Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Log Tlc Needed For My Machine


  • This topic is locked This topic is locked
7 replies to this topic

#1 Patch-C

Patch-C

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia, Melbourne
  • Local time:10:55 AM

Posted 12 April 2007 - 05:12 AM

Heya... I got two problems.

One is that my machine is really slow. Like really really slow.. I have defragged and removed heaps of junk off my system.

Also i have a problem with SVChost. I get a pop up which says it needs to quit and one of those. If you'll tell me how i can post a screen of it. It comes with a lot of 1's and 0's in a more info thingy. I have no idea what to do. But one more thing of curiosity is that when I bring up WIN TASK MANAGER it says that i have about 6 SVCHOST.EXE in the process window. is this normal?

Also from that i have a few pop up IE windows at random times which don't seem to go away. No matter how many times i scan with AVG anti spyware.

Also i thought that i'll put this in here just to see if i can save someone their time in the games section by wasting yours but i have San Andreas and it randomly restarts my computer I have no idea but the graphics are at the lowest and the resolution is low too. It seems to work fine on my other computer which has a newer power supply. better vid card better memory and better HD. Meh just if you know...


------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:21:00 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Patrick\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\pnamtbah.dll",setvm
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzix.dll,startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Azerus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------------------------------------------------------

Patty Boi

Edited by Patch-C, 12 April 2007 - 05:20 AM.


BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 12 April 2007 - 06:19 AM

Welcome to the BleepingComputer HijackThis forum Patch-C :thumbsup:

Download\install CleanUp.
Launch CleanUp,then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok',now run the program by clicking on the 'Cleanup' button.
Reboot,or log off/log on when it's finished.

*****************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
* Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 Patch-C

Patch-C
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia, Melbourne
  • Local time:10:55 AM

Posted 13 April 2007 - 02:15 AM

Yo man

HJT

Logfile of HijackThis v1.99.1
Scan saved at 5:13:08 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\pnamtbah.dll",setvm
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Azerus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-----------------------------------------------------

Cure It

---------------

NPMyWebS.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Msearch;;
riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;;
F3HISTSW.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
F3HTTPCT.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Trojan.Isbar.438;Deleted.;
F3POPSWT.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Funweb;;
F3PSSAVR.SCR;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
F3RESTUB.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
F3SCHMON.EXE;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
F3SCRCTR.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Trojan.DownLoader.7028;Deleted.;
F3WPHOOK.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
M3IDLE.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.MWS;;
M3OUTLCN.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
M3PLUGIN.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
MWSOEMON.EXE;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Websearch;;
MWSOEPLG.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Websearch;;
MWSOESTB.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.MWS;;
NPMYWEBS.DLL;C:\Program Files\MyWebSearch\bar\4.bin;Adware.Msearch;;
A0096786.DLL;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP395;Adware.MWS;;
A0096787.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP395;Trojan.Juan;Incurable.Moved.;
A0096788.DLL;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP395;Adware.MWS;;
A0118948.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP437;Trojan.Popuper;Deleted.;
A0135805.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP470;Tool.Prockill;;
A0135807.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP470;Tool.ShutDown.11;;
A0142453.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP481;Trojan.Virtumod;Deleted.;
A0144926.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP485;Trojan.DownLoader.2568;Deleted.;
A0144927.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP485;Trojan.DownLoader.2568;Deleted.;
A0144928.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP485;Dialer.Coulomb;;
A0147146.DLL;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP488;Tool.Hatkeys;;
A0164277.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP494;Trojan.Virtumod;Deleted.;
A0166902.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP496;Tool.Prockill;;
A0166904.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP496;Tool.ShutDown.11;;
A0167502.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP496;Trojan.Fakealert.249;Deleted.;
A0167503.DLL;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP496;Tool.Hatkeys;;
A0168563.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP498;Adware.ClickSpring;;
A0168829.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP498;Trojan.Virtumod;Deleted.;
A0168831.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP498;Trojan.Virtumod;Deleted.;
A0168832.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP498;BackDoor.Insyst;Deleted.;
A0168833.exe;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP498;Trojan.Click.2172;Deleted.;
A0168835.dll;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP498;Trojan.Mezzia;Deleted.;
A0169857.DLL;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP499;Trojan.Isbar.438;Deleted.;
A0169858.DLL;C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP499;Trojan.DownLoader.7028;Deleted.;
f3PSSavr.scr;C:\WINDOWS\system32;Adware.Msearch;;
geedb.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
ihefdvck.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
njgsslxf.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
nnnmkkl.dll;C:\WINDOWS\system32;Trojan.Virtumod;Will be cured after reboot.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
rxylfdvu.exe;C:\WINDOWS\system32;Adware.SearchColours;;
xiceupvf.exe;C:\WINDOWS\system32;Adware.SearchColours;;


