Hijack This Log


  • This topic is locked
11 replies to this topic

#1 hiya mans

  • Members
  • 6 posts

Posted 11 March 2007 - 12:20 AM

OK, a trojan pops up on AVG every 5 minutes... can't find where they're coming from, and I'm never on the internet when it happens? Or when I am. Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 12:11:56 AM, on 3/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.finderg.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\system32\nnnmlmk.dll
O2 - BHO: (no name) - {658815CE-4819-4672-BD68-D8A8B4C5BF47} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] Need for Speed Carbon
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\ipnwatyq.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\
O20 - Winlogon Notify: nnnmlmk - C:\WINDOWS\SYSTEM32\nnnmlmk.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

#2 kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 11 March 2007 - 04:21 AM

Hi and welcome. My name is Kairis and I will be helping you.
You have some crap there! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:
Let's run some cleaning and diagnostic scans:

You should be able to disable AVG Anti-Spyware guard like this:
  • Open AVG Anti-Spyware by double-clicking its icon in the system tray.
  • In the 'Your security status' section, toggle the AVG Anti-Spyware Guard realtime protection 'off' by clicking 'active', which will then change the protection status to 'inactive'.
  • When you reboot, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the guard?".
  • Reply 'No' and set it to 'inactive'.
**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from
"Click the Scan for Vundo button." when VundoFix appears at reboot.
**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**''**
Download ComboFix from Here or Here to your Desktop.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it shall produce a log for you.
    Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~Kairis~

Edited by kairis, 11 March 2007 - 04:22 AM.

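The helper's first reply above is based on reading the HijackThis log in post #1 for the entry types that Vundo-style infections typically leave behind (an unnamed O2 BHO, O20 Winlogon Notify packages with random names, an O4 Run entry loading a DLL through rundll32, and an R1 proxy pointed at a loopback port). The following Python script is an added example of how a defender can automate that first-pass triage; it is not code from BleepingComputer, from the thread participants, or from the HijackThis project. The sample lines are copied from the log posted above; the Winlogon Notify allowlist and the "random-looking name" heuristic are assumptions that flag entries for review, not verdicts.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\system32\nnnmlmk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\ipnwatyq.dll",setvm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\
O20 - Winlogon Notify: nnnmlmk - C:\WINDOWS\SYSTEM32\nnnmlmk.dll
"""

# Assumed allowlist: the default Windows XP Winlogon\Notify subkeys plus the Intel
# graphics entry present in the log. Maintain this per environment.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# One HijackThis entry: section tag (R0/R1/O2/O4/O20/...), " - ", body.
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# A DLL living in the Windows system directory, capturing its file-name stem.
SYSTEM_DLL = re.compile(r"(?i)\\(?:windows|winnt)\\system32\\([a-z0-9_]+)\.dll")


def looks_random(stem):
    """Heuristic (assumption): 5-8 lowercase letters with at most one vowel,
    the shape of names such as nnnmlmk or mljgg. Expect some false positives."""
    return (re.fullmatch(r"[a-z]{5,8}", stem) is not None
            and sum(c in "aeiou" for c in stem) <= 1)


def triage(text):
    """Return a list of {section, line, reasons} for entries worth a closer look."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []

        # R1: IE proxy on a loopback port means browser traffic is relayed
        # through a local process, which is how some trojans intercept it.
        if sec == "R1" and "ProxyServer" in body and re.search(r"=\s*127\.0\.0\.1:\d+", body):
            reasons.append("IE proxy points at a loopback port")

        # O2: a BHO without a name is loaded into every IE process.
        if sec == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")

        # O4: a Run entry that loads a DLL via rundll32 needs its publisher checked.
        if sec == "O4" and "rundll32" in body.lower():
            reasons.append("Run entry loads a DLL via rundll32")

        # O20: Winlogon Notify packages run inside winlogon.exe at every logon.
        if sec == "O20":
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify package outside the allowlist")

        # Only inspect the DLL name where the entry type is already of interest,
        # so allowlisted vendor DLLs with short names are not flagged by accident.
        if sec in ("O2", "O4") or (sec == "O20" and reasons):
            dll = SYSTEM_DLL.search(body)
            if dll and looks_random(dll.group(1).lower()):
                reasons.append(f"random-looking DLL name in system32: {dll.group(1)}")

        if reasons:
            findings.append({"section": sec, "line": raw.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the script reports five entries (the loopback proxy, the unnamed BHO, the rundll32 Run entry and the two non-allowlisted Winlogon Notify packages) and leaves the Java BHO, the AVG Run entry and the Intel Notify package alone; the flagged lines are exactly the ones a helper would ask to have fixed, but a hit is a prompt to verify the file, not proof of infection.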

#3 hiya mans
  • Topic Starter

  • Members
  • 6 posts

Posted 12 March 2007 - 05:04 PM

"maintenance" - 07-03-12 17:51:15 Service Pack 2
ComboFix 07-03-13.3 - Running from: "C:\Documents and Settings\maintenance\My Documents"

((((((((((((((((((((((((((((((( Files Created from 2007-02-12 to 2007-03-12 ))))))))))))))))))))))))))))))))))


2007-03-12 16:34 <DIR> d-------- C:\VundoFix Backups
2007-03-11 01:40 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-10 19:52 <DIR> d-------- C:\Program Files\a-squared Free
2007-03-10 19:45 <DIR> d-------- C:\WINDOWS\Registration
2007-03-10 19:36 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-03-10 19:26 <DIR> d-------- C:\WINDOWS\CSC
2007-03-10 19:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-03-10 15:53 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-03-10 13:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-10 13:32 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Lavasoft
2007-03-10 13:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-10 13:05 <DIR> d-------- C:\Program Files\IObit
2007-03-09 20:01 <DIR> d-------- C:\DOCUME~1\Lee&Amy\APPLIC~1\Google
2007-03-09 18:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-03-09 16:36 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-03-09 02:56 1,100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-08 19:40 <DIR> d--h----- C:\DBBackup
2007-03-08 19:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-03-08 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-03-07 16:06 123,412 --------- C:\WINDOWS\system32\ipnwatyq.dll
2007-03-07 16:06 1,153,763 --ahs---- C:\WINDOWS\system32\ggjlm.bak1
2007-03-07 15:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-07 15:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-07 15:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-04 02:55 <DIR> d-------- C:\WINDOWS\.file_store_32
2007-03-03 13:36 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-02 21:18 <DIR> d-------- C:\Program Files\SCAR 2.03
2007-03-02 19:10 <DIR> d-------- C:\Program Files\No-IP
2007-02-27 23:51 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-27 21:46 <DIR> d-------- C:\Program Files\Google
2007-02-27 21:46 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Google
2007-02-27 21:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-02-27 21:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-02-27 20:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-02-27 17:29 <DIR> d-------- C:\DOCUME~1\MAINTE~1\.java
2007-02-27 01:28 <DIR> d-------- C:\Program Files\EliteSwitch
2007-02-26 20:45 <DIR> d-------- C:\Program Files\mIRC
2007-02-25 00:45 <DIR> d-------- C:\DOCUME~1\kids\Shared
2007-02-25 00:45 <DIR> d-------- C:\DOCUME~1\kids\Incomplete
2007-02-25 00:44 <DIR> d-------- C:\DOCUME~1\kids\APPLIC~1\LimeWire
2007-02-19 12:25 <DIR> d-------- C:\Program Files\MAIET
2007-02-19 04:19 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Artweaver
2007-02-19 04:08 <DIR> d-------- C:\DOCUME~1\kids\APPLIC~1\WinRAR
2007-02-19 01:21 <DIR> d-------- C:\DOCUME~1\MAINTE~1\Shared
2007-02-19 01:21 <DIR> d-------- C:\DOCUME~1\MAINTE~1\Incomplete
2007-02-17 01:33 212,480 --------- C:\WINDOWS\pcdlib32.dll
2007-02-17 01:33 <DIR> d-------- C:\Program Files\Serif
2007-02-17 01:30 <DIR> d-------- C:\Program Files\Painter
2007-02-17 01:28 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Ambient Design
2007-02-17 01:17 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Ulead Systems
2007-02-17 00:15 <DIR> d-------- C:\DOCUME~1\kids\Contacts
2007-02-16 23:59 <DIR> d-------- C:\DOCUME~1\kids\APPLIC~1\Blueberry
2007-02-16 01:00 4,608 --a------ C:\WINDOWS\system32\bbchlp.dll
2007-02-16 01:00 27,776 --a------ C:\WINDOWS\system32\bbcap.dll
2007-02-16 01:00 2,944 --a------ C:\WINDOWS\system32\drivers\bbcap.sys
2007-02-16 01:00 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Blueberry
2007-02-16 01:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Blueberry
2007-02-15 22:33 <DIR> d-------- C:\DOCUME~1\MAINTE~1\Contacts
2007-02-15 22:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-12 15:47 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\avg7
2007-03-11 01:41 -------- d-------- C:\Program Files\superantispyware
2007-03-11 01:41 -------- d-------- C:\Program Files\java
2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-08 19:46 -------- d--h----- C:\Program Files\installshield installation information
2007-03-07 18:17 -------- d-------- C:\Program Files\altiris
2007-02-28 16:33 -------- d---s---- C:\DOCUME~1\MAINTE~1\APPLIC~1\microsoft
2007-02-27 23:51 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\mozilla
2007-02-24 14:25 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-24 14:25 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-24 14:25 19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-08 00:17 0 --a------ C:\WINDOWS\system32\cmmgr32.exe
2007-02-07 14:09 -------- d-------- C:\Program Files\javasoft
2007-02-05 17:17 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\winrar
2007-02-05 17:05 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\macromedia
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-03 20:42 417792 --a------ C:\WINDOWS\system32\msrepl35.dll
2007-01-03 20:42 36864 --a------ C:\WINDOWS\system32\msjter35.dll
2007-01-03 20:42 294912 --a------ C:\WINDOWS\system32\msxbse35.dll
2007-01-03 20:42 262144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-01-03 20:42 262144 --a------ C:\WINDOWS\system32\msexcl35.dll
2007-01-03 20:42 176128 --a------ C:\WINDOWS\system32\mstext35.dll
2007-01-03 20:42 139264 --a------ C:\WINDOWS\system32\msjint35.dll
2007-01-03 20:42 1056768 --a------ C:\WINDOWS\system32\msjet35.dll
2007-01-03 20:35 0 -rahs---- C:\MSDOS.SYS
2007-01-03 20:35 0 -rahs---- C:\IO.SYS
2007-01-03 20:30 5364 --a------ C:\DOCUME~1\MAINTE~1\APPLIC~1\gdiplusupgrade_msiapproach_wrapper.log
2007-01-03 20:30 1117 --a------ C:\DOCUME~1\MAINTE~1\APPLIC~1\bestmodepatch_rubenmain.log
2007-01-03 20:25 103509 --a------ C:\WINDOWS\hpoins04.dat
2007-01-03 20:17 12218319 --------- C:\AVG7QT.DAT
2006-12-24 21:15 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-12-24 21:15 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"I downloaded pirated Software from P2P "="Need for Speed Carbon"
"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\system32\\ipnwatyq.dll\",setvm"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{1EB27C5E-3DF4-41E2-B51A-D80F812D561D}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\system.sav\CPQDONE.EXE 90112 bytes
C:\system.sav\cpqide.cfg 72 bytes
C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 128 bytes
C:\system.sav\DETECTED.LST 4096 bytes
C:\system.sav\DEVCHECK.LOG 4096 bytes
C:\system.sav\FAVTOOL.LOG 472 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\INFO.BOM 8192 bytes
C:\system.sav\NTFS.log 40 bytes
C:\system.sav\phonbook.ini 57344 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RES.DLL 827392 bytes
C:\system.sav\suptphon.exe 40960 bytes
C:\system.sav\util
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\ATLEAST.LOG 200 bytes
C:\system.sav\util\CIA.INI 69632 bytes
C:\system.sav\util\cpqci.dll 126976 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\deldir.log 4096 bytes
C:\system.sav\util\dmiuia.cmd 144 bytes
C:\system.sav\util\DotNet_Logs_US
C:\system.sav\util\Family.htm 4096 bytes
C:\system.sav\util\INSTALL.LOG 237568 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\MININT-JVC.htm 4096 bytes
C:\system.sav\util\oca_log.txt 4096 bytes
C:\system.sav\util\oobe.min 136 bytes
C:\system.sav\util\oobe.wpe 272 bytes
C:\system.sav\util\osexclude.txt 176 bytes
C:\system.sav\util\postoobe
C:\system.sav\util\postproc.ini 536 bytes
C:\system.sav\util\random.ini 32 bytes
C:\system.sav\util\SecEvBk2.old 65536 bytes
C:\system.sav\util\SUNJAVA.log 20480 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\SysEvBk2.old 65536 bytes
C:\system.sav\util\uiautil.exe 61440 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 40

********************************************************************

Completion time: 07-03-12 17:52:38

#4 kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 13 March 2007 - 01:20 AM

Hi.
You should be able to disable AVG Anti-Spyware guard like this:
  • Open AVG Anti-Spyware by double-clicking its icon in the system tray.
  • In the 'Your security status' section, toggle the AVG Anti-Spyware Guard realtime protection 'off' by clicking 'active', which will then change the protection status to 'inactive'.
  • When you reboot, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the guard?".
  • Reply 'No' and set it to 'inactive'.
Where is Vundofix??

#5 hiya mans
  • Topic Starter

  • Members
  • 6 posts

Posted 13 March 2007 - 07:01 PM

Can't find it... look... [image]

And Vundo is accidentally in My Documents.

#6 kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 14 March 2007 - 12:48 AM

Okay.
I think it's best that you uninstall AVG Anti-Spyware now and reinstall it when we are ready.
Please send me the VundoFix log and a fresh HJT log, thanks.

#7 hiya mans
  • Topic Starter

  • Members
  • 6 posts

Posted 14 March 2007 - 03:40 PM

====================== VUNDO FOUND NOTHING ======================

"maintenance" - 07-03-14 16:34:45 Service Pack 2
ComboFix 07-03-13.3 - Running from: "C:\Documents and Settings\maintenance\My Documents"

((((((((((((((((((((((((((((((( Files Created from 2007-02-14 to 2007-03-14 ))))))))))))))))))))))))))))))))))


2007-03-14 15:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-12 16:34 <DIR> d-------- C:\VundoFix Backups
2007-03-11 01:40 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-10 19:52 <DIR> d-------- C:\Program Files\a-squared Free
2007-03-10 19:45 <DIR> d-------- C:\WINDOWS\Registration
2007-03-10 19:36 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-03-10 19:26 <DIR> d-------- C:\WINDOWS\CSC
2007-03-10 19:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-03-10 15:53 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-03-10 13:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-10 13:32 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Lavasoft
2007-03-10 13:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-10 13:05 <DIR> d-------- C:\Program Files\IObit
2007-03-09 20:01 <DIR> d-------- C:\DOCUME~1\Lee&Amy\APPLIC~1\Google
2007-03-09 18:53 <DIR> d-------- C:\Program Files\MSN Messenger
2007-03-09 16:36 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-03-09 02:56 1,100 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-08 19:40 <DIR> d--h----- C:\DBBackup
2007-03-08 19:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-03-08 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-03-07 16:06 123,412 --------- C:\WINDOWS\system32\ipnwatyq.dll
2007-03-07 16:06 1,153,763 --ahs---- C:\WINDOWS\system32\ggjlm.bak1
2007-03-07 15:02 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-07 15:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-07 15:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-04 02:55 <DIR> d-------- C:\WINDOWS\.file_store_32
2007-03-03 13:36 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-02 21:18 <DIR> d-------- C:\Program Files\SCAR 2.03
2007-03-02 19:10 <DIR> d-------- C:\Program Files\No-IP
2007-02-27 23:51 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-27 21:46 <DIR> d-------- C:\Program Files\Google
2007-02-27 21:46 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Google
2007-02-27 21:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-02-27 21:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-02-27 20:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-02-27 17:29 <DIR> d-------- C:\DOCUME~1\MAINTE~1\.java
2007-02-27 01:28 <DIR> d-------- C:\Program Files\EliteSwitch
2007-02-26 20:45 <DIR> d-------- C:\Program Files\mIRC
2007-02-25 00:45 <DIR> d-------- C:\DOCUME~1\kids\Shared
2007-02-25 00:45 <DIR> d-------- C:\DOCUME~1\kids\Incomplete
2007-02-25 00:44 <DIR> d-------- C:\DOCUME~1\kids\APPLIC~1\LimeWire
2007-02-19 12:25 <DIR> d-------- C:\Program Files\MAIET
2007-02-19 04:19 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Artweaver
2007-02-19 04:08 <DIR> d-------- C:\DOCUME~1\kids\APPLIC~1\WinRAR
2007-02-19 01:21 <DIR> d-------- C:\DOCUME~1\MAINTE~1\Shared
2007-02-19 01:21 <DIR> d-------- C:\DOCUME~1\MAINTE~1\Incomplete
2007-02-17 01:33 212,480 --------- C:\WINDOWS\pcdlib32.dll
2007-02-17 01:33 <DIR> d-------- C:\Program Files\Serif
2007-02-17 01:30 <DIR> d-------- C:\Program Files\Painter
2007-02-17 01:28 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Ambient Design
2007-02-17 01:17 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Ulead Systems
2007-02-17 00:15 <DIR> d-------- C:\DOCUME~1\kids\Contacts
2007-02-16 23:59 <DIR> d-------- C:\DOCUME~1\kids\APPLIC~1\Blueberry
2007-02-16 01:00 4,608 --a------ C:\WINDOWS\system32\bbchlp.dll
2007-02-16 01:00 27,776 --a------ C:\WINDOWS\system32\bbcap.dll
2007-02-16 01:00 2,944 --a------ C:\WINDOWS\system32\drivers\bbcap.sys
2007-02-16 01:00 <DIR> d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\Blueberry
2007-02-16 01:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Blueberry
2007-02-15 22:33 <DIR> d-------- C:\DOCUME~1\MAINTE~1\Contacts
2007-02-15 22:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-14 15:50 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\avg7
2007-03-13 20:02 -------- d-------- C:\Program Files\superantispyware
2007-03-11 01:41 -------- d-------- C:\Program Files\java
2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-08 19:46 -------- d--h----- C:\Program Files\installshield installation information
2007-03-07 18:17 -------- d-------- C:\Program Files\altiris
2007-02-28 16:33 -------- d---s---- C:\DOCUME~1\MAINTE~1\APPLIC~1\microsoft
2007-02-27 23:51 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\mozilla
2007-02-24 14:25 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-24 14:25 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-24 14:25 19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-08 00:17 0 --a------ C:\WINDOWS\system32\cmmgr32.exe
2007-02-07 14:09 -------- d-------- C:\Program Files\javasoft
2007-02-05 17:17 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\winrar
2007-02-05 17:05 -------- d-------- C:\DOCUME~1\MAINTE~1\APPLIC~1\macromedia
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-03 20:42 417792 --a------ C:\WINDOWS\system32\msrepl35.dll
2007-01-03 20:42 36864 --a------ C:\WINDOWS\system32\msjter35.dll
2007-01-03 20:42 294912 --a------ C:\WINDOWS\system32\msxbse35.dll
2007-01-03 20:42 262144 --a------ C:\WINDOWS\system32\msrd2x35.dll
2007-01-03 20:42 262144 --a------ C:\WINDOWS\system32\msexcl35.dll
2007-01-03 20:42 176128 --a------ C:\WINDOWS\system32\mstext35.dll
2007-01-03 20:42 139264 --a------ C:\WINDOWS\system32\msjint35.dll
2007-01-03 20:42 1056768 --a------ C:\WINDOWS\system32\msjet35.dll
2007-01-03 20:35 0 -rahs---- C:\MSDOS.SYS
2007-01-03 20:35 0 -rahs---- C:\IO.SYS
2007-01-03 20:30 5364 --a------ C:\DOCUME~1\MAINTE~1\APPLIC~1\gdiplusupgrade_msiapproach_wrapper.log
2007-01-03 20:30 1117 --a------ C:\DOCUME~1\MAINTE~1\APPLIC~1\bestmodepatch_rubenmain.log
2007-01-03 20:25 103509 --a------ C:\WINDOWS\hpoins04.dat
2007-01-03 20:17 12218319 --------- C:\AVG7QT.DAT
2006-12-24 21:15 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-12-24 21:15 348160 --a------ C:\WINDOWS\system32\msvcr71.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"I downloaded pirated Software from P2P "="Need for Speed Carbon"
"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\system32\\ipnwatyq.dll\",setvm"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1EB27C5E-3DF4-41E2-B51A-D80F812D561D}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At3.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\system.sav\CPQDONE.EXE 90112 bytes
C:\system.sav\cpqide.cfg 72 bytes
C:\system.sav\CTO.TXT 4096 bytes
C:\system.sav\CTOHW.TXT 128 bytes
C:\system.sav\DETECTED.LST 4096 bytes
C:\system.sav\DEVCHECK.LOG 4096 bytes
C:\system.sav\FAVTOOL.LOG 472 bytes
C:\system.sav\highgost.flg 32 bytes
C:\system.sav\INFO.BOM 8192 bytes
C:\system.sav\NTFS.log 40 bytes
C:\system.sav\phonbook.ini 57344 bytes
C:\system.sav\REBOOT.ME 48 bytes
C:\system.sav\REGFLUSH.LOG 4096 bytes
C:\system.sav\RES.DLL 827392 bytes
C:\system.sav\suptphon.exe 40960 bytes
C:\system.sav\util
C:\system.sav\util\AppEvBk1.old 65536 bytes
C:\system.sav\util\ATLEAST.LOG 200 bytes
C:\system.sav\util\CIA.INI 69632 bytes
C:\system.sav\util\cpqci.dll 126976 bytes
C:\system.sav\util\delcia.flg 32 bytes
C:\system.sav\util\deldir.log 4096 bytes
C:\system.sav\util\dmiuia.cmd 144 bytes
C:\system.sav\util\DotNet_Logs_US
C:\system.sav\util\Family.htm 4096 bytes
C:\system.sav\util\INSTALL.LOG 237568 bytes
C:\system.sav\util\make_rtr.flg 136 bytes
C:\system.sav\util\MININT-JVC.htm 4096 bytes
C:\system.sav\util\oca_log.txt 4096 bytes
C:\system.sav\util\oobe.min 136 bytes
C:\system.sav\util\oobe.wpe 272 bytes
C:\system.sav\util\osexclude.txt 176 bytes
C:\system.sav\util\postoobe
C:\system.sav\util\postproc.ini 536 bytes
C:\system.sav\util\random.ini 32 bytes
C:\system.sav\util\SecEvBk2.old 65536 bytes
C:\system.sav\util\SUNJAVA.log 20480 bytes
C:\system.sav\util\SysEvBk1.old 65536 bytes
C:\system.sav\util\SysEvBk2.old 65536 bytes
C:\system.sav\util\uiautil.exe 61440 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 40

********************************************************************

Completion time: 07-03-14 16:35:54
C:\ComboFix2.txt ... 07-03-12 17:52

#8 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:03 PM

Posted 15 March 2007 - 05:02 AM

Please send fresh HJT-log, thanks.

#9 hiya mans

hiya mans
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:03 PM

Posted 15 March 2007 - 11:23 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:21:01 AM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\system32\nnnmlmk.dll (file missing)
O2 - BHO: (no name) - {260F83C5-E2DF-4836-B5C5-90342E836040} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {658815CE-4819-4672-BD68-D8A8B4C5BF47} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] Need for Speed Carbon
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\ipnwatyq.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljgg - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

#10 hiya mans

hiya mans
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:03 PM

Posted 16 March 2007 - 10:35 AM

bumper

#11 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:03 PM

Posted 17 March 2007 - 01:36 AM

Hi. Sorry for the delay.
You still have a Vundo infection.
Let's get rid of it:

Did you uninstall AVG A-S?

With all other windows closed, start your HijackThis and click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:

O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\system32\nnnmlmk.dll (file missing)
O2 - BHO: (no name) - {260F83C5-E2DF-4836-B5C5-90342E836040} - C:\WINDOWS\system32\mljjh.dll (file missing)
O2 - BHO: (no name) - {658815CE-4819-4672-BD68-D8A8B4C5BF47} - (no file)
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P ] Need for Speed Carbon
Select Fix Checked

Please download VirtumundoBeGone

() Save it to your Desktop
() Reboot your System
() Close all running programs (including your Internet Browser)
() Double-click VirtumundoBeGone.exe on the desktop
() Follow the directions as indicated

Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

VirtumundoBeGone generates a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here together with a new HijackThis log.
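The entries kairis asks to fix above are picked out by hand from the HijackThis log. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the script below does the same triage over HijackThis log lines: it flags O2 BHO entries whose DLL is missing, O4 Run entries that either load a system32 DLL through rundll32 or carry a value that is not a program path at all, and O20 Winlogon Notify entries that do not point at a DLL. The heuristics and the `Finding` type are my own choices, not part of HijackThis; the sample lines are copied from the log posted earlier in this thread and are only a fragment of it.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example; the rules below are the author's own reading of what the
helper in this thread checked, not anything HijackThis does itself.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HJT log posted in this thread (not a full log).
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\\WINDOWS\\system32\\nnnmlmk.dll (file missing)",
    "O2 - BHO: (no name) - {658815CE-4819-4672-BD68-D8A8B4C5BF47} - (no file)",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0\\bin\\ssv.dll",
    "O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe",
    "O4 - HKLM\\..\\Run: [I downloaded pirated Software from P2P ] Need for Speed Carbon",
    "O4 - HKLM\\..\\Run: [2chkdsk] rundll32.exe \"C:\\WINDOWS\\system32\\ipnwatyq.dll\",setvm",
    "O4 - Global Startup: Google Updater.lnk = C:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe",
    "O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll",
    "O20 - Winlogon Notify: mljgg - C:\\WINDOWS\\",
]

# "O4 - <body>": the section code, a dash, then the rest of the line.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Registry Run entries only: "HKLM\..\Run: [name] value". Global Startup
# shortcut lines have a different shape and are deliberately not matched.
RUN_ENTRY = re.compile(r"^(?P<hive>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def looks_like_program(value: str) -> bool:
    """True when an autorun value names something Windows could actually start:
    a drive-letter path, an environment variable path, or a known extension."""
    return bool(re.search(r"[A-Za-z]:\\|%\w+%|\.(exe|dll|cmd|bat|scr)\b", value, re.IGNORECASE))


def triage(lines):
    """Return the log lines a helper would want to look at, with a reason each."""
    findings = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # running-process list, headers, blank lines
        section, body = m["section"], m["body"]
        if section == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(section, "BHO registered but its DLL is absent", raw))
        elif section == "O4":
            run = RUN_ENTRY.match(body)
            if run is None:
                continue  # not a Run key entry
            value = run["value"]
            if re.search(r'rundll32.*\\system32\\[^\\"]+\.dll', value, re.IGNORECASE):
                findings.append(Finding(section, "Run entry loads a system32 DLL through rundll32", raw))
            elif not looks_like_program(value):
                findings.append(Finding(section, "Run entry value is not a program path", raw))
        elif section == "O20" and not body.lower().endswith(".dll"):
            findings.append(Finding(section, "Winlogon Notify entry does not resolve to a DLL", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run over the sample, the script reports the two orphaned BHOs, the Run entry whose value is plain text, the rundll32 entry and the mljgg Winlogon Notify line, and stays quiet on the Java, Intel and Google entries. The rules are deliberately narrow; a real review still compares every remaining path against a known-good list the way the helper does.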

#12 kairis

kairis

  • Members
  • 327 posts
  • OFFLINE
  • Location:Finland
  • Local time:11:03 PM

Posted 26 March 2007 - 05:16 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.



