Help, Infected Computer


  • Please log in to reply
9 replies to this topic

#1 KKZ123

Posted 21 April 2007 - 05:12 PM

My computer is always freezing and slowing down. I am completely sure that my computer is infected because of the suspicious processes in the task manager. I have run Ad-Aware, Spybot, and an antivirus check, removed a few viruses, and the processes still appear.

Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:04:38 PM, on 4/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\tvgspga.exe
C:\Program Files\DAEMON Tools\daemon.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hebdi.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\hebdi.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/MaxisHotDateTeleX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151286541373
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151286531748
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab
O16 - DPF: {DF7E9E9B-A7D8-4B2C-82E0-AC630D9594A5} (JSUpdaterAx Control) - http://www.jceports.com/_app/cab/JSUpdaterAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#2 Aaflac

Malware Response Team

Posted 25 April 2007 - 09:40 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

As you suspect, there are malware entries showing on your log.

It is best to have the most current log possible, so please run HijackThis again (make sure all windows and browsers are closed), Scan, and post the new log here.

I will be notified when you post the log, and will be glad to assist you.

Old duck...


#3 KKZ123

Topic Starter

Posted 26 April 2007 - 09:41 PM

Thanks for helping me.

Here is a log of a scan I just did a minute ago with all browsers and windows closed.

Logfile of HijackThis v1.99.1
Scan saved at 7:34:02 PM, on 4/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\ixdt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\abig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\abig.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/MaxisHotDateTeleX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151286541373
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151286531748
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab
O16 - DPF: {DF7E9E9B-A7D8-4B2C-82E0-AC630D9594A5} (JSUpdaterAx Control) - http://www.jceports.com/_app/cab/JSUpdaterAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#4 Aaflac

Malware Response Team

Posted 26 April 2007 - 10:10 PM

Please run HijackThis, Scan
Check box for:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\abig.exe

O20 - AppInit_DLLs:

Select: Fix checked

~~~~
Restart the computer.

~~~~
Next, download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please save the information in the SuperAntiSpyware log to post in your reply.

~~~~
Last, download FindAWF:
http://noahdfear.geekstogo.com/FindAWF.exe

Save the file to the Desktop
Double-click: FindAWF.exe

If a Security Alert shows, allow the program to run.

When done, a text file awf.txt is produced.

~~~~
Finally, run HijackThis once again, and Scan.

~~~~
Please post the following in your reply:
The SuperAntiSpyware log
The FindAWF awf.txt
A new HijackThis log

Old duck...
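The entries Aaflac flags above illustrate two naming tricks that this class of malware uses: winIogon.exe uses a capital I where the genuine winlogon.exe has a lowercase l, and lsasss.exe is the genuine lsass.exe with one letter added, both sitting in System32 beside the real files. As an added example (not code from the thread, from HijackThis or from BleepingComputer), the Python script below applies that reasoning mechanically to a HijackThis log: it folds confusable characters before comparing, and flags names one edit away from a reference list of genuine system executables. The reference list, the confusable table and the sample log excerpt (built from lines of the first log in this thread) are constructed for this example, and the function names are mine.

```python
"""
Look-alike process-name detector for HijackThis logs.

Added example for this thread; it is not part of HijackThis, FindAWF or any
BleepingComputer tooling. The thread's log hides a trojan behind
"winIogon.exe" (capital I standing in for lowercase l) and "lsasss.exe"
(one letter too many), each sitting next to the genuine winlogon.exe and
lsass.exe in System32. Confusable characters are folded before comparison,
and near-misses are found by edit distance against a reference list.
"""
import re
from typing import Dict, List, Optional, Tuple

# Reference list of genuine Windows XP system executables. Constructed for this
# example; a real baseline would be a complete inventory of signed binaries.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
}

# Characters routinely swapped for visually similar ones. Applied before
# lower-casing, because the confusable pair that matters here is I / l.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})

# Drive-letter path ending in .exe; stops at a double quote so the stray quote
# in HijackThis O23 lines does not swallow the rest of the line.
_EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


def normalise(name: str) -> str:
    """Fold confusable characters, then lower-case."""
    return name.translate(CONFUSABLES).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file names are short, so the O(|a|*|b|) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(basename: str) -> Optional[Tuple[str, str]]:
    """
    Return (reason, genuine_name) when `basename` imitates a known system
    binary, or None. Exact matches are the genuine file and are not reported.
    """
    lowered = basename.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        return None
    folded = normalise(basename)
    if folded in KNOWN_SYSTEM_BINARIES:
        return ("confusable-characters", folded)
    stem = lowered.rsplit(".", 1)[0]
    for genuine in sorted(KNOWN_SYSTEM_BINARIES):
        if edit_distance(stem, genuine.rsplit(".", 1)[0]) == 1:
            return ("one-edit-away", genuine)
    return None


def scan_hjt_log(text: str) -> List[Dict[str, object]]:
    """Walk every line, pull out .exe paths and report the look-alikes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for path in _EXE_PATH.findall(line):
            basename = path.rsplit("\\", 1)[-1]
            verdict = classify(basename)
            if verdict:
                findings.append({"line": lineno, "path": path, "basename": basename,
                                 "reason": verdict[0], "mimics": verdict[1]})
    return findings


# Constructed excerpt of the thread's first log: genuine entries plus the two
# imitations. Randomly named droppers such as hebdi.exe are deliberately not
# caught by this check; they need a different signal (signature, hash, age).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\winIogon.exe
C:\WINDOWS\System32\hebdi.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['basename']} ({f['reason']}, mimics {f['mimics']})")
```

Run against the sample, the script reports winIogon.exe twice (once as a running process, once as the "Windows Logon Application" Run entry) and lsasss.exe once, while leaving the genuine winlogon.exe, lsass.exe and Explorer.EXE alone. The name check says nothing about hebdi.exe or tvgspga.exe; those random-looking System32 entries are the kind of thing the analyst's experience, or a hash lookup, has to judge.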


#5 KKZ123

Topic Starter

Posted 27 April 2007 - 01:23 AM

SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2007 at 10:45 PM

Application Version : 3.7.1018

Core Rules Database Version : 3226
Trace Rules Database Version: 1237

Scan type : Complete Scan
Total Scan Time : 01:09:02

Memory items scanned : 358
Memory threats detected : 0
Registry items scanned : 5485
Registry threats detected : 0
File items scanned : 44496
File threats detected : 55

Adware.Tracking Cookie
C:\Documents and Settings\Jimmy.VALUED-20606295\Cookies\jimmy@www.burstnet[1].txt
C:\Documents and Settings\Jimmy.VALUED-20606295\Cookies\jimmy@azjmp[1].txt
C:\Documents and Settings\Jimmy.VALUED-20606295\Cookies\jimmy@ads.ak.facebook[1].txt
C:\Documents and Settings\Jimmy.VALUED-20606295\Cookies\jimmy@adlegend[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@a.websponsors[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ad.reduxmedia[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ad.yieldmanager[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ad2.adecn[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ad2.fotki[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@adcentriconline[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@adecn[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@adknowledge[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@adopt.hbmediapro[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ads.ak.facebook[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ads.hairboutique[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ads.mediamayhemcorp[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ads.moviemaze[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ads.mytelus[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@ads.realtechnetwork[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@adsrevenue[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@advertising[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@anad.tacoda[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@atdmt[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@atwola[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@azjmp[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@burstnet[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@clicksor[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@data2.perf.overture[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@entrepreneur[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@evan-ross-naess.tripod[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@i.screensavers[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@kanoodle[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@m1.webstats.motigo[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@offers.intermediainteractive[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@optimost[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@realmedia[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@smileycentral[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@soundclick[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@tribalfusion[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@tripod.lycos[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@webstats4u[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@www.0stats[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@www.burstbeacon[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@www.burstnet[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@www.screensavers[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@www.soundclick[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@xiti[1].txt
C:\Documents and Settings\Wanda\Cookies\wanda@xtracker[2].txt
C:\Documents and Settings\Wanda\Cookies\wanda@zedo[1].txt
C:\Documents and Settings\Wanda\Local Settings\Temp\Cookies\wanda@a.websponsors[2].txt
C:\Documents and Settings\Wanda\Local Settings\Temp\Cookies\wanda@adecn[1].txt
C:\Documents and Settings\Wanda\Local Settings\Temp\Cookies\wanda@adknowledge[2].txt
C:\Documents and Settings\Wanda\Local Settings\Temp\Cookies\wanda@interclick[2].txt

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\HQGHUMEA.DLL

Trojan.WINIOGON
C:\WINDOWS\SYSTEM32\WINIOGON.EXE

The awf.txt


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

09/25/2006 10:12 AM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

12/15/2006 04:23 AM 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of D:\PROGRA~1\DAEMON~1\BAK

11/12/2006 03:48 AM 157,592 daemon.exe
1 File(s) 157,592 bytes

Directory of D:\PROGRA~1\ALWILS~1\AVAST4\BAK

01/15/2007 10:28 AM 108,160 ashDisp.exe
1 File(s) 108,160 bytes

Directory of D:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

11/11/2006 04:01 PM 6,266,880 avgas.exe
1 File(s) 6,266,880 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 Sep 25 2006 "C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
165784 Apr 3 2007 "C:\Program Files\DAEMON Tools\daemon.exe"
157592 Nov 12 2006 "D:\Program Files\DAEMON Tools\bak\daemon.exe"
75392 Apr 18 2007 "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
108160 Jan 15 2007 "D:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
6266880 Nov 11 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"


end of report

New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:27 PM, on 4/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/MaxisHotDateTeleX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151286541373
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151286531748
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab
O16 - DPF: {DF7E9E9B-A7D8-4B2C-82E0-AC630D9594A5} (JSUpdaterAx Control) - http://www.jceports.com/_app/cab/JSUpdaterAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#6 Aaflac

Malware Response Team

Posted 27 April 2007 - 11:18 PM

We ran FindAWF because the system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate file to a "bak" or backup folder.

Running FindAWF allows us to identify the files that were infected as well as the backups, and then restore the files. Before undertaking this task, however, please run the following:

DelDomains
http://www.mvps.org/winhelp2002/DelDomains.inf
To delete all entries in the Restricted & Trusted Zone list, right click DelDomains.inf
Select: Install

ResetProtocolDefaults
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
Right click the link, save target as or save link as, and save to the Desktop.

Locate ResetProtocolDefaults.reg on the Desktop
Right-click and select: Merge
OK the prompt

~~~~
Now, launch Notepad (Start > Run, type in: notepad)
Copy/paste all the text below into it:

rem Each block removes the file the trojan put in place, copies the clean
rem original back from the "bak" folder into its own directory, then
rem deletes the backup copy and the now-empty "bak" folder.

if exist "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" del /q "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
copy "C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe" "C:\Program Files\ATI Technologies\ATI.ACE"
del /q "C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
rmdir "C:\Program Files\ATI Technologies\ATI.ACE\bak"

if exist "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
copy "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_11\bin"
del /q "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
rmdir "C:\Program Files\Java\jre1.5.0_11\bin\bak"

if exist "D:\Program Files\DAEMON Tools\daemon.exe" del /q "D:\Program Files\DAEMON Tools\daemon.exe"
copy "D:\Program Files\DAEMON Tools\bak\daemon.exe" "D:\Program Files\DAEMON Tools"
del /q "D:\Program Files\DAEMON Tools\bak\daemon.exe"
rmdir "D:\Program Files\DAEMON Tools\bak"

if exist "D:\Program Files\Alwil Software\Avast4\ashDisp.exe" del /q "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
copy "D:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe" "D:\Program Files\Alwil Software\Avast4"
del /q "D:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
rmdir "D:\Program Files\Alwil Software\Avast4\bak"

if exist "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" del /q "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
copy "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe" "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5"
del /q "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
rmdir "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak"


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: AWF_Fix.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on AWF_Fix.bat

~~~~
Please run FindAWF once again, and post the AWF.txt in your reply.

Old duck...
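The recovery Aaflac describes is mechanical once the awf.txt is parsed: every file in a "bak" folder belongs one level up, and whatever now occupies that slot is the trojan's replacement. As an added example (not noahdfear's FindAWF and not the batch file posted above), the Python script below reads the "Duplicate files of bak directory contents" section of a report, pairs each bak copy with the live file at its original location, and emits the same if-exist / copy / del / rmdir sequence per pair. The report format is assumed from the awf.txt posted in this thread, the sample report is constructed from its lines, and the class and function names are mine.

```python
"""
FindAWF report parser and restore planner.

Added example for this thread; it is not noahdfear's FindAWF and not the batch
file Aaflac posted. Downloader.Agent.awf swaps a legitimate executable for an
infected one and parks the original in a sibling "bak" folder, so recovery is
a matter of pairing each bak copy with the file that now sits one level up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One report line: <size> <Mon D YYYY> "<path>"  (format assumed from the thread's awf.txt)
_DUP_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


@dataclass
class FileEntry:
    size: int
    date: str
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def in_bak(self) -> bool:
        return self.parent.lower().endswith("\\bak")


@dataclass
class RestorePlan:
    original: FileEntry          # the clean copy parked in \bak
    target_dir: str              # directory the original belongs in
    live: Optional[FileEntry]    # what the report lists at that location, if anything

    @property
    def live_path(self) -> str:
        return f"{self.target_dir}\\{self.original.basename}"


def parse_duplicates(report: str) -> List[FileEntry]:
    """Return the entries listed under 'Duplicate files of bak directory contents'."""
    entries, in_section = [], False
    for line in report.splitlines():
        stripped = line.strip().lower()
        if stripped.startswith("duplicate files of bak"):
            in_section = True
            continue
        if stripped == "end of report":
            break
        if in_section:
            m = _DUP_LINE.match(line)
            if m:
                entries.append(FileEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def plan_restores(entries: List[FileEntry]) -> List[RestorePlan]:
    """Pair every bak copy with the file that currently occupies its original slot."""
    live_by_path = {e.path.lower(): e for e in entries if not e.in_bak}
    plans = []
    for e in entries:
        if not e.in_bak:
            continue
        target_dir = e.parent[: -len("\\bak")]
        live = live_by_path.get(f"{target_dir}\\{e.basename}".lower())
        plans.append(RestorePlan(e, target_dir, live))
    return plans


def render_batch(plans: List[RestorePlan]) -> str:
    """Emit the thread's restore sequence for each pair. The copy goes back into
    the original's own folder (the bak folder's parent), never a level higher."""
    lines = []
    for p in plans:
        lines += [
            f'if exist "{p.live_path}" del /q "{p.live_path}"',
            f'copy "{p.original.path}" "{p.target_dir}"',
            f'del /q "{p.original.path}"',
            f'rmdir "{p.original.parent}"',
            "",
        ]
    return "\n".join(lines)


# Constructed from the duplicate-files section of the awf.txt posted above.
SAMPLE_REPORT = r"""Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 Sep 25 2006 "C:\Program Files\ATI Technologies\ATI.ACE\bak\CLIStart.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
165784 Apr 3 2007 "C:\Program Files\DAEMON Tools\daemon.exe"
157592 Nov 12 2006 "D:\Program Files\DAEMON Tools\bak\daemon.exe"
75392 Apr 18 2007 "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
108160 Jan 15 2007 "D:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
6266880 Nov 11 2006 "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"

end of report
"""

if __name__ == "__main__":
    plans = plan_restores(parse_duplicates(SAMPLE_REPORT))
    for p in plans:
        state = f"replaced by {p.live.size}-byte file" if p.live else "no live copy listed"
        print(f"{p.live_path}: original {p.original.size} bytes, {state}")
    print(render_batch(plans))
```

Two things the pairing makes visible that the raw report does not: the avast ashDisp.exe now in place is 75392 bytes against an original of 108160, a size mismatch that is the tell for a swapped binary, and the DAEMON Tools bak folder sits on D: while the only daemon.exe the report lists is on C:, so that pair has no live counterpart in the report. That is exactly why each block of the batch file starts with an `if exist` guard rather than an unconditional delete.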


#7 KKZ123

Topic Starter

Posted 28 April 2007 - 01:14 AM

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 Aaflac

Malware Response Team

Posted 28 April 2007 - 07:49 PM

:thumbsup:

Are you still having malware problems?

Old duck...


#9 KKZ123

Topic Starter

Posted 29 April 2007 - 12:15 AM

I guess I have no more computer problems. Thanks a lot for helping me.

#10 Aaflac

Malware Response Team

Posted 29 April 2007 - 11:45 AM

If you are not having malware problems, you are good to go!

Take a good look at the following suggestions to remain malware free:
Tony Klein's article 'How Did I Get Infected In The First Place'
http://forums.spywareinfo.com/index.php?showtopic=60955

Thank you for your patience, and performing the procedures requested.
If you have any questions or comments, post back. Otherwise...


Good luck, and safe journey through WWW land!!

Old duck...