Toodles

Patch-c

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 13 April 2007 - 03:30 AM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\pnamtbah.dll",setvm
O4 - HKLM\..\Run: [VaCtrls] v7
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000


Find and delete if present:
C:\WINDOWS\system32\pnamtbah.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

*******************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Post the AVG Anti Spyware report,the C:\ComboFix.txt,and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.
Posted Image
Posted Image

#5 Patch-C

Patch-C
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia, Melbourne
  • Local time:10:55 AM

Posted 14 April 2007 - 12:42 AM

AVG AS report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:10:37 PM 4/14/2007

+ Scan result:



HKLM\SOFTWARE\AntivirusGold -> Adware.AntiVirusGolden : Cleaned with backup (quarantined).
C:\Documents and Settings\Patrick\DoctorWeb\Quarantine\A0144928.exe -> Dialer.PluginAccess.s : Cleaned with backup (quarantined).
C:\Documents and Settings\Patrick\Cookies\patrick@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Patrick\Cookies\patrick@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Saasha\Cookies\saasha@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Patrick\Cookies\patrick@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.12:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\muovef0y.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.13:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\muovef0y.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.10:C:\Documents and Settings\Patrick\Application Data\Mozilla\Firefox\Profiles\61ydkecd.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Patrick\Cookies\patrick@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Saasha\Cookies\saasha@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.68:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\muovef0y.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Patrick\Cookies\patrick@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Saasha\Cookies\saasha@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Patrick\Cookies\patrick@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Patrick\Cookies\patrick@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.16:C:\Documents and Settings\Saasha\Application Data\Mozilla\Firefox\Profiles\hcngt12y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.17:C:\Documents and Settings\Saasha\Application Data\Mozilla\Firefox\Profiles\hcngt12y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.18:C:\Documents and Settings\Saasha\Application Data\Mozilla\Firefox\Profiles\hcngt12y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.19:C:\Documents and Settings\Saasha\Application Data\Mozilla\Firefox\Profiles\hcngt12y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.20:C:\Documents and Settings\Saasha\Application Data\Mozilla\Firefox\Profiles\hcngt12y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.21:C:\Documents and Settings\Saasha\Application Data\Mozilla\Firefox\Profiles\hcngt12y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{F98E4F65-2C7C-4BEE-8F5E-19E4A73F96CB}\RP485\A0144925.exe -> Trojan.Regspy : Cleaned with backup (quarantined).


::Report end

----------------

Combo Fix Report

"Patrick" - 07-04-14 15:18:07 Service Pack 2
ComboFix 07-04-13.2.V - Running from: C:\Program Files\Mozilla Firefox\


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bdeeg.bak1
C:\WINDOWS\system32\bdeeg.bak2
C:\WINDOWS\system32\bdeeg.ini
C:\WINDOWS\system32\irwfohlu.dll
C:\WINDOWS\system32\qfefjqmq.dll
C:\WINDOWS\system32\lhhcqiyd.dll
C:\WINDOWS\system32\jcvhpikm.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{84CE8~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-14 to 2007-04-14 ))))))))))))))))))))))))))))))))))


2007-04-14 12:46 <DIR> d-------- C:\Program Files\SpeedFan
2007-04-13 14:06 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-04-13 10:40 <DIR> d-------- C:\DOCUME~1\Patrick\DoctorWeb
2007-04-12 17:10 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-04-09 14:43 <DIR> d-------- C:\Program Files\Rockstar Games
2007-04-04 10:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-04-02 19:23 <DIR> d-------- C:\Program Files\Codemasters
2007-04-02 15:14 <DIR> d-------- C:\DOCUME~1\Patrick\APPLIC~1\Help
2007-03-25 14:37 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-25 14:37 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-23 20:34 <DIR> d-------- C:\Program Files\iTunes
2007-03-23 20:34 <DIR> d-------- C:\Program Files\iPod
2007-03-21 19:51 37,544 --a------ C:\DOCUME~1\Patrick\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-19 20:19 69,632 -ra------ C:\WINDOWS\system32\xmltok.dll
2007-03-19 20:19 36,864 -ra------ C:\WINDOWS\system32\xmlparse.dll
2007-03-19 20:19 26,096 -ra------ C:\WINDOWS\system32\xmlinst.exe
2007-03-19 19:57 <DIR> d-------- C:\Program Files\Red Storm Entertainment
2007-03-19 16:08 <DIR> d-------- C:\DOCUME~1\Patrick\APPLIC~1\Screenshot Sender
2007-03-15 15:39 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-03-15 15:37 <DIR> d--h----- C:\WINDOWS\ShellNew


