Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Help Diagnose


  • This topic is locked This topic is locked
8 replies to this topic

#1 Johnhazen

Johnhazen

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 31 March 2007 - 01:13 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:49:33 AM, on 3/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\UPS\UOWS\Messages\WSDMessaging.exe
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\Microsoft Office XP\Office10\msoffice.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\NOTEDAD.EXE
C:\My Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mossfoam.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmpF1.tmp.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {ae5b59e5-b58d-422a-9f83-cc30c0bd5862} - C:\WINDOWS\system32\kbdR35.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\fccdde.dll",setvm
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\UOWS\Messages\WSDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ezgreets.aavalue.com/EZG/Toolbar/EZG-toolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175141749921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kbdR35 - C:\WINDOWS\SYSTEM32\kbdR35.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:57 PM

Posted 31 March 2007 - 04:05 PM

Hello,

Your system is terribly infected.
Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.
Also, I want to make you aware of the fact that all your passwords are known, so I strongly recommend you change all your passwords once this system is "clean" again. Don't change them yet since as long malware is present, they will gather the new passwords as well.

Please make sure you follow the next instructions in exactly the way I describe without missing any step and in the right order!!

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries if they are appearing:

    .txt
    .bat
    .ini
    .reg


  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.
* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\SYSTEM32\kbdR35.dll
  • Copy and paste next in the second field: C:\WINDOWS\System32\tmpF1.tmp.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\.dbt]

[-HKEY_CLASSES_ROOT\DBTFILE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\NOTEDAD.EXE]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Do not run the scan yet.
* Reboot into Safe Mode: ( without networking support !)
°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmpF1.tmp.dll
O2 - BHO: (no name) - {ae5b59e5-b58d-422a-9f83-cc30c0bd5862} - C:\WINDOWS\system32\kbdR35.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\fccdde.dll",setvm
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ezgreets.aavalue.com/EZG/Toolbar/EZG-toolbar.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdR35 - C:\WINDOWS\SYSTEM32\kbdR35.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next files if still present:

C:\WINDOWS\NOTEDAD.EXE <== watch the spelling - this is NOT notepad.exe, so don't delete notepad.exe!
C:\WINDOWS\System32\IExplorer.dll .dbt
C:\WINDOWS\system32\lsasss.exe <== watch the spelling - this is NOT the legit lsass.exe, so don't delete lsass.exe!!
C:\WINDOWS\fccdde.dll

* Start AVG Antispyware.
  • Click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware.
Reboot back to normal mode...

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

* Please download the following file to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Run the file. This will open a log.

Post the next logs in your following reply:

* Log from AVG Antispyware
* Log from Combofix
* Log from FindAWF
* New HijackThislog
* Log from Daft

You may need more than one reply to post the logs.

Edited by miekiemoes, 31 March 2007 - 04:07 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Johnhazen

Johnhazen
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 01 April 2007 - 12:20 PM

I posted this reply to a new message, guess I should have just added it to the original one. Sorry


BleepingComputer.com RulesDonate
BlogsChat HelpSearchMembers RSS

[X]My AssistantLoading. Please Wait...

Logged in as: Johnhazen ( Log Out )
My Topics· My Controls · View New Posts · My Assistant · 0 New Messages · Create a Blog!


Have a problem and would like to ask us for help? To learn how to ask your question Click Here!
Do you have popups or other malware infecting your computer? If so, Start Here!
Are you having trouble using this site? Then you should visit the New User Orientation Center!

BleepingComputer.com > Security > HijackThis Logs and Analysis
Forum Guidelines
Read this topic before posting a log.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.



