Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log


  • This topic is locked This topic is locked
2 replies to this topic

#1 walrus_27

walrus_27

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:45 PM

Posted 08 July 2007 - 10:25 AM

I have tried to use adware removal programs and an anti-virus program on my laptop. It's caught some issues but I am still inundated with adware pop-ups while surfing the internet. Clearly there's something wrong...can anyone help?



Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Insight\Tools\aiclient.exe
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZeroSpyware LE.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lucxrp\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://infonet.upmc.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 128.147.214.42 oaoasp01.oaohs.com
O1 - Hosts: 128.147.214.42 jwalk.upmc.edu
O1 - Hosts: 128.147.214.52 test.as400.upmchp
O1 - Hosts: 128.147.17.49 upmcprd-filenet-nch-server
O1 - Hosts: 157.229.40.53 fndev-filenet-nch-server
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\nbxdspei.dll",forkonce
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware Limited Edition\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - S-1-5-18 Startup: MAPZ.LNK = C:\Documents and Settings\All Users\MAPZ.BAT (User 'SYSTEM')
O4 - .DEFAULT Startup: MAPZ.LNK = C:\Documents and Settings\All Users\MAPZ.BAT (User 'Default user')
O4 - .DEFAULT User Startup: MAPZ.LNK = C:\Documents and Settings\All Users\MAPZ.BAT (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://infonet.upmc.com
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: http://*.esign.chp.edu (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://*.highmark.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: http://*.upmc.com (HKLM)
O15 - Trusted Zone: http://*.upmc.edu (HKLM)
O15 - Trusted Zone: acct.upmchs.net (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted IP range: http://157.229.*.* (HKLM)
O15 - Trusted IP range: http://10.*.*.* (HKLM)
O15 - Trusted IP range: http://10.*.*.* (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = acct.upmchs.net
O17 - HKLM\Software\..\Telephony: DomainName = acct.upmchs.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{20F6E208-D94A-4D57-85BA-9AF02AD8A3BA}: Domain = ACCT.UPMCHS.NET
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B828366-E4E5-4D8E-8827-0497AB8B1C72}: NameServer = 128.147.22.101,128.147.128.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = acct.upmchs.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{20F6E208-D94A-4D57-85BA-9AF02AD8A3BA}: Domain = ACCT.UPMCHS.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = acct.upmchs.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{20F6E208-D94A-4D57-85BA-9AF02AD8A3BA}: Domain = ACCT.UPMCHS.NET
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\Insight\Tools\aiclient.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBM Software - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\Care Management System\profsydyxart.html

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:45 AM

Posted 18 July 2007 - 12:52 AM

Hello,

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Check every entry that appears there
  • Click the Fix button.
  • Re-scan once again and check and fix again until DAFT says that all associations are OK.
Then...

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:02:45 AM

Posted 28 July 2007 - 05:20 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users