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-12 17:29 -------- d--h----- C:\Program Files\installshield installation information
2007-04-10 11:08 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\limewire
2007-04-09 14:43 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-04-05 22:52 -------- d-------- C:\Program Files\join me
2007-04-04 10:21 -------- d-------- C:\Program Files\microsoft sql server
2007-03-27 21:47 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\openoffice.org2
2007-03-25 14:47 2346 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-23 19:28 -------- d-------- C:\Program Files\quicktime
2007-03-22 16:37 -------- d-------- C:\Program Files\azureus
2007-03-19 20:30 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-19 16:07 -------- d-------- C:\Program Files\msn messenger
2007-03-19 16:07 -------- d-------- C:\Program Files\messenger plus! live
2007-03-17 23:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-12 09:57 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\hamachi
2007-03-12 09:22 -------- d-------- C:\Program Files\counter-strike source
2007-03-09 01:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 17:49 17480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-03-07 16:20 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\u3
2007-03-01 19:41 -------- d-------- C:\Program Files\plato dvd to 3gp converter
2007-02-28 19:21 -------- d-------- C:\Program Files\lavasoft adaware
2007-02-28 19:21 -------- d-------- C:\Program Files\lavasoft
2007-02-28 19:21 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-28 19:21 -------- d-------- C:\DOCUME~1\Patrick\APPLIC~1\lavasoft
2007-02-22 17:02 -------- d-------- C:\Program Files\microsoft visual studio 8
2007-02-22 16:47 -------- d-------- C:\Program Files\microsoft.net
2007-02-10 05:29 67952 --a------ C:\WINDOWS\system32\sqlctr90.dll
2007-02-10 05:29 2234224 --a------ C:\WINDOWS\system32\sqlncli.dll
2007-02-06 06:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-27 08:45 73216 --a------ C:\WINDOWS\st6unst.exe
2007-01-27 08:45 249856 --------- C:\WINDOWS\setup1.exe
2007-01-19 11:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{67C55A8D-E808-4caa-9EA7-F77102DE0BB6} C:\WINDOWS\system32\jcvhpikm.dll [Missing]
{6FA944A4-1A92-4232-B500-8F422665AE3E} C:\WINDOWS\system32\pmkhi.dll [Missing]
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{975F87A0-0723-4225-A652-FC97FFBD81DB} C:\WINDOWS\system32\geedd.dll [Missing]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"PrintDrive"="rundll32.exe \"C:\\WINDOWS\\system32\\irwfohlu.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geedd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkjkk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincqt32

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
Shell\AutoRun\command I:\Install.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dda4c29c-cbac-11db-a0ed-000c6e7e8653}]
Shell\AutoRun\command G:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Scheduled scanning task.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-14 15:39:05
C:\ComboFix-quarantined-files.txt ... 07-04-14 15:39

----------------------------

Hijack This Log


Logfile of HijackThis v1.99.1
Scan saved at 3:39:35 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\jcvhpikm.dll (file missing)
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {975F87A0-0723-4225-A652-FC97FFBD81DB} - C:\WINDOWS\system32\geedd.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\irwfohlu.dll",setvm
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Azerus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113875531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160113839140
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: mljkjkk - mljkjkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - Unknown owner - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

------

And my system seems to be running a bit faster at the moment... Like alot faster than it was coz it was so freaking slow... The popups haven't happened in a while... Etc. Etc. I dunno is there anything else that can be done??


Patch-C

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 14 April 2007 - 07:04 AM

First disable Windows Defender's real-time protection,as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

***************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\jcvhpikm.dll (file missing)
O2 - BHO: (no name) - {6FA944A4-1A92-4232-B500-8F422665AE3E} - C:\WINDOWS\system32\pmkhi.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {975F87A0-0723-4225-A652-FC97FFBD81DB} - C:\WINDOWS\system32\geedd.dll (file missing)
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\irwfohlu.dll",setvm
O20 - Winlogon Notify: geedd - C:\WINDOWS\system32\geedd.dll (file missing)
O20 - Winlogon Notify: mljkjkk - mljkjkk.dll (file missing)
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)

Exit Hijackthis.

***************************

Your log is clean :thumbsup:
If all's ok,please do the following:

Re-enable Windows Defender.

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading unselect 'Show hidden files and folders'.
* Re-check the 'Hide file extensions for known types' option.
* Re-check the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
Posted Image
Posted Image

#7 Patch-C

Patch-C
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia, Melbourne
  • Local time:10:55 AM

Posted 15 April 2007 - 01:01 AM

So thats it?? Thanks dude... I will look after my comp properly now... Thanks..

Patch-C

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:55 AM

Posted 15 April 2007 - 04:19 AM

You're most welcome :thumbsup:

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users