Followup, after doing your instructions Options

Track this topic
Email this topic
Print this topic
Download this topic
Subscribe to this forum
Display Modes
Switch to: Outline
Standard
Switch to: Linear+ Johnhazen Yesterday, 08:24 PM Post #1


New Member


Group: Members
Posts: 2
Joined: Yesterday, 12:56 PM
Member No.: 121162



Logfile of HijackThis v1.99.1
Scan saved at 6:19:51 PM, on 3/31/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\UPS\UOWS\Messages\WSDMessaging.exe
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\Microsoft Office XP\Office10\msoffice.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\notepad.exe
C:\My Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mossfoam.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\UOWS\Messages\WSDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175141749921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


"John Hazen" - 07-03-31 18:13:29 Service Pack 1
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\John Hazen\Desktop"

/wow section - STAGE #3

((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))


2007-03-31 15:43 <DIR> d-------- C:\VundoFix Backups
2007-03-31 10:38 106,539 --a------ C:\WINDOWS\fccdde.dll
2007-03-29 18:49 454,656 --a------ C:\WINDOWS\ssndii.exe
2007-03-29 18:49 44,544 --a------ C:\WINDOWS\SYSTEM32\msxml4a.dll
2007-03-29 18:49 21,776 --a------ C:\WINDOWS\SYSTEM32\msxml2a.dll
2007-03-29 18:49 <DIR> d-------- C:\WINDOWS\Samsung
2007-03-29 18:47 57,344 --a------ C:\WINDOWS\SYSTEM32\SUGO3CI.dll
2007-03-29 18:47 151,552 --a------ C:\WINDOWS\SYSTEM32\SUGO3CI.exe
2007-03-28 21:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-03-28 21:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\PreInstall
2007-03-28 21:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2007-03-28 20:30 <DIR> d-------- C:\7c995415af88527d0ec856149e
2007-03-28 20:15 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-03-28 16:37 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\.housecall6.6
2007-03-28 15:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-03-28 14:51 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-03-28 13:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-03-26 18:26 31,366 --a------ C:\WINDOWS\Trojan9129837.exe
2007-03-24 13:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-24 10:21 32,768 --a------ C:\WINDOWS\SYSTEM32\mp43.exe
2007-03-24 10:21 32,768 --a------ C:\WINDOWS\NOTEDAD.EXE
2007-03-22 16:15 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\Screenshot Sender
2007-03-20 09:25 32,768 --a------ C:\WINDOWS\SYSTEM32\svchtoost.exe
2007-03-17 15:26 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-03-17 14:51 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\Musicmatch
2007-03-17 14:41 966,144 --a------ C:\WINDOWS\SYSTEM32\NCTAudioInformation2.dll
2007-03-17 14:41 877,568 --a------ C:\WINDOWS\SYSTEM32\NCTAudioFile2.dll
2007-03-17 14:41 724,992 --a------ C:\WINDOWS\SYSTEM32\ebCrypt.dll
2007-03-17 14:41 253,952 --a------ C:\WINDOWS\SYSTEM32\SkinBoxer43.dll
2007-03-17 14:16 <DIR> d-------- C:\Program Files\One-click CD Converter
2007-03-17 03:07 <DIR> d-------- C:\moody
2007-03-17 02:41 <DIR> d-------- C:\Program Files\MediaMonkey
2007-03-17 02:24 <DIR> d-------- C:\New Folder
2007-03-17 01:17 <DIR> d-------- C:\Program Files\APE To MP3 Plus
2007-03-16 23:56 <DIR> d-------- C:\Program Files\BitTorrent
2007-03-16 23:56 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\BitTorrent
2007-03-16 23:01 27,110 --a------ C:\WINDOWS\SYSTEM32\jkhhi.exe
2007-03-16 22:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2007-03-14 21:53 5,767,168 --a------ C:\DOCUME~1\JOHNHA~1\ntuser.dat
2007-03-13 15:02 9,584 --a------ C:\WINDOWS\SYSTEM32\LMImirr2.dll
2007-03-13 15:02 8,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\LMImirr.sys
2007-03-13 15:02 23,024 --a------ C:\WINDOWS\SYSTEM32\LMImirr.dll
2007-03-13 15:02 11,504 --a------ C:\WINDOWS\SYSTEM32\LMIinit.dll
2007-03-13 15:01 <DIR> d-------- C:\Program Files\LogMeIn
2007-03-13 14:58 <DIR> d-------- C:\LMI
2007-03-09 09:57 27,376 --a------ C:\WINDOWS\SYSTEM32\SBBD.exe
2007-02-28 17:07 <DIR> d-------- C:\DOCUME~1\JOHNHA~1\APPLIC~1\ZoomBrowser EX
2007-02-28 16:57 <DIR> d-------- C:\Program Files\Common Files\Canon
2007-02-28 16:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZoomBrowser


