Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Uhh Ohh


  • Please log in to reply
10 replies to this topic

#1 lostneedhelp

lostneedhelp

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 05 February 2007 - 08:53 PM

Okay so I came home for my brother to tell me that aVast had found a virus. I ran scan after scn but my computer still seems slow and it shuts down during scans. My desktop hasn't shown up in months because of a virus scan I ran a long time ago and it took it away and now it is back. So here is my HJT log that I just ran. Hope someone out there can help me out in some way. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:08 PM, on 2/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\X3DCTL.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H3DCTL] C:\WINDOWS\System32\X3DCTL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 06 February 2007 - 11:17 AM

Hi, I would like to take a look at this log for you
and will get back you you as soon as I can.

Thank You.

#3 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 06 February 2007 - 01:43 PM

Thanks! =)

edit...

New update. As of right now the computer shuts down whenever it wants to. Most of the time it is after I have signed on to my AOL or have been on the internet for more than 10 minutes. Thought you should know.

Edited by lostneedhelp, 06 February 2007 - 03:41 PM.


#4 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 07 February 2007 - 10:26 AM

lostneedhelp :thumbsup:

Copy and Paste this post into a new text document

Please Download the latest SmitfraudFix by S!Ri from either of these mirrors to your desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
http://siri.geekstogo.com/SmitfraudFix.zip

Right click SmitfraudFix.zip and Extract (unzip) the SmitfraudFix folder inside to your desktop.

Please Reboot your System into Safe Mode
Shut down your system, then Restart your computer as soon as it starts booting up again continuously tap F8. from the menu select the option to enter Safe Mode

open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Re-scan with HijackThis and post

1/ The new HJT log
2/ The C:\rapport.txt

Thank you.

#5 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 February 2007 - 01:22 PM

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:49 PM, on 2/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\X3DCTL.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H3DCTL] C:\WINDOWS\System32\X3DCTL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

rapport:

SmitFraudFix v2.81

Scan done at 13:14:08.79, Wed 02/07/2007
Run from C:\Documents and Settings\Mom\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\kernels64.exe Deleted
C:\WINDOWS\system32\msvol.tlb Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\vxgamet?.exe Deleted
C:\WINDOWS\system32\vxh8jkdq?.exe Deleted
C:\WINDOWS\system32\winmuse.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 07 February 2007 - 05:17 PM

lostneedhelp :thumbsup:

Copy and Paste this post into a new text document

Step 1

Like to recommend Uninstall both 'Microsoft AntiSpyware' and 'ewido anti-spyware' from your system as these are now a little outdated
Go to Start | Control Panel | Add/Remove Programs to Uninstall them


I would also like to ask for information about your Firewall and Anti-Virus software you are using to protect your system
As I can see entries for Trend Micro Internet Security 2005, avast!, Symantec
and we need to ensure you use just One Anti-Virus and One Software Firewall installed and running


Can you please Scan with HijackThis again and place a checkmark in the boxes before the following entries:

O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: ASGP32.ASGP - {FA5B9933-1AE8-4A8D-9822-B20A6CA2B5EC} - C:\WINDOWS\System32\asgp32.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - AppInit_DLLs:

Close any Explorer windows which may be open and click the "Fix Checked" button.


Double-click on My Computer, Double-click on Local Disk
and navigate to then Right Click on and Delete these Bold entries

C:\WINDOWS\System32\asgp32.dll


Step 2

Like to recommend that you Download AVG Anti-Spyware 7.5
this is the newer version of the ewido anti-spyware software

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Now Update AVG Anti-Spyware 7.5
click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close AVG AS.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!

Please Reboot your System into Safe Mode Shut down your system, then Restart your computer
as soon as it starts booting up again continuously tap F8 from the menu select the option to enter Safe Mode

Reopen AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the AVG Report-Scan.txt to your desktop.
Then Reboot back into Normal Mode

Please Re-Scan with Hijack This and post

1/ The new HijackThis log
2/ The AVG Anti-Spyware 7.5 Report-Scan.txt
3/ & Information on your Anti-virus & Firewall

Thank you.

#7 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 07 February 2007 - 08:37 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:26:17 PM 2/7/2007

+ Scan result:



C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Messenger\ypager.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP282\A0087498.rbf -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP282\A0087593.rbf -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hphmon05.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\WINDOWS\system\hpsysdrv.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\umeofzob.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wincom32.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\WINDOWS\system32\YadioStubInstaller.exe -> Dropper.Agent.hz : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\intr32.dll -> Trojan.AntiSpySoldier.a : Cleaned with backup (quarantined).
C:\WINDOWS\IA\KE.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msmapi32.exe -> Trojan.VB.atw : Cleaned with backup (quarantined).


