontrolset\services\i386p\ (12 subtraces) (ID = 1021419)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146464)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\toolbar\ (28 subtraces) (ID = 146513)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\wintools\ (11 subtraces) (ID = 146514)
11:54 AM: Found Adware: websearch.com hijack
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\main\ || search bar (ID = 146561)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 392934)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\toolbar\ (28 subtraces) (ID = 646239)
11:54 AM: HKU\WRSS_Profile_S-1-5-21-606747145-1682526488-725345543-1006\software\wintools\ (11 subtraces) (ID = 646241)
11:54 AM: Found Adware: cashfiesta
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || startmode (ID = 105401)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || autostart (ID = 105402)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || fading (ID = 105403)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\config\ || ypos (ID = 105404)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\install\ (1 subtraces) (ID = 105405)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\cashfiesta\update\ (ID = 105406)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\cashfiesta\ (24 subtraces) (ID = 105407)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows\currentversion\run\ || cashfiesta (ID = 105408)
11:54 AM: Found Adware: coolwebsearch (cws)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\internet explorer\sites\ (139 subtraces) (ID = 109822)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\internet explorer\toolbar\shellbrowser\ || {339bb23f-a864-48c0-a59f-29ea915965ec} (ID = 146462)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\classes\clsid\{4f141cba-1457-6cca-03a7-7aa21b61ea0f}\ (3 subtraces) (ID = 954563)
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows nt\currentversion\windows\ || run (ID = 1062376)
11:54 AM: Found Trojan Horse: trojan-backdoor-us15info
11:54 AM: HKU\S-1-5-21-606747145-1682526488-725345543-1004\software\microsoft\windows\currentversion\run\ || Shell (ID = 1375273)
11:54 AM: HKU\S-1-5-18\software\toolbar\ (ID = 146513)
11:54 AM: HKU\S-1-5-18\software\toolbar\ (ID = 646239)
11:54 AM: Registry Sweep Complete, Elapsed Time:00:01:08
11:54 AM: Starting Cookie Sweep
11:54 AM: Found Spy Cookie: atwola cookie
11:54 AM: user@ar.atwola[1].txt (ID = 2256)
11:54 AM: Found Spy Cookie: atlas dmt cookie
11:54 AM: user@atdmt[2].txt (ID = 2253)
11:54 AM: user@atwola[1].txt (ID = 2255)
11:54 AM: Found Spy Cookie: did-it cookie
11:54 AM: user@did-it[1].txt (ID = 2523)
11:54 AM: Found Spy Cookie: questionmarket cookie
11:54 AM: user@questionmarket[2].txt (ID = 3217)
11:54 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
11:54 AM: Starting File Sweep
11:54 AM: Found Adware: spediabar
11:54 AM: c:\spedia (178 subtraces) (ID = -2147472333)
11:54 AM: Found Adware: whenu
11:54 AM: c:\documents and settings\user\start menu\programs\whenu (3 subtraces) (ID = -2147480383)
11:54 AM: Found Adware: shopathomeselect
11:54 AM: c:\windows\system32\sahimages (2 subtraces) (ID = -2147480329)
11:54 AM: Found Trojan Horse: komforochka smtp relay
11:54 AM: c:\windows\inet20003 (2 subtraces) (ID = -2147463021)
11:56 AM: setup.exe (ID = 182333)
11:59 AM: Found Adware: spysheriff
11:59 AM: spysheriff.lnk (ID = 143527)
12:00 PM: fpfntdat.bin (ID = 76255)
12:02 PM: gah95on6.ini (ID = 75741)
12:03 PM: spedia.fon (ID = 125522)
12:11 PM: xfrmygaa.exe (ID = 110321)
12:16 PM: Found Adware: dialerfactory
12:16 PM: cdrom1.ico (ID = 58272)
12:17 PM: ictp1uth.exe (ID = 110321)
12:28 PM: xja7fbv6.exe (ID = 110321)
12:34 PM: barres.dat (ID = 76254)
12:34 PM: spedia.exe (ID = 76259)
12:37 PM: spediabar.lnk (ID = 76260)
12:40 PM: 3.00.13.dll (ID = 220754)
12:44 PM: spextdll.dll (ID = 76261)
12:44 PM: Found Adware: netpal
12:44 PM: big fish games.url (ID = 70885)
12:44 PM: flyordie games.url (ID = 70890)
12:44 PM: gamehouse games.url (ID = 70891)
12:44 PM: big fish games.url (ID = 70885)
12:44 PM: flyordie games.url (ID = 70890)
12:44 PM: gamehouse games.url (ID = 70891)
12:44 PM: bln02nqv.ini (ID = 75683)
12:44 PM: 70tovmto.ini (ID = 75621)
12:45 PM: Warning: Unhandled Archive Type
12:52 PM: Warning: Unhandled Archive Type
12:55 PM: Warning: Unhandled Archive Type
12:55 PM: Warning: Invalid Stream
12:55 PM: spediabar.lnk (ID = 76259)
12:55 PM: File Sweep Complete, Elapsed Time: 01:01:21
12:55 PM: Full Sweep has completed. Elapsed time 01:14:36
12:55 PM: Traces Found: 652
12:57 PM: Removal process initiated
12:57 PM: Quarantining All Traces: komforochka smtp relay
12:57 PM: Quarantining All Traces: trojan-backdoor-us15info
12:57 PM: Quarantining All Traces: websearch toolbar
12:57 PM: Quarantining All Traces: coolwebsearch (cws)
12:57 PM: coolwebsearch (cws) is in use. It will be removed on reboot.
12:57 PM: 3.00.13.dll is in use. It will be removed on reboot.
12:57 PM: Quarantining All Traces: manwithnoname_spamrelayer
12:57 PM: Quarantining All Traces: shopathomeselect
12:57 PM: Quarantining All Traces: spediabar
12:57 PM: spediabar is in use. It will be removed on reboot.
12:57 PM: spediabar.lnk is in use. It will be removed on reboot.
12:57 PM: Quarantining All Traces: spysheriff
12:57 PM: Quarantining All Traces: trojan-backdoor-superbgirlz
12:57 PM: Quarantining All Traces: trojan-downloader-hochladen
12:57 PM: Quarantining All Traces: cashfiesta
12:57 PM: Quarantining All Traces: dialerfactory
12:57 PM: Quarantining All Traces: exact cashback/bargain buddy
12:57 PM: Quarantining All Traces: navexcel navhelper
12:57 PM: Quarantining All Traces: netpal
12:57 PM: Quarantining All Traces: websearch.com hijack
12:57 PM: Quarantining All Traces: atlas dmt cookie
12:57 PM: Quarantining All Traces: atwola cookie
12:57 PM: Quarantining All Traces: did-it cookie
12:57 PM: Quarantining All Traces: questionmarket cookie
12:57 PM: Quarantining All Traces: whenu
12:58 PM: Removal process completed. Elapsed time 00:01:07
********
11:39 AM: | Start of Session, Friday, June 16, 2006 |
11:39 AM: Spy Sweeper started
11:40 AM: Your spyware definitions have been updated.
11:41 AM: | End of Session, Friday, June 16, 2006 |