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-29 18:49 -------- d--h----- C:\Program Files\installshield installation information
2007-03-29 17:12 -------- d-------- C:\Program Files\winfax
2007-03-28 18:14 -------- d--h----- C:\Program Files\microsoft word
2007-03-28 11:02 -------- d-------- C:\Program Files\quicktime
2007-03-22 16:14 -------- d-------- C:\Program Files\messenger plus! live
2007-03-17 14:50 28256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
2007-02-28 16:59 -------- d-------- C:\Program Files\canon
2007-01-15 10:32 689280 --a------ C:\WINDOWS\SYSTEM32\aswboot.exe
2007-01-15 10:23 90112 --a------ C:\WINDOWS\SYSTEM32\avastss.scr


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe"
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinFaxAppPortStarter"="wfxsnt40.exe"
"Samsung PanelMgr"="C:\\WINDOWS\\Samsung\\PanelMgr\\SSMMgr.exe /autorun"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Ulead Photo Express 4.0 SE Calendar Checker .lnk"
"backup"="C:\\WINDOWS\\pss\\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ULEADS~1\\ULEADP~1.0SE\\CalCheck.exe "
"item"="Ulead Photo Express 4.0 SE Calendar Checker "

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John Hazen^Start Menu^Programs^Startup^BJ Status Monitor Canon i860.lnk]
"path"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\BJ Status Monitor Canon i860.lnk"
"backup"="C:\\WINDOWS\\pss\\BJ Status Monitor Canon i860.lnkStartup"
"location"="Startup"
"command"="C:\\DOCUME~1\\JOHNHA~1\\CNMSSC~1.EXE LPT1:;Canon i860;cnmss Canon i860 (Local).exe;BJ Status Monitor Canon i860.lnk"
"item"="BJ Status Monitor Canon i860"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John Hazen^Start Menu^Programs^Startup^SUPPORT.GID]
"path"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\SUPPORT.GID"
"backup"="C:\\WINDOWS\\pss\\SUPPORT.GIDStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\SUPPORT.GID"
"item"="SUPPORT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John Hazen^Start Menu^Programs^Startup^symdiag.GID]
"path"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\symdiag.GID"
"backup"="C:\\WINDOWS\\pss\\symdiag.GIDStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\symdiag.GID"
"item"="symdiag"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John Hazen^Start Menu^Programs^Startup^{4BAA3DC1-DCB0-11D2-9E6B-00805FCDA91F}.MSI]
"path"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\{4BAA3DC1-DCB0-11D2-9E6B-00805FCDA91F}.MSI"
"backup"="C:\\WINDOWS\\pss\\{4BAA3DC1-DCB0-11D2-9E6B-00805FCDA91F}.MSIStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\John Hazen\\Start Menu\\Programs\\Startup\\{4BAA3DC1-DCB0-11D2-9E6B-00805FCDA91F}.MSI"
"item"="{4BAA3DC1-DCB0-11D2-9E6B-00805FCDA91F}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2chkdsk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="efddcy"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\efddcy.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Clipboard Buddy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CLIPBO~1"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\CLIPBO~1\\CLIPBO~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark_X79-55]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lsasss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\lsasss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LocationFinder"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SBCSTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBCSTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssqpmn"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\ssqpmn.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"IESet"="IExplorer.dll .dbt"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-31 18:15:15




Full Edit
Quick Edit « Next Oldest · HijackThis Logs and Analysis · Next Newest »