::Report end


This came up while I was tryin to check those on the HJT:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


Logfile of HijackThis v1.99.1
Scan saved at 8:34:12 PM, on 2/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\X3DCTL.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H3DCTL] C:\WINDOWS\System32\X3DCTL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


And as of right now our main virus protection is Avast! We started out with Trend Micro but we didn't like it very well so we let it run out. I think the Symantec was a trial we got when we bought the computer a year ago. Hope that helps. =)

#8 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 09 February 2007 - 10:29 AM

lostneedhelp :thumbsup:

Copy and Paste this post into a new text document

Step 1

Go to Start | Control Panel | Add/Remove Programs
If listed Uninstall anything related to Trend Micro & Symantec

Click on: Start > Run and type in: services.msc Click OK
In the Services window find:

SymWMI Service

Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

Scan with HijackThis again and place a checkmark in the boxes before the following entries:

O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Close any Explorer windows which may be open and click the "Fix Checked" button.


Please Hold Down The Windows Key + E to Open Windows Explorer,
Navigate to then Right Click on and Delete these Bold folder

C:\Program Files\Common Files\Symantec Shared


Step 2

I would like to recommend that you install a Software Firewall please choose One of these good free firewalls below to fully protect your system
anyone of these will give you Full control over everything that requests Internet access

ZoneAlarm
Kerio Personal Firewall
OutPost Firewall Free
Sygate Personal Firewall


Step 3

Please now Download FindAWF

Save to desktop and run. Output is to awf.txt

If a DOS window does not stay open throughout the search (approx a minute) you need to change how the program runs. Heres how:


1. Locate the file
2. Right-click and select Properties
3. Select Compatibility and select Run this program in compatibility mode for: Windows 98/Windows ME and click OK.
4. The tool should now work.


------------------------

Re-scan with HijackThis and post

1/ The new HijackThis log.
2/ The awf.txt log

Thank you.

#9 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 12 February 2007 - 05:58 PM

Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~

21504 "C:\hijackthis\backups\backup-20070207-183138-530.dll"
21504 "C:\Program Files\Virtools\3D Life Player\managers\dx7soundmanager.dll"


21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

04/12/2004 01:39 PM 61,440 aim.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MIAF83~1\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\EHOME\BAK

11/12/2003 01:54 PM 48,128 ehtray.exe
1 File(s) 48,128 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 07:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

05/23/2003 05:55 AM 483,328 hphmon05.exe
01/12/2006 03:40 PM 155,648 NeroCheck.exe
2 File(s) 638,976 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

09/25/2006 10:42 AM 108,160 ashDisp.exe
1 File(s) 108,160 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/12/2003 08:10 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

05/09/2005 02:32 PM 135,168 mm_tray.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

11/25/2005 08:51 PM 819,262 pccguide.exe
1 File(s) 819,262 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

12/08/2005 12:55 PM 3,096,576 ypager.exe
1 File(s) 3,096,576 bytes

Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

02/01/2006 04:45 PM 98,304 NMBgMonitor.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/05/2005 06:26 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 11:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

05/03/2006 01:56 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 10:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\114306~1\EE\BAK

11/02/2005 10:01 PM 50,792 AOLSoftware.exe
1 File(s) 50,792 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/23/2004 03:05 AM 172,032 hpztsb10.exe
1 File(s) 172,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67112 Aug 1 2006 "C:\Program Files\AIM\aim.exe"
61440 Apr 12 2004 "C:\Program Files\AIM\bak\aim.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
48128 Nov 12 2003 "C:\WINDOWS\eHome\ehtray.exe"
48128 Nov 12 2003 "C:\WINDOWS\eHome\bak\ehtray.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
483328 May 23 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jan 12 2006 "C:\WINDOWS\system32\bak\NeroCheck.exe"
108160 Jan 15 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
108160 Sep 25 2006 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
335872 Aug 12 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
135168 May 9 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
110592 Sep 3 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
819262 Nov 25 2005 "C:\Program Files\Trend Micro\Internet Security 2005\bak\pccguide.exe"
3096576 Dec 8 2005 "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe"
94208 Dec 16 2005 "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
98304 Feb 1 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
180269 Sep 5 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
50792 Nov 2 2005 "C:\Program Files\Common Files\AOL\1143062618\ee\bak\AOLSoftware.exe"
172032 Mar 23 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


end of report


Logfile of HijackThis v1.99.1
Scan saved at 5:56:40 PM, on 2/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\X3DCTL.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H3DCTL] C:\WINDOWS\System32\X3DCTL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 13 February 2007 - 04:06 PM

lostneedhelp :thumbsup:

