
Hjt Log


This topic is locked
13 replies to this topic

#1 klucyk

klucyk


Posted 03 December 2006 - 06:18 PM

Here is my log file. I get pop-ups. I run Ad-Aware, Spybot and ewido. Clean what they find and minutes later I get different pop-ups. It cleans one and another moves in!

******************

Logfile of HijackThis v1.99.1
Scan saved at 5:11:08 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Hijack This and Other Good Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164572667109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D38D40E3-2FB3-47FA-8F43-4AD2D3C777AA}: NameServer = 142.161.2.155 142.161.130.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)


#2 Daemon

Daemon

    Security Expert



Posted 03 December 2006 - 07:25 PM

Download and run Silent Runners.vbs from HERE

It generates a log; please post the information back in this thread.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 klucyk

klucyk
  • Topic Starter


Posted 03 December 2006 - 10:47 PM

Thanks for taking the time to look over my log and share your knowledge.

Here's the Silent Runners log:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\gnotify.exe" ["Google Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{183AA0D4-F4C0-4E14-8F07-E89A5F8F3A77}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ttdmpwiv.dll" [null data]
{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gskbyiqt.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{D264F393-E65A-42B3-AED8-9BB29A51B72F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\security\Database\rdvva.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"stera" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> imyddalc\DLLName = "imyddalc.dll" [file not found]
<<!>> lvkrijbl\DLLName = "lvkrijbl.dll" [file not found]
<<!>> mllvnegc\DLLName = "mllvnegc.dll" [file not found]
<<!>> rdvva\DLLName = "C:\WINDOWS\security\Database\rdvva.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Edited by klucyk, 03 December 2006 - 10:50 PM.


#4 Daemon

Daemon

    Security Expert



Posted 04 December 2006 - 02:20 AM

Do this for me. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

#5 klucyk

klucyk
  • Topic Starter


Posted 04 December 2006 - 08:56 AM

As requested:

VundoFix Log:

VundoFix V5.1.4

Checking Java version...

Java version is 1.4.2.3

Scan started at 5:57:26 PM 7/20/2006

Listing files found while scanning....

C:\windows\system32\cbxvstr.dll
C:\WINDOWS\system32\Drivers\DP.sys

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\cbxvstr.dll
C:\windows\system32\cbxvstr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\Drivers\DP.sys
C:\WINDOWS\system32\Drivers\DP.sys Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Scan started at 7:30:05 AM 12/4/2006

Listing files found while scanning....

C:\WINDOWS\security\Database\rdvva.dll
C:\WINDOWS\security\Database\avvdr.ini
C:\WINDOWS\security\Database\avvdr.bak1
C:\WINDOWS\security\Database\avvdr.bak2
C:\WINDOWS\system32\kudnphhp.dll
C:\WINDOWS\system32\arlwihrj.exe
C:\WINDOWS\system32\awhebugg.exe
C:\WINDOWS\system32\dxpjwkgf.exe
C:\WINDOWS\system32\fxdrulkp.exe
C:\WINDOWS\system32\imwxmycd.exe
C:\WINDOWS\system32\kqgphmaj.exe
C:\WINDOWS\system32\orsavsao.exe
C:\WINDOWS\system32\pmualuxl.exe
C:\WINDOWS\system32\qsaxminq.exe
C:\WINDOWS\system32\qvsuhnyc.exe
C:\WINDOWS\system32\snchbfyk.exe
C:\WINDOWS\system32\vsnhjhuo.exe
C:\WINDOWS\system32\ysrolmeq.exe
C:\WINDOWS\security\Database\rdvva.dll
C:\WINDOWS\security\Database\avvdr.ini
C:\WINDOWS\security\Database\avvdr.bak1
C:\WINDOWS\security\Database\avvdr.bak2
C:\WINDOWS\security\Database\avvdr.ini
C:\WINDOWS\security\Database\avvdr.bak1
C:\WINDOWS\security\Database\avvdr.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\security\Database\rdvva.dll
C:\WINDOWS\security\Database\rdvva.dll Has been deleted!

Attempting to delete C:\WINDOWS\security\Database\avvdr.ini
C:\WINDOWS\security\Database\avvdr.ini Has been deleted!

Attempting to delete C:\WINDOWS\security\Database\avvdr.bak1
C:\WINDOWS\security\Database\avvdr.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\security\Database\avvdr.bak2
C:\WINDOWS\security\Database\avvdr.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kudnphhp.dll
C:\WINDOWS\system32\kudnphhp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\arlwihrj.exe
C:\WINDOWS\system32\arlwihrj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awhebugg.exe
C:\WINDOWS\system32\awhebugg.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\dxpjwkgf.exe
C:\WINDOWS\system32\dxpjwkgf.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fxdrulkp.exe
C:\WINDOWS\system32\fxdrulkp.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\imwxmycd.exe
C:\WINDOWS\system32\imwxmycd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\kqgphmaj.exe
C:\WINDOWS\system32\kqgphmaj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\orsavsao.exe
C:\WINDOWS\system32\orsavsao.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmualuxl.exe
C:\WINDOWS\system32\pmualuxl.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qsaxminq.exe
C:\WINDOWS\system32\qsaxminq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\qvsuhnyc.exe
C:\WINDOWS\system32\qvsuhnyc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\snchbfyk.exe
C:\WINDOWS\system32\snchbfyk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vsnhjhuo.exe
C:\WINDOWS\system32\vsnhjhuo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ysrolmeq.exe
C:\WINDOWS\system32\ysrolmeq.exe Has been deleted!

Performing Repairs to the registry.
Done!


***********************************************

HiJackThis Log:

**********************************************

Logfile of HijackThis v1.99.1
Scan saved at 7:49:11 AM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\Hijack This and Other Good Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {183AA0D4-F4C0-4E14-8F07-E89A5F8F3A77} - C:\WINDOWS\system32\ttdmpwiv.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\gskbyiqt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D264F393-E65A-42B3-AED8-9BB29A51B72F} - C:\WINDOWS\security\Database\rdvva.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164572667109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D38D40E3-2FB3-47FA-8F43-4AD2D3C777AA}: NameServer = 142.161.2.155 142.161.130.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: imyddalc - imyddalc.dll (file missing)
O20 - Winlogon Notify: lvkrijbl - lvkrijbl.dll (file missing)
O20 - Winlogon Notify: mllvnegc - mllvnegc.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
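As an added example (not code from this thread, from HijackThis or from VundoFix), here is a small Python triage pass over the kind of entries Daemon is chasing in the log above: unnamed O2 BHOs loading random 8-letter DLLs from system32, O20 Winlogon Notify hooks whose DLLs are already gone, and O23 services with missing or malformed paths. The sample lines are copied from the HijackThis log in this post; the eight-lowercase-letter "random name" rule is an assumption of the example and would need a known-good list in real use.

```python
import re

# Sample entries copied from the second HijackThis log in this post (the rest
# of that log is omitted to keep the sample short).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {183AA0D4-F4C0-4E14-8F07-E89A5F8F3A77} - C:\WINDOWS\system32\ttdmpwiv.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\gskbyiqt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D264F393-E65A-42B3-AED8-9BB29A51B72F} - C:\WINDOWS\security\Database\rdvva.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: imyddalc - imyddalc.dll (file missing)
O20 - Winlogon Notify: lvkrijbl - lvkrijbl.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
"""

# A HijackThis entry is "<section> - <fields separated by ' - '>".
ENTRY = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
FILE_MISSING = "(file missing)"
# Heuristic assumed by this example: the droppers in this thread use eight
# random lowercase letters (ttdmpwiv, gskbyiqt, imyddalc, ...). A real triage
# tool pairs this with a known-good list, because some legitimate DLLs
# (igfxsrvc.dll, for one) have exactly the same shape.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def split_entry(line):
    """Return (section, fields) for a HijackThis line, or None for other text."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    return section, body.split(" - ")


def path_of(fields):
    """Last field of an entry, with the '(file missing)' tag stripped off."""
    last = fields[-1]
    missing = last.endswith(FILE_MISSING)
    if missing:
        last = last[: -len(FILE_MISSING)].rstrip()
    return last, missing


def stem_of(path):
    """Bare file name without directory or extension (ttdmpwiv.dll -> ttdmpwiv)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def is_random_name(stem):
    return bool(RANDOM_STEM.match(stem))


def triage(log_text):
    """Scan O2/O20/O23 entries and return one finding per rule that fires."""
    findings = []
    for raw in log_text.splitlines():
        parsed = split_entry(raw)
        if parsed is None:
            continue
        section, fields = parsed
        path, missing = path_of(fields)
        reasons = []
        if section == "O2":
            bho_name = fields[0][len("BHO: "):]
            if missing:
                reasons.append(("review", "BHO registered for a DLL that no longer exists"))
            if bho_name == "(no name)" and is_random_name(stem_of(path)):
                reasons.append(("suspicious", "unnamed BHO loading a random-looking 8-letter DLL"))
        elif section == "O20":
            if missing:
                reasons.append(("review", "Winlogon Notify DLL missing (orphaned hook)"))
            if "\\" not in path and is_random_name(stem_of(path)):
                reasons.append(("suspicious", "Winlogon Notify hook with random-looking name and no path"))
        elif section == "O23":
            if missing:
                reasons.append(("review", "service binary reported missing"))
            if path.count(":\\") > 1:
                reasons.append(("review", "service path repeats the drive prefix; check the registry value by hand"))
        for severity, reason in reasons:
            findings.append({"section": section, "severity": severity,
                             "path": path, "reason": reason, "line": raw.strip()})
    return findings


def flagged_paths(log_text):
    """Distinct file paths that at least one rule flagged."""
    return sorted({f["path"] for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>10}] {f['section']:<3} {f['path']}: {f['reason']}")
```

Entries from legitimate software on the same log (Adobe's BHO, Spybot's SDHelper.dll, Intel's igfxsrvc.dll) pass through untouched, which is the property a triage rule has to keep before it is worth running on someone else's log.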


#6 Daemon

Daemon

    Security Expert



Posted 04 December 2006 - 02:48 PM

Hmm.. do this for me. Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#7 klucyk

klucyk
  • Topic Starter


Posted 04 December 2006 - 08:29 PM

Thank you again, you're a big help!

Here is the SUPERAntiSpyware scan:

SUPERAntiSpyware Scan Log
Generated 12/04/2006 at 06:51 PM

Application Version : 3.3.1020

Core Rules Database Version : 3141
Trace Rules Database Version: 1157

Scan type : Complete Scan
Total Scan Time : 00:21:05

Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 5149
Registry threats detected : 47
File items scanned : 24224
File threats detected : 209

Trojan.Downloader-WNA
HKLM\Software\Classes\CLSID\{013A653B-49A6-4f76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VRVQVOGI.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@oddcast[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjlisgdpogq.stats.esomniture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stat.dealtime[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjkyagdpkap.stats.esomniture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mb[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@kanoodle[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6whl4qjdzsko.stats.esomniture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wfliaidzsfq.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@nextag[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@html[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.burstnet[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.clickxchange[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@epilot[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.mlclick[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wfkoujdpeho.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wflyohd5ifo.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wfkoomcjseq.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wgmyonczwbo.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@webstat[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@reunioncom.112.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjlioocpilp.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wgmyklajmbp.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@drivecleaner[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjkowndjkep.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wfkiugazacp.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@91338698[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@partygaming.122.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@data2.perf.overture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.winantiviruspro[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjliwpcziko.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wglikgcpkbp.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ticketsnow[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaservices.myspace[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjlicodjolo.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@sonycorporate.122.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@realmedia[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@goclick[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@banners.nbcupromotes[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@S144915[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@30297[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stat.www[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@creative.clicksor[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@theadvertiser[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.monster[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@upspiral[3].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.precisioncounter[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wfkoencpsko.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6whmywpdjadp.stats.esomniture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@m[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wflysiczchp.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.hotels[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@vitecmedia[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@37763871[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.belointeractive[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.upspiral[3].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjny-1sdjgk.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.admedian[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@stats.drivecleaner[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@wpni.112.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bizrate[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adultadworld[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@counter.inkfrog[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adserver.midrange[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adknowledge[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnservices.112.2o7[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adinterax[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjkogncjgko.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adcentriconline[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@data3.perf.overture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mb[4].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjkyepdpefp.stats.esomniture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.funpic[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.realtechnetwork[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@1072738140[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@dealtime[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6whlywiazakp.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@cgi-bin[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mb[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@upspiral[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wjliemc5odo.stats.esomniture[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.searchadnetwork[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.1001skins[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adlegend[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@searchadnetwork[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@1070593416[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@e-2dj6wflislazeeq.stats.esomniture[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@counter.auctionworks[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www.precisioncounter[2].txt

Unclassified.Unknown Origin
HKCR\CLSID\{013A653B-49A6-4F76-8B68-E4875EA6BA54}
HKCR\CLSID\{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}
HKCR\CLSID\{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}\InprocServer32
HKCR\CLSID\{1DAEFCB9-06C8-47C6-8F20-3FB54B244DAA}\InprocServer32#ThreadingModel
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32
HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32#ThreadingModel
HKCR\CLSID\{F18F04B0-9CF1-4B93-B004-77A288BEE28B}
HKCR\CLSID\{F18F04B0-9CF1-4B93-B004-77A288BEE28B}\InprocServer32
HKCR\CLSID\{F18F04B0-9CF1-4B93-B004-77A288BEE28B}\InprocServer32#ThreadingModel

Trojan.WinAntiSpyware/WinAntiVirus 2006
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000#DeviceDesc
C:\WINDOWS\system32\av.cpl

Trojan.Downloader-SpyTool
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\OWHBLABL.DLL
C:\WINDOWS\SYSTEM32\NRHRRUGR.DLL
C:\WINDOWS\SYSTEM32\WYKFBVPV.DLL

Adware.VSToolbar
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMP\TEMP.FR9625\VSADD-IN.DLL

Malware.DriveCleaner
C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CXKLUJ0L\INSTALLDRIVECLEANERSTART[1].EXE

Trojan.Downloader-VSToolbar
C:\VUNDOFIX BACKUPS\ARLWIHRJ.EXE.BAD
C:\VUNDOFIX BACKUPS\FXDRULKP.EXE.BAD
C:\VUNDOFIX BACKUPS\IMWXMYCD.EXE.BAD
C:\VUNDOFIX BACKUPS\ORSAVSAO.EXE.BAD
C:\VUNDOFIX BACKUPS\PMUALUXL.EXE.BAD
C:\VUNDOFIX BACKUPS\QSAXMINQ.EXE.BAD
C:\VUNDOFIX BACKUPS\QVSUHNYC.EXE.BAD
C:\VUNDOFIX BACKUPS\SNCHBFYK.EXE.BAD

Trojan.Smitfraud Variant
C:\VUNDOFIX BACKUPS\AWHEBUGG.EXE.BAD
C:\VUNDOFIX BACKUPS\DXPJWKGF.EXE.BAD
C:\VUNDOFIX BACKUPS\KQGPHMAJ.EXE.BAD
C:\VUNDOFIX BACKUPS\VSNHJHUO.EXE.BAD
C:\VUNDOFIX BACKUPS\YSROLMEQ.EXE.BAD

Trojan.Downloader-DoWork
C:\VUNDOFIX BACKUPS\KUDNPHHP.DLL.BAD

Trojan.Downloader-PATDUM
C:\VUNDOFIX BACKUPS\RDVVA.DLL.BAD

Trojan.SysProtect
C:\WINDOWS\DOWNLOADED PROGRAM FILES\USYP_0002_N91M0908NETINSTALLER.EXE

Trojan.Downloader-Crew
C:\WINDOWS\SYSTEM32\VQDOAIWT.DLL


*********************

HiJackThis Log

*********************


Logfile of HijackThis v1.99.1
Scan saved at 7:25:19 PM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\Hijack This and Other Good Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {183AA0D4-F4C0-4E14-8F07-E89A5F8F3A77} - C:\WINDOWS\system32\ttdmpwiv.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D264F393-E65A-42B3-AED8-9BB29A51B72F} - C:\WINDOWS\security\Database\rdvva.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164572667109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D38D40E3-2FB3-47FA-8F43-4AD2D3C777AA}: NameServer = 142.161.2.155 142.161.130.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: imyddalc - imyddalc.dll (file missing)
O20 - Winlogon Notify: lvkrijbl - lvkrijbl.dll (file missing)
O20 - Winlogon Notify: mllvnegc - mllvnegc.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)



#8 Daemon

    Security Expert

  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 December 2006 - 02:03 AM

Little bit more to do. Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: (no name) - {183AA0D4-F4C0-4E14-8F07-E89A5F8F3A77} - C:\WINDOWS\system32\ttdmpwiv.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: (no name) - {D264F393-E65A-42B3-AED8-9BB29A51B72F} - C:\WINDOWS\security\Database\rdvva.dll (file missing)
O20 - Winlogon Notify: imyddalc - imyddalc.dll (file missing)
O20 - Winlogon Notify: lvkrijbl - lvkrijbl.dll (file missing)
O20 - Winlogon Notify: mllvnegc - mllvnegc.dll (file missing)


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#9 klucyk
  • Topic Starter

  • Members
  • 10 posts

Posted 05 December 2006 - 09:13 AM

Below is the latest scan. Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 8:08:50 AM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Hijack This and Other Good Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164572667109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)



#10 Daemon

    Security Expert

  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 05 December 2006 - 03:02 PM

Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "Security Center". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Reboot, post a final HJT log and let me know how it's running now.
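The entries the helper singled out in post #8 (BHOs and Winlogon Notify hooks marked "(file missing)" or "(no file)", an unnamed BHO loading a randomly named DLL) and the Security Center service line from post #10 can be triaged mechanically. The script below is an added example written for this page; it is not code from HijackThis, from the helper, or from the original thread. It parses O2, O20 and O23 lines in the HijackThis 1.99.1 format shown above and applies those rules. KNOWN_GOOD is an assumed allowlist for this sample (a real tool would hash the file and check its signature instead), and the "eight lowercase letters" test for random names is a heuristic, not a definition. The sample lines are taken verbatim from the 12/4/2006 log posted above.

```python
"""Triage O2 / O20 / O23 lines from a HijackThis 1.99.x log.

Added example for this thread; it is not code from HijackThis or from the
helper. It re-implements as rules the judgement calls made above: hooks whose
DLL is missing, unnamed BHOs loading randomly named DLLs, and a service whose
registered path cannot be real. KNOWN_GOOD is an assumed allowlist for this
sample only; a real tool would hash and signature-check the file instead.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed allowlist (lower-case file stems). Needed because a plain
# "8 lowercase letters" test would also flag SDHelper.dll and igfxsrvc.dll.
KNOWN_GOOD = {"acroiehelper", "sdhelper", "saswinlo", "igfxsrvc"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING_RE = re.compile(r"\((file missing|no file)\)", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")  # Vundo-style names such as ttdmpwiv.dll


@dataclass(frozen=True)
class Finding:
    section: str  # "O2", "O20" or "O23"
    item: str     # CLSID, Winlogon Notify subkey, or service short name
    reason: str


def file_missing(path: str) -> bool:
    """HJT marks a dead reference with '(file missing)' or '(no file)'."""
    return MISSING_RE.search(path) is not None


def module_stem(path: str) -> str:
    r"""'C:\WINDOWS\system32\ttdmpwiv.dll (file missing)' -> 'ttdmpwiv'."""
    clean = MISSING_RE.sub("", path).strip().strip('"')
    base = clean.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def looks_random(stem: str) -> bool:
    """Eight pseudo-random lowercase letters and not on the allowlist."""
    return bool(RANDOM_STEM_RE.match(stem)) and stem not in KNOWN_GOOD


def path_is_malformed(path: str) -> bool:
    """A drive prefix appearing more than once means this is not a real path."""
    return len(re.findall(r"[A-Za-z]:\\", path)) > 1


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if m := O2_RE.match(line):
            path, stem = m["path"], module_stem(m["path"])
            if file_missing(path):
                findings.append(Finding("O2", m["clsid"], "BHO registered but its DLL is gone: dead hook, fix it"))
            elif m["name"] == "(no name)" and looks_random(stem):
                findings.append(Finding("O2", m["clsid"], f"unnamed BHO loads randomly named {stem}.dll: treat as malicious until identified"))
        elif m := O20_RE.match(line):
            path, stem = m["path"], module_stem(m["path"])
            if file_missing(path):
                findings.append(Finding("O20", m["name"], "Winlogon Notify subkey points at a missing DLL: remove the subkey"))
            elif looks_random(stem):
                findings.append(Finding("O20", m["name"], f"Winlogon Notify loads randomly named {stem}.dll: investigate"))
        elif m := O23_RE.match(line):
            short = re.search(r"\(([^)]+)\)\s*$", m["display"])
            name = short.group(1) if short else m["display"]
            if path_is_malformed(m["path"]):
                # On XP SP2 wscsvc is the stock Security Center, hosted by
                # svchost.exe -k netsvcs. A path with the drive repeated cannot be
                # what the service control manager actually runs, so compare this
                # line with the ImagePath value under
                # HKLM\SYSTEM\CurrentControlSet\Services\<name> before disabling it.
                findings.append(Finding("O23", name, "service path repeats the drive prefix: HJT could not resolve ImagePath, verify it in the registry before acting"))
            elif file_missing(m["path"]):
                findings.append(Finding("O23", name, "service binary is missing: orphaned service entry"))
    return findings


# Lines taken verbatim from the 12/4/2006 log posted above (not constructed).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {183AA0D4-F4C0-4E14-8F07-E89A5F8F3A77} - C:\WINDOWS\system32\ttdmpwiv.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D264F393-E65A-42B3-AED8-9BB29A51B72F} - C:\WINDOWS\security\Database\rdvva.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: imyddalc - imyddalc.dll (file missing)
O20 - Winlogon Notify: lvkrijbl - lvkrijbl.dll (file missing)
O20 - Winlogon Notify: mllvnegc - mllvnegc.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section:<4}{f.item:<40}{f.reason}")
```

Run against the sample, it reports exactly the six entries the helper asked to have fixed plus the wscsvc line, and stays quiet on Adobe, Spybot, SUPERAntiSpyware and the Intel graphics hook. The allowlist is what keeps SDHelper.dll (also eight lowercase letters) out of the results, which is the same reason a human analyst checks a name against a known-good list rather than trusting the "looks random" impression alone; and the O23 rule deliberately says "verify" rather than "remove", because the doubled drive prefix proves only that the line is not a usable path, not what is in the registry.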

#11 klucyk
  • Topic Starter

  • Members
  • 10 posts

Posted 05 December 2006 - 07:34 PM

Hi,

I did what you asked. It was already stopped. I disabled it as well. Here's the latest HJT log.

The computer seems to be running fine, but it could be too early to tell.


Logfile of HijackThis v1.99.1
Scan saved at 6:27:26 PM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Hijack This and Other Good Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164572667109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe



#12 Daemon

    Security Expert

  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 06 December 2006 - 01:53 AM

That looks good - is it still running OK?

#13 klucyk
  • Topic Starter

  • Members
  • 10 posts

Posted 06 December 2006 - 08:20 AM

So far so good. Thanks.

#14 Daemon

    Security Expert

  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 06 December 2006 - 02:52 PM

You're welcome - glad to help :thumbsup:

To help keep you clean, follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.