1 User(s) are reading this topic (0 Guests and 0 Anonymous Users)
1 Members: Johnhazen


Fast Reply



Enable email notification of replies | Enable Smilies | Enable Signature




Forum Home Search Help Operating Systems |-- Windows 95/98*Grinler |-- Windows XP Home and Professional |-- Windows NT/2000/2003 |-- Windows Vista |-- Linux & Unix |---- Live Linux |-- Apple/DOS/PDA/Other Software and Hardware |-- Business Applications |-- Games |-- All other Applications |-- Hardware |-- Tips and Tricks |-- Graphics Design and Photo Editing |-- Audio and Video |-- Programming Internet & Networking |-- Web Browsing/Email and Other Internet Applications |-- Networking |-- Web Site Development Security |-- AntiVirus, Firewall and Privacy Products and Protection Methods |-- Windows Defender |-- Am I infected? What do I do? |-- Breaking Virus & Security News |-- Security Updates |-- HijackThis Logs and Analysis |-- Spyware and Malware Removal Guides and Reading Room Bleeping Computer Applications and Guides |-- Tutorials |-- Windows Startup Programs Database |-- Mini guides and how-tos - Simple answers to common questions |---- Audio and Video |---- Email |---- Images, Image Editing, Image Viewing |---- Internet Applications |---- Linux |---- Networking |---- Security |---- Web Browsers |---- Microsoft Windows |---- Programming and Web Design General Topics |-- General Chat |-- Introductions |-- New User Orientation |-- The Speak Easy |-- Forum Games |-- News |-- Photo Albums, Images, and Videos |-- Bleeping Computer Announcements, Comments, & Suggestions |-- Tests and Scribbles


Display Mode: Standard · Switch to: Linear+ · Switch to: Outline


Track this topic · Email this topic · Print this topic · Subscribe to this forum


English Lo-Fi Version Time is now: 1st April 2007 - 12:19 PM



Advertise | About Us | Terms of Use | Privacy Policy | Contact Us | Support Bleeping Computer | Site Map | Chat | Tutorials | Uninstall List
Discussion Forums | The Computer Glossary | Resources | Spyware/HJ Detector | RSS Feeds | Startups | The File Database | Add Mozilla Sidebar


Invision Power Board v2.1.7 © 2007 IPS, Inc.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:57 PM

Posted 01 April 2007 - 03:37 PM

Hi,

I see you didn't really perform all my steps I asked..

I asked you this:

Post the next logs in your following reply:

* Log from AVG Antispyware
* Log from Combofix
* Log from FindAWF
* New HijackThislog
* Log from Daft


You only posted the Hijackthislog and the Combofixlog. Next logs are missing:

* AVG Antispyware
* Log from FindAwf
* Log from DAFT

I don't see you even installed AVG Antispyware. How am I supposed to help you if you don't follow my steps?

I also see you didn't delete all the files I asked you to delete.. so to make things easier for and to be sure, do next:

* Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste next bold part into that Window:

    C:\WINDOWS\fccdde.dll
    C:\WINDOWS\ssndii.exe
    C:\WINDOWS\Trojan9129837.exe
    C:\WINDOWS\SYSTEM32\mp43.exe
    C:\WINDOWS\NOTEDAD.EXE
    C:\WINDOWS\SYSTEM32\svchtoost.exe
    C:\WINDOWS\SYSTEM32\jkhhi.exe



  • Then click the red Moveit! button below.
  • This will display the results in the right windows where it says "Results" on top
  • Copy and paste everything present in the Results window (right window) and save these results in notepad and save it on your desktop, because I need to see those results afterwards.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

* Please perform the steps aftwerwards with DAFT!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post the following logs in your next reply:

* Log from AVG Antispyware
* Log from Daft
* Log from FindAWF
* Log from OTMoveit
* New Hijackthislog
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Johnhazen

Johnhazen
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 01 April 2007 - 05:50 PM

avg found trojan 9129837.exe
and moved it
Daft says all associations are ok

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

09/06/2005 04:23 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\WINFAX\BAK