Copy and Paste this post into a new text document

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:


@echo off

if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy /y "C:\Program Files\AIM\bak\aim.exe" "C:\Program Files\AIM\aim.exe"

if exist "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" del /q "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
copy /y "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe" "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

if exist "C:\WINDOWS\eHome\ehtray.exe" del /q "C:\WINDOWS\eHome\ehtray.exe"
copy /y "C:\WINDOWS\eHome\bak\ehtray.exe" "C:\WINDOWS\eHome\ehtray.exe"

if exist "C:\WINDOWS\system\hpsysdrv.exe" del /q "C:\WINDOWS\system\hpsysdrv.exe"
copy /y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system\hpsysdrv.exe"

if exist "C:\WINDOWS\system32\hphmon05.exe" del /q "C:\WINDOWS\system32\hphmon05.exe"
copy /y "C:\WINDOWS\system32\bak\hphmon05.exe" "C:\WINDOWS\system32\hphmon05.exe"

if exist "C:\WINDOWS\system32\NeroCheck.exe" del /q "C:\WINDOWS\system32\NeroCheck.exe"
copy /y "C:\WINDOWS\system32\bak\NeroCheck.exe" "C:\WINDOWS\system32\NeroCheck.exe"

if exist "C:\Program Files\Alwil Software\Avast4\ashDisp.exe" del /q "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
copy /y "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe" "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"

if exist "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" del /q "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
copy /y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

if exist "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" del /q "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
copy /y "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe" "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

if exist "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" del /q "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
copy /y "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

if exist "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe" del /q "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
copy /y "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe" "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"

if exist "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" del /q "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
copy /y "C:\Program Files\Trend Micro\Internet Security 2005\bak\pccguide.exe" "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"

if exist "C:\Program Files\Yahoo!\Messenger\ypager.exe" del /q "C:\Program Files\Yahoo!\Messenger\ypager.exe"
copy /y "C:\Program Files\Yahoo!\Messenger\bak\ypager.exe" "C:\Program Files\Yahoo!\Messenger\ypager.exe"

if exist "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" del /q "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
copy /y "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe" "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

if exist "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" del /q "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
copy /y "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe" "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"

if exist "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
copy /y "C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"

if exist "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" del /q "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
copy /y "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe" "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

if exist "C:\Program Files\AIM6\aolsoftware.exe" del /q "C:\Program Files\AIM6\aolsoftware.exe"
copy /y "C:\Program Files\AIM6\bak\aolsoftware.exe" "C:\Program Files\AIM6\aolsoftware.exe"

if exist "C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe" del /q "C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe"
copy /y "C:\Program Files\Common Files\AOL\1143062618\ee\bak\AOLSoftware.exe" "C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe"

if exist "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" del /q "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
copy /y "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe" "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"

Go to File > Save As
Save File name as Fix.bat
Save the file to your Desktop

On your desktop double click on the 'Fix.bat'

-------------------------------

Now Re-scan with AVG Anti-Spyware 7.5 and post the new log along with A fresh HijackThis log for me to check.

Thank you.

Attached Files

  • Attached File  fix.zip   931bytes   0 downloads


#11 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 18 February 2007 - 04:20 PM

HJT

Logfile of HijackThis v1.99.1
Scan saved at 4:18:12 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\X3DCTL.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [H3DCTL] C:\WINDOWS\System32\X3DCTL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:14:50 PM 2/18/2007

+ Scan result:



C:\Program Files\WinBudget\bin\crap.1169011042.old -> Adware.BHO : Cleaned.
C:\Program Files\WinBudget\bin\matrix.dll -> Adware.BHO : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087966.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087967.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087968.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087969.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087970.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087971.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087972.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087973.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087974.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087975.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087976.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087977.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087978.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087979.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087980.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087981.exe -> Backdoor.Aebot.r : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP280\A0075293.exe -> Downloader.Tibs.kj : Cleaned.
C:\WINDOWS\system32\aa.exe.exe -> Downloader.Tibs.kj : Cleaned.
C:\WINDOWS\system32\ac.exe -> Downloader.Tibs.kj : Cleaned.
C:\WINDOWS\system32\ad.exe -> Downloader.Tibs.kj : Cleaned.
C:\WINDOWS\system32\af.exe.exe -> Downloader.Tibs.kj : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087985.exe -> Downloader.VB.ajp : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087986.sys -> Dropper.Agent.bbv : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087987.exe -> Dropper.Agent.hz : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087983.dll -> Trojan.AntiSpySoldier.a : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087982.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP284\A0087984.exe -> Trojan.VB.atw : Cleaned.


::Report end




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users