
How To Remove Smitfraud-c.toolbar888 And Iiiji.dll


This topic is locked
6 replies to this topic

#1 eternal

  • Members
  • 8 posts

Posted 08 May 2007 - 12:37 AM

Hello Malware/Spyware team!!
I have a major problem with Spyware/Malware in my system. I have searched, read, and downloaded the suggested programs to clean it but still nothing. Here are some of the common problems.

1) Whenever I reboot my notebook computer, it takes at least 5 minutes to load. A couple of months ago, it took less than a minute.

2) I use the FireFox Browser (20070309 Firefox/2.0.0.3) but I get random IE (Version: 6.0.2900.2180.xpsp_sp2_gdr.070227-2254) pop ups. My AdBlock Plus (Version 0.7.5) and Yahoo! Anti-Spy (Version 1.14) don't detect it. When I'm offline, I still get an IE window that asks: "The Web page you requested is not available offline. To view this page, click Connect."
URL Example:
"http://89.188.16.10/trafc-2/rfe.php?cmp=nm_ff_ron&uid=09a57648f4cf11db88c2003048895bfc&nid=ik&guid=04ac5c46+05302a9a52c145b2a5e7ca2392dc1bce&url=http:%2F%2Fwww.dmcs.com.au%2Fhome&affid=67308&lid=http>"

3) After I downloaded AVG Anti-Virus (Free Version), it detected "dqhpiwuo.dll", so I deleted it. When I reboot, after the 5 minutes of loading, I get a window that says:
"C:\WINDOWS\system32\dqhpiwuo.dll
The specified module could not be found."

4) The last problem is that I have followed the instructions that were posted by "Shred1970", reply by "RichieUK", regarding Smitfraud-C.Toolbar888. When I tried to reboot and set it in "Safe Mode" I get a black screen with "Safe Mode" in each corner. It took 5 minutes to load, then a window with a Yes/No option. It disappears after 30 seconds. So after many reboots, I was able to click No and get the option to restore. I restored it to one day earlier instead of 2 months ago because of my current saved data/files.

HHHHHHHHHHHHHHHH Logfile of HijackThis v1.99.1 HHHHHHHHHHHHHHHH

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:/www.yahoo.com
R0 - HKLU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run:[igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run:[igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run:[igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run:[SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run:[APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE"
O4 - HKLM\..\Run:[CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run:[eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run:[AVG7_CC] C:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run:[a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run:[AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run:[WindowService] rundll32.exe "C:\WINDOWS\system32\dqhpiwuo",realset
O4 - HKCU\..\Run:[HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1\MICROS~2\Office10\EXCEL.EXE/300
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssc.dll
O9 - Extra 'tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Window Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215b8138-A2CF-44C5-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...tive/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171831441994
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\Skype\SKYPE4~.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Developement a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG Alert Manager Service (Avg7Alrt) - GRISOFT,s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG Update Service (Avg7UpdSvc) - GRISOFT,s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT,s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

HHHHHHHHHHHHHHHH AVG Anti-Spyware report HHHHHHHHHHHHHHHH

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:40:32 AM 5/8/2007

+ Scan result:

:mozilla.455:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.445:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.446:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq86.tmp -> TrackingCookie.Adbrite : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq88.tmp -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Hien Vu\Cookies\hien vu@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.440:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.439:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.184:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.207:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.291:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.338:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.364:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Inet-cash : Cleaned.
:mozilla.196:C:\System Volume Information\_restore{2BC5C3E7-F515-485C-86EC-7454B0280AC2}\RP103\A0023705.old -> TrackingCookie.Masterstats : Cleaned.
:mozilla.203:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.143:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.144:C:\System Volume Information\_restore{2BC5C3E7-F515-485C-86EC-7454B0280AC2}\RP103\A0023705.old -> TrackingCookie.Netflame : Cleaned.
:mozilla.226:C:\System Volume Information\_restore{2BC5C3E7-F515-485C-86EC-7454B0280AC2}\RP103\A0023705.old -> TrackingCookie.Paypal : Cleaned.
:mozilla.233:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.81:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Paypal : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8C.tmp -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8D.tmp -> TrackingCookie.Tacoda : Cleaned.
:mozilla.32:C:\Documents and Settings\Hien Vu\Application Data\Mozilla\Firefox\Profiles\c0rdvn0m.default\cookies-1.txt -> TrackingCookie.Webtrends : Cleaned.

::Report end

HHHHHHHHHHHHHHHH ComboFix log HHHHHHHHHHHHHHHH

"Hien Vu" - 2007-05-08 0:42:12 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Hien Vu\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ijiii.bak1
C:\WINDOWS\system32\ijiii.bak2
C:\WINDOWS\system32\ijiii.ini
C:\WINDOWS\system32\ijiii.ini2
C:\WINDOWS\system32\ijiii.tmp
C:\WINDOWS\system32\iiiji.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-05-07 21:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-07 18:54 <DIR> d-------- C:\WINDOWS\pss
2007-05-07 17:58 <DIR> d-------- C:\Program Files\CleanUp!(2)
2007-05-07 12:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-07 01:17 786,432 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-05-07 01:17 4,456,448 --a------ C:\DOCUME~1\HIENVU~1\ntuser.dat
2007-05-06 01:11 <DIR> d-------- C:\Program Files\Opera
2007-05-06 00:04 <DIR> d-------- C:\SmitfraudFix
2007-05-05 16:26 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2007-05-04 15:15 <DIR> d-------- C:\DOCUME~1\HIENVU~1\.housecall6.6
2007-05-04 15:06 <DIR> d-------- C:\DOCUME~1\HIENVU~1\APPLIC~1\Yahoo!
2007-05-04 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-04 15:05 <DIR> d-------- C:\Program Files\Yahoo!
2007-05-04 13:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-05-04 13:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-05-04 13:28 <DIR> d-------- C:\Program Files\CA
2007-05-03 18:27 <DIR> d-------- C:\Program Files\PowerISO
2007-05-03 16:05 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-02 13:25 <DIR> d-------- C:\DOCUME~1\HIENVU~1\APPLIC~1\Norman
2007-05-02 13:00 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-02 13:00 <DIR> d-------- C:\DOCUME~1\HIENVU~1\APPLIC~1\Lavasoft
2007-05-01 20:25 <DIR> d-------- C:\DOCUME~1\HIENVU~1\APPLIC~1\Leadertech
2007-04-27 11:56 <DIR> d-------- C:\DOCUME~1\HIENVU~1\APPLIC~1\AdobeAUM
2007-04-27 11:46 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-18 12:32 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2007-04-18 12:32 294,912 --a------ C:\WINDOWS\system32\KPDPM.dll
2007-04-18 12:32 225,280 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2007-04-18 12:32 <DIR> d-------- C:\WINDOWS\system32\color
2007-04-18 12:32 <DIR> d-------- C:\WINDOWS\system32\BWKDLogs
2007-04-18 12:32 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-04-18 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-04-18 12:29 <DIR> d-------- C:\Program Files\Kodak


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 02:51:55 -------- d-----w C:\Program Files\Chameleon Clock
2007-05-07 01:09:31 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\U3
2007-05-06 18:52:26 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Lavasoft
2007-05-05 02:50:44 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\uTorrent
2007-05-04 19:06:31 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Yahoo!
2007-05-03 02:59:16 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Norman
2007-05-02 00:25:18 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Leadertech
2007-04-28 19:34:32 -------- d-----w C:\Program Files\Trillian
2007-04-27 15:56:32 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\AdobeAUM
2007-04-22 19:20:46 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\1ClickDVDCopy
2007-04-20 02:15:48 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\dvdcss
2007-04-17 05:36:13 -------- d-----w C:\Program Files\Audio Extractor
2007-04-16 01:45:19 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Skype
2007-04-12 03:23:04 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-08 05:18:43 -------- d-----w C:\Program Files\eyeQ
2007-04-04 03:44:13 19,664 ----a-w C:\DOCUME~1\HIENVU~1\APPLIC~1.\GDIPFONTCACHEV1.DAT
2007-04-02 22:29:53 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\MSN6
2007-04-01 19:52:21 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-03-30 23:42:40 -------- d-----w C:\Program Files\TrojanHunter 4.6
2007-03-27 00:58:34 -------- d-----w C:\Program Files\TEXTware
2007-03-27 00:35:03 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\AdobeUM
2007-03-27 00:32:27 -------- d-----w C:\Program Files\Common Files\Borland Shared
2007-03-26 18:44:28 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Reallusion
2007-03-26 18:31:38 -------- d-----w C:\Program Files\Skype
2007-03-26 18:31:37 -------- d-----w C:\Program Files\Common Files\Skype
2007-03-26 01:17:19 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\Apple Computer
2007-03-25 14:56:20 -------- d-----w C:\Program Files\iTunes
2007-03-25 14:56:10 -------- d-----w C:\Program Files\iPod
2007-03-25 14:55:39 -------- d-----w C:\Program Files\QuickTime
2007-03-25 05:50:36 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\TypingMaster7
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 04:28:10 -------- d-----w C:\DOCUME~1\HIENVU~1\APPLIC~1.\EssentialPIM
2007-03-16 22:18:46 -------- d-----w C:\Program Files\EssentialPIM
2007-03-16 20:12:14 -------- d-----w C:\Program Files\Registry Optimizer 3.0
2007-03-09 23:02:04 -------- d-----w C:\Program Files\XiangQi
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-08 02:22:19 -------- d-----w C:\Program Files\Sidebar
2007-03-08 00:38:54 863,744 ----a-w C:\WINDOWS\system32\shdoclc.dll
2007-03-08 00:34:54 75,776 ----a-w C:\WINDOWS\system32\magnify.exe
2007-03-08 00:34:53 391,680 ----a-w C:\WINDOWS\system32\cmd.exe
2007-03-08 00:34:52 83,456 ----a-w C:\WINDOWS\system32\charmap.exe
2007-03-08 00:34:52 117,760 ----a-w C:\WINDOWS\system32\calc.exe
2007-03-08 00:34:51 750,080 ----a-w C:\WINDOWS\system32\wiashext.dll
2007-03-08 00:34:51 473,600 ----a-w C:\WINDOWS\system32\zipfldr.dll
2007-03-08 00:34:51 186,368 ----a-w C:\WINDOWS\system32\accwiz.exe
2007-03-08 00:34:50 587,776 ----a-w C:\WINDOWS\system32\shimgvw.dll
2007-03-08 00:34:50 218,624 ----a-w C:\WINDOWS\system32\syncui.dll
2007-03-08 00:34:49 4,408,320 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2007-03-08 00:34:48 139,264 ----a-w C:\WINDOWS\system32\stobject.dll
2007-03-08 00:34:47 80,896 ----a-w C:\WINDOWS\system32\mydocs.dll
2007-03-08 00:34:47 2,263,040 ----a-w C:\WINDOWS\system32\netshell.dll
2007-03-08 00:34:46 331,776 ----a-w C:\WINDOWS\system32\mstask.dll
2007-03-08 00:34:46 128,512 ----a-w C:\WINDOWS\system32\msiexec.exe
2007-03-08 00:34:45 67,584 ----a-w C:\WINDOWS\system32\batmeter.dll
2007-03-08 00:34:45 200,192 ----a-w C:\WINDOWS\system32\moricons.dll
2007-03-08 00:34:45 1,477,120 ----a-w C:\WINDOWS\system32\msgina.dll
2007-03-08 00:34:44 8,192 ----a-w C:\WINDOWS\system32\wpabaln.exe
2007-03-08 00:34:44 440,320 ----a-w C:\WINDOWS\system32\freecell.exe
2007-03-08 00:34:44 100,864 ----a-w C:\WINDOWS\system32\ahui.exe
2007-03-08 00:34:43 92,160 ----a-w C:\WINDOWS\system32\cabview.dll
2007-03-08 00:34:43 55,296 ----a-w C:\WINDOWS\system32\migpwd.exe
2007-03-08 00:34:43 125,720 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-03-08 00:34:42 80,896 ----a-w C:\WINDOWS\system32\dfrgres.dll
2007-03-08 00:34:42 168,960 ----a-w C:\WINDOWS\system32\mobsync.exe
2007-03-08 00:34:37 402,944 ----a-w C:\WINDOWS\system32\fontext.dll
2007-03-08 00:34:36 224,256 ----a-w C:\WINDOWS\regedit.exe
2007-03-08 00:34:36 1,655,808 ----a-w C:\WINDOWS\explorer.exe
2007-03-08 00:34:35 194,048 ----a-w C:\WINDOWS\system32\photowiz.dll
2007-03-08 00:34:33 390,144 ----a-w C:\WINDOWS\system32\themeui.dll
2007-03-08 00:34:33 347,136 ----a-w C:\WINDOWS\system32\tourstart.exe
2007-03-08 00:34:33 31,744 ----a-w C:\WINDOWS\system32\stimon.exe
2007-03-08 00:34:32 59,392 ----a-w C:\WINDOWS\system32\sendmail.dll
2007-03-08 00:34:32 162,304 ----a-w C:\WINDOWS\system32\netid.dll
2007-03-08 00:34:32 103,936 ----a-w C:\WINDOWS\system32\shrpubw.exe
2007-03-08 00:34:31 80,896 ----a-w C:\WINDOWS\system32\icmui.dll
2007-03-08 00:34:31 132,096 ----a-w C:\WINDOWS\system32\hotplug.dll
2007-03-08 00:34:31 115,712 ----a-w C:\WINDOWS\system32\cleanmgr.exe
2007-03-08 00:34:30 428,824 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-03-08 00:34:30 218,624 ----a-w C:\WINDOWS\system32\taskmgr.exe
2007-03-08 00:34:29 840,192 ----a-w C:\WINDOWS\system32\rasdlg.dll
2007-03-08 00:34:29 189,952 ----a-w C:\WINDOWS\system32\credui.dll
2007-03-08 00:34:28 744,448 ----a-w C:\WINDOWS\system32\comctl32.dll
2007-03-08 00:34:28 500,224 ----a-w C:\WINDOWS\system32\cmdial32.dll
2007-03-08 00:34:28 32,768 ----a-w C:\WINDOWS\hh.exe
2007-03-08 00:30:14 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-03-08 00:30:06 1,949,184 ----a-w C:\WINDOWS\system32\logonui.exe
2007-03-02 20:31:46 1,937 ----a-w C:\WINDOWS\mozver.dat
2007-02-21 20:56:40 22,040 ----a-w C:\DOCUME~1\HIENVU~1\APPLIC~1.\addon.dat
2007-02-18 00:59:42 248 ----a-w C:\WINDOWS\system32\PavCPL.dat
2007-02-17 23:58:52 0 ----a-w C:\WINDOWS\nsreg.dat
2007-02-17 23:44:39 81,920 ----a-w C:\DOCUME~1\HIENVU~1\APPLIC~1.\ezpinst.exe
2007-02-17 23:44:39 47,360 ----a-w C:\DOCUME~1\HIENVU~1\APPLIC~1.\pcouffin.sys
2007-02-17 05:33:26 0 --sha-r C:\MSDOS.SYS
2007-02-17 05:33:26 0 --sha-r C:\IO.SYS
2007-02-17 05:33:26 0 ----a-w C:\CONFIG.SYS
2007-02-17 05:33:26 0 ----a-w C:\AUTOEXEC.BAT
2007-02-17 05:30:59 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4efb-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{53707962-6F74-2D53-2644-206D7942484F}"="C:\PROGRA~1\SPYBOT~1\SDHelper.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"eTrustPPAP"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~2\\Ad-Watch.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"HomeAlarm"="C:\\Program Files\\Chameleon Clock\\ChamClock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddbc

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{40432023-bedb-11db-9dea-001422a62490}]
Shell\AutoRun\command E:\LaunchU3.exe -a

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9ca37604-c4b4-11db-9e03-001422a62490}]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f04d44c0-bed5-11db-9de9-001422a62490}]
Shell\AutoRun\command G:\setupSNK.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 00:49:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-08 0:50:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 00:50


After I ran the ComboFix, the computer rebooted itself and got the following error:
a-squared Anti-Malware 2.1 Alert


C:\WINDOWS\System32\drivers\etc\hosts
Diagnosis: A program tries to change the Hosts file
What does this mean?
"The Hosts file allows particular host names to be mapped to a specific IP address, independently of the DNS lookup. Spyware uses this trick to (e.g.) redirect the web address of your bank to a hacker server containing a copy of the online banking application. This Hosts technique also has a useful side. You can (e.g.) redirect the addresses of various advertising networks to point to your local IP and thus prevent advertising from appearing on websites that you visit. If you are sure that the Hosts file change was done with a harmless reason, click the "Accept change" button, otherwise click "Deny change" to restore the previous state of the Hosts file."

What do you want to do?
Accept change or Deny change

I selected Deny change
-----------------------------

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/NirCmd.A
Location:
c:\windows\nircmd.exe

I selected Delete the program

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/NirCmd.A
Location:
c:\combofix\nircmd.exe

I selected Delete the program
-----------------------------

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/NirCmd.A
Location:
c:\combofix\nircmd.exe

I selected Delete the program
-----------------------------

Then I tried to run the SmitfraudFix.exe file and I got the following message:

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/Processor
Location:
c:\documents and settings\hien vu\destop\smitfraudfix\process.exe

I selected Delete the program

SmitFraudFix v2.176
restart.exe file missing !
Unzip all the archive in a folder.

Press any key to continue . . .

What do you think I should do? Is it better if I save my current data now and restore my notebook computer to 2 months earlier, or can you guys still save me? :thumbsup:



Moved from the XP Forum. ~acklan~

Edited by acklan, 08 May 2007 - 12:42 AM.
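The "specified module could not be found" error in problem 3 is the classic symptom of an orphaned autostart entry: the antivirus removed the DLL but the Run key that loads it through rundll32 was left behind, so every logon still tries to load a file that no longer exists. The script below is an added example and is not part of the original post or of HijackThis or any other tool named in this thread. It parses O4 lines in the layout the logs above use, works out which file each entry really loads (for rundll32 that is the DLL argument, not rundll32.exe), and reports entries whose target is missing, plus every rundll32 entry as a triage hint. The sample log lines and the "files present" set are constructed stand-ins for a real log and os.path.exists(); only the dqhpiwuo.dll name comes from this thread.

```python
import re
from typing import Dict, List, Set

# Constructed sample of HijackThis O4 lines in the layout used by the logs in this
# thread. Only the dqhpiwuo.dll name is taken from the thread; the rest is illustrative.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dqhpiwuo.dll",realset
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed stand-in for the file system (a real audit would call os.path.exists()).
# The DLL is deliberately absent: the antivirus deleted it but left the Run key behind.
SAMPLE_DISK: Set[str] = {
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\igfxtray.exe",
    r"C:\PROGRA~1\Grisoft\AVG7\avgcc.exe",
    r"C:\Program Files\Chameleon Clock\ChamClock.exe",
    r"C:\Program Files\Microsoft Office\Office10\OSA.EXE",
}

# "O4 - HKLM\..\Run: [name] command" (the typed-out log above omits the space after the colon)
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
# "O4 - Global Startup: shortcut.lnk = command"
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup:\s*(?P<name>.+?)\s*=\s*(?P<cmd>.+)$")


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Extract every O4 autostart entry as {hive, name, cmd}."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip()) or O4_STARTUP_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry.setdefault("hive", "Global Startup")
            entries.append(entry)
    return entries


def target_path(cmd: str) -> str:
    """Return the file an autostart command really loads.

    A quoted first token is the executable; an unquoted one is taken up to the first
    ".exe" so that paths containing spaces survive. For rundll32 the loaded module is
    the DLL argument (the part before the comma), which is what the logon error names.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        m = re.match(r"^(.*?\.exe)\b(.*)$", cmd, re.IGNORECASE)
        if m:
            exe, rest = m.group(1), m.group(2)
        else:
            exe, _, rest = cmd.partition(" ")
    rest = rest.strip()
    if exe.lower().endswith("rundll32.exe"):
        m = re.match(r'^(?:"([^"]+)"|([^,\s]+))', rest)
        if m:
            return m.group(1) or m.group(2)
    return exe


def orphaned_entries(entries: List[Dict[str, str]], present_files: Set[str]) -> List[Dict[str, str]]:
    """Entries whose target file is gone. Each one raises a 'module could not be found'
    error at logon and should be removed from its Run key rather than left in place."""
    present = {p.lower() for p in present_files}
    return [e for e in entries if target_path(e["cmd"]).lower() not in present]


def rundll32_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries that load a DLL through rundll32; worth a second look during triage."""
    return [e for e in entries if e["cmd"].lstrip().lower().startswith("rundll32")]


if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    for e in orphaned_entries(found, SAMPLE_DISK):
        print(f"ORPHANED  {e['hive']:<15} [{e['name']}] -> {target_path(e['cmd'])}")
    for e in rundll32_entries(found):
        print(f"RUNDLL32  {e['hive']:<15} [{e['name']}] -> {target_path(e['cmd'])}")
```

Run against the sample, the only orphaned entry is [WindowsService], whose rundll32 command points at the deleted dqhpiwuo.dll; the fix for that symptom is to remove the Run value, not to put the DLL back.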



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 08 May 2007 - 11:20 AM

Hello,

Can you rescan with HijackThis and post the log please? The HijackThis log you posted doesn't make much sense, since I suspect you ran it before you scanned with Combofix.

Also, please copy and paste the complete log from HijackThis, because I am missing a big part on top, where it says "Running processes".

Also, let me explain some of the error/notifications you got after running Combofix. All of them are actually false alerts:

After I ran the ComboFix, the computer rebooted itself and got the following error:
a-squared Anti-Malware 2.1 Alert

C:\WINDOWS\System32\drivers\etc\hosts
Diagnosis: A program tries to change the Hosts file
What does this mean?
"The Hosts file allows particular host names to be mapped to a specific IP address, independently of the DNS lookup. Spyware uses this trick to (e.g.) redirect the web address of your bank to a hacker server containing a copy of the online banking application. This Hosts technique also has a useful side. You can (e.g.) redirect the addresses of various advertising networks to point to your local IP and thus prevent advertising from appearing on websites that you visit. If you are sure that the Hosts file change was done with a harmless reason, click the "Accept change" button, otherwise click "Deny change" to restore the previous state of the Hosts file."

What do you want to do?
Accept change or Deny change

I selected Deny change

You should have chosen to accept the change, since it's Combofix that restored your hosts file back to default and your a-squared saw that as a Hijack attempt instead.

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/NirCmd.A
Location:
c:\windows\nircmd.exe

I selected Delete the program

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/NirCmd.A
Location:
c:\combofix\nircmd.exe

I selected Delete the program

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/NirCmd.A
Location:
c:\combofix\nircmd.exe

I selected Delete the program
-----------------------------

Both files you told Panda to delete were related with Combofix and harmless.

Then I tried to run the SmitfraudFix.exe file and I got the following message:

Panda Antivirus 2007
Potentially unwated program detected!
Program name: Application/Processor
Location:
c:\documents and settings\hien vu\destop\smitfraudfix\process.exe

I selected Delete the program

SmitFraudFix v2.176
restart.exe file missing !
Unzip all the archive in a folder.

Press any key to continue . . .

There was no need to run Smitfraudfix here in the first place. Also, process.exe is a part of smitfraudfix.
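The a-squared alert quoted above and the reply explaining it describe the two faces of the hosts file: a mapping that sends a bank's host name to some other server overrides DNS and is a hijack, while a mapping that sends an ad network to the local address is harmless, and a file containing only the stock localhost line is what a "restore to default" leaves behind. The script below is an added example, not code from the thread or from a-squared or Combofix: it parses a hosts file, classifies each mapping as default, local sinkhole or redirect, and tells a default file apart from a modified one, which is the check a person would want before clicking "Accept change" or "Deny change". The sample hosts content is constructed (documentation IP ranges and .test names) and the set of default entries is an assumption covering Windows XP (127.0.0.1) and newer versions (::1).

```python
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str]

# Assumed stock mappings: Windows XP ships only the 127.0.0.1 line, later versions add ::1.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample (not taken from the thread). Addresses use RFC 5737 documentation
# ranges and names use the .test TLD; the two extra lines model the benign and the
# malicious case the a-squared text describes.
SAMPLE_HOSTS = """\
# constructed header comment, ignored by the parser
127.0.0.1       localhost
127.0.0.1       ads.example.test tracker.example.test   # ad network sinkholed locally
192.0.2.10      www.example-bank.test                   # host name diverted to another server
"""


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname) pairs. Comments and blank lines are dropped, and a line
    carrying several host names yields one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Split entries into the stock mapping, local sinkholes (loopback or 0.0.0.0, the
    'useful side' of the hosts trick) and redirects to a real address, which bypass DNS
    and are treated as a hijack until proven otherwise. Malformed lines are reported
    separately rather than silently ignored."""
    report: Dict[str, List[Entry]] = {"default": [], "local_sinkholes": [], "redirects": [], "malformed": []}
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["malformed"].append((ip, name))
            continue
        if (ip, name) in DEFAULT_ENTRIES:
            report["default"].append((ip, name))
        elif addr.is_loopback or addr.is_unspecified:
            report["local_sinkholes"].append((ip, name))
        else:
            report["redirects"].append((ip, name))
    return report


def is_default_hosts(text: str) -> bool:
    """True when the file carries nothing beyond the stock localhost mapping, i.e. the
    state a tool that 'restores the hosts file to default' leaves behind."""
    return set(parse_hosts(text)) <= DEFAULT_ENTRIES


if __name__ == "__main__":
    for kind, items in classify(parse_hosts(SAMPLE_HOSTS)).items():
        for ip, name in items:
            print(f"{kind:<16} {ip:<16} {name}")
    print("default file:", is_default_hosts(SAMPLE_HOSTS))
```

When a security tool proposes to write a hosts file that is_default_hosts() accepts, the change is a reset, which is the case in this thread; a proposed file with entries in the redirects list is the one to deny and investigate.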

#3 eternal
  • Topic Starter

  • Members
  • 8 posts

Posted 08 May 2007 - 12:13 PM

Hi miekiemoes,
Thank you for your quick reply! :thumbsup: The reason I didn't post the whole HijackThis report is that I couldn't find the option to save the log file. I had to type out that portion of the report. It was my first time using the program. Now I have found it. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:00:01 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hien Vu\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dqhpiwuo.dll",realset
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171831441994
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: khfddbc - khfddbc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

Edited by eternal, 08 May 2007 - 12:16 PM.


#4 miekiemoes (Malware Response Team)

Posted 08 May 2007 - 02:02 PM

Hi,

A very important note here.

I notice from your log that you are running more than one Anti-Virus program with Auto-protect enabled: AVG Antivirus and Panda.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because multiple installed Antivirus and Firewall products are not compatible with each other, they can cause system performance problems and a serious system slowdown.

So that's why I suggest you uninstall Panda or AVG and only keep ONE.
But before you do, disable AdWatch.
This is because Adwatch will interfere with a proper uninstall and also interfere with the fixes in HijackThis. I see Adwatch has been blocking

To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these again after resolving your problem, when I say that everything is ok again.

Then uninstall the extra Antivirus.

Then reboot.

I also see PestPatrol and a-squared active and running in the background. Both are also watching the registry, so I suggest you disable them as well.
Actually, there is really NO need to have several different realtime scanners active, because after all, they are all doing the same. They only cause an extra slowdown if you let them all start up with Windows. The most important thing is that your Antivirus always starts up with Windows. The rest is optional.

After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dqhpiwuo.dll",realset
O20 - Winlogon Notify: khfddbc - khfddbc.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
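The triage the helper does by eye in the post above (pick out the Run entry that starts rundll32 on an unknown DLL, the orphaned Winlogon Notify entry and the emptied Local Page values, then confirm in the next log that they are gone) can be scripted. What follows is an added example, not part of this thread and not code from HijackThis or BleepingComputer: a small Python parser for HijackThis-style entry lines that applies those three patterns and diffs a before and after log. The `Finding` class, the `triage` and `removed_entries` functions and the regular expressions are my own; the two sample logs are constructed excerpts of the logs posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis itself)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# One HijackThis entry line: section code (R0, O4, O20 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# A rundll32 launch of a DLL export:  rundll32.exe "C:\path\name.dll",export
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line: str    # the full entry line, as it appears in the log
    reason: str  # why it was flagged


def parse_entries(log_text: str) -> List[str]:
    """Return only the R/O entry lines of a log, skipping the header and the process list."""
    return [ln.strip() for ln in log_text.splitlines() if ENTRY_RE.match(ln.strip())]


def flag_entry(line: str) -> Optional[Finding]:
    """Apply the three patterns the helper acted on in this thread; None means 'leave it'."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O4":
        rm = RUNDLL_RE.search(body)
        if rm:
            # A Run key that starts rundll32 on a DLL is how dqhpiwuo.dll was persisted
            # here; legitimate software rarely needs this, so every such entry gets a look.
            return Finding(line, f"Run entry loads {ntpath.basename(rm.group('dll'))} "
                                 f"via rundll32 (export {rm.group('export')}); verify the DLL")
    elif code == "O20" and "Winlogon Notify" in body and "(file missing)" in body:
        # Orphaned notify package: the DLL is gone but winlogon still tries to load it.
        return Finding(line, "Winlogon Notify entry points to a missing DLL (orphaned)")
    elif code in ("R0", "R1") and body.rstrip().endswith("Local Page ="):
        # Emptied Local Page value: harmless by itself, but the helper resets it.
        return Finding(line, "Internet Explorer Local Page value is empty")
    return None


def triage(log_text: str) -> List[Finding]:
    """All findings for a log, in log order."""
    return [f for f in map(flag_entry, parse_entries(log_text)) if f is not None]


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one (what a fix removed)."""
    later = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in later]


# Constructed excerpts of the two logs posted in this thread (before and after the fix).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\hkcmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\dqhpiwuo.dll",realset
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: khfddbc - khfddbc.dll (file missing)
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\hkcmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

if __name__ == "__main__":
    for finding in triage(BEFORE_LOG):
        print(f"FLAG  {finding.reason}\n      {finding.line}")
    for gone in removed_entries(BEFORE_LOG, AFTER_LOG):
        print(f"GONE  {gone}")
```

The O4 rule deliberately flags every rundll32 DLL load from a Run key rather than guessing at random-looking names, so it produces review items, not verdicts; the O20 rule only fires on an entry HijackThis itself marks as missing. `removed_entries` is the check the helper makes when reading the second log: the three flagged lines (and nothing else that matters) should be absent from it.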

#5 eternal (Topic Starter)

Posted 08 May 2007 - 03:10 PM

Ok, I disabled AdWatch, uninstalled AVG Antivirus, PestPatrol, a-squared and the old Java. I ran HijackThis and Fix Checked the 4 listed items. Here's the report. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 3:53:53 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Documents and Settings\Hien Vu\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171831441994
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

#6 miekiemoes (Malware Response Team)

Posted 08 May 2007 - 03:18 PM

Hi,

Your log looks clean again. Don't forget to install the newest Java version. :thumbsup:

How are things now?

#7 miekiemoes (Malware Response Team)

Posted 15 May 2007 - 03:09 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.