12/12/2002 05:45 AM 28,160 WFXSWTCH.exe
1 File(s) 28,160 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/06/2003 11:07 PM 114,688 hkcmd.exe
04/06/2003 11:19 PM 155,648 igfxtray.exe
2 File(s) 270,336 bytes

Directory of C:\PROGRA~1\PANICW~1\POP-UP~1\BAK

10/29/2003 11:01 AM 524,288 PSFree.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\FEDEX\SHIPMA~1\RATE\COMP\BAK

02/27/2007 04:42 PM 383,663 050543082
03/26/2007 08:42 AM 106 051543082
02/12/2007 11:19 AM 288,603 150543082
12/18/2006 09:33 AM 288,571 151543082
05/23/2005 05:19 PM 123 350543082
5 File(s) 961,066 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

77824 Sep 6 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
28160 Dec 12 2002 "C:\Program Files\WinFax\bak\WFXSWTCH.exe"
114688 Apr 6 2003 "C:\DRIVERS\VIDEO\HKCMD.EXE"
114688 Apr 6 2003 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
155648 Apr 6 2003 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Apr 6 2003 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
536576 Mar 17 2005 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
383663 Feb 27 2007 "C:\Program Files\FedEx\ShipManager\Rate\comp\bak\050543082"
106 Mar 26 2007 "C:\Program Files\FedEx\ShipManager\Rate\comp\bak\051543082"
288603 Feb 12 2007 "C:\Program Files\FedEx\ShipManager\Rate\comp\bak\150543082"
288571 Dec 18 2006 "C:\Program Files\FedEx\ShipManager\Rate\comp\bak\151543082"
123 May 23 2005 "C:\Program Files\FedEx\ShipManager\Rate\comp\bak\350543082"


end of report

Logfile of HijackThis v1.99.1
Scan saved at 3:47:01 PM, on 4/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\UPS\UOWS\Messages\WSDMessaging.exe
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\Microsoft Office XP\Office10\msoffice.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\My Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mossfoam.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\UOWS\Messages\WSDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1175141749921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:57 PM

Posted 01 April 2007 - 06:24 PM

Hi,

we'll have to restore some files which were infected and deleted by your scanner and replace it with a copy. Some files are already replaced properly or you already reinstalled some programs. For the ones that are still missing, do next:

* Open notepad and copy and paste next present in the quotebox in it:

copy /y "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe" "C:\WINDOWS\SYSTEM32"
copy /y "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe" "C:\WINDOWS\SYSTEM32"
copy /y "C:\Program Files\WinFax\bak\WFXSWTCH.exe" "C:\Program Files\WinFax"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"

Save this as replace.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
(In case you are unsure how to create a bat file, take a look here with screenshots.)

Doubleclick replace.bat to run it.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot back to normal mode.

* download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
right click the file and select install, that will reset the zone settings that have been altered

and also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

let me know in your next reply how things are now.

As a sidenote.. I guess you didnt really read my instructions... I see you installed AVG Antivirus instead of AVG Antispyware.
You were not supposed to install AVG Antivirus.
Never install more than one Antivirus! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also because more than one Antivirus and Firewall installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown.

So uninstall AVG Antivirus again.

Edited by miekiemoes, 01 April 2007 - 06:28 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Johnhazen

Johnhazen
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:06:57 AM

Posted 02 April 2007 - 10:41 AM

when I try to run cleanmgr, it starts to run, shows three progress dots and hangs. Then later I get a scan service encounted and error and needs to close. Not sure if these are related, but it sounds like it. It does seem the popup ads have stopped. Thanks for that and all your help.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:57 PM

Posted 02 April 2007 - 10:50 AM

For cleanmgr, this happens frequently when it compresses old files.

Download this regfix to your desktop:

http://www.kellys-korner-xp.com/regs_edits...essoldfiles.reg

Doubleclick it and answer yes when it asks to merge.

The malware problem should be gone now though.
Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:57 PM

Posted 04 April 2007 - 05:56 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users