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:00:44 PM, on 6/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aimtoday.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\Program Files\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127525503187
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92A35924-7A09-4F55-B264-16801DF5784F}: NameServer = 167.206.3.219,167.206.3.154
O17 - HKLM\System\CCS\Services\Tcpip\..\{D53A0F5E-610E-4A19-961E-9F1E998A3F24}: NameServer = 167.206.3.220,167.206.3.219
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 12:26 PM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Well get them next step.
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
===============================

Fix this with HJT mark it, close IE, click fix checked

O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 abckid24

abckid24
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 03:03 PM

SmitFraudFix v2.61

Scan done at 16:02:19.79, Fri 06/16/2006
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\user\Application Data


Start Menu


C:\DOCUME~1\user\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://photos-016.facebook.com/n6/016/n21803708_30019016_8197.jpg"
"SubscribedURL"="http://photos-016.facebook.com/n6/016/n21803708_30019016_8197.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 03:20 PM

Fix this with HJT mark it close IE, click fix checked

O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)




How ar things now???
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 abckid24

abckid24
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 05:19 PM

The PC is overall faster. However, I feel that it still has potential to go even faster. For example, my computer tends to lag when I play computer games.. even though the PC requirements are always met. Thanks alot for the help. And I'd be glad to follow any other ideas you have. :thumbsup:

Edited by abckid24, 16 June 2006 - 05:21 PM.


#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:10:21 AM

Posted 16 June 2006 - 05:22 PM

You ned to examine the O4 exe's to see which are not needed - as example

realsched.exe

http://www.liutilities.com/products/wintas...rary/realsched/


Maybe this will help

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users