
My Hijackthis Log..website Pages Keep Opening Up In Ie


This topic is locked
7 replies to this topic

#1 bebetheworm
  • Members
  • 9 posts

Posted 12 July 2007 - 05:17 AM

Hi. I have a big problem with my computer. I don't appear to have a virus, however when I'm connected to the internet, Internet Explorer opens on its own and web pages come up; if I'm looking at a website a new page will open up. It's not a pop-up though. I find it very annoying.
Can anyone please help me?
Can you see anything in my log?

Thank you
Kristen

Logfile of HijackThis v1.99.1
Scan saved at 6:12:48 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\TEMP\win1D.tmp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Kristen\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1D.tmp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182171233015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1182223299859
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC412656-4D9F-4AC3-9B3E-B6C307DD6415}: NameServer = 123.2.1.5 122.148.1.5
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - (no file)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


#2 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 12 July 2007 - 09:15 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum bebetheworm :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


#3 bebetheworm
  • Topic Starter
  • Members
  • 9 posts

Posted 13 July 2007 - 10:22 PM

Thank you in advance for your help Richie.

"Kristen" - 2007-07-14 11:02:04 - ComboFix 07-07-14.3 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\clvtyrpn.dll
C:\WINDOWS\system32\dxtyarao.dll
C:\WINDOWS\system32\hvmaxmjh.dll
C:\WINDOWS\system32\iaapsluu.dll
C:\WINDOWS\system32\iifddbc.dll
C:\WINDOWS\system32\jkkheed.dll
C:\WINDOWS\system32\piijehrl.dll
C:\WINDOWS\system32\rxxnexat.dll
C:\WINDOWS\system32\scaamfrl.dll
C:\WINDOWS\system32\ssqrpmn.dll
C:\WINDOWS\system32\tleirxgj.dll
C:\WINDOWS\system32\ugjkoekw.dll
C:\WINDOWS\system32\ylemfnee.dll
C:\WINDOWS\system32\inixhndc.dll
C:\WINDOWS\system32\iqynujxj.dll
C:\WINDOWS\system32\pyssgsdh.dll
C:\WINDOWS\system32\wpncumal.dll
C:\WINDOWS\system32\yvndkwcn.dll
C:\WINDOWS\system32\iifddbc.dll
C:\WINDOWS\system32\jkkheed.dll
C:\WINDOWS\system32\ssqrpmn.dll
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\tvvwa.tmp
C:\WINDOWS\system32\nprytvlc.ini
C:\WINDOWS\system32\oaraytxd.ini
C:\WINDOWS\system32\hjmxamvh.ini
C:\WINDOWS\system32\lrhejiip.ini
C:\WINDOWS\system32\taxenxxr.ini
C:\WINDOWS\system32\lrfmaacs.ini
C:\WINDOWS\system32\jgxrielt.ini
C:\WINDOWS\system32\wkeokjgu.ini
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\tvvwa.tmp
C:\WINDOWS\system32\tvvwa.bak1
C:\WINDOWS\system32\tvvwa.bak2
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\tvvwa.tmp
C:\WINDOWS\system32\awvvt.dll
C:\WINDOWS\system32\byxwxyx.dll
C:\WINDOWS\system32\byxwxyx.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\ActiveDesktop\bin\ActiveDesktopExe.exe
C:\Program Files\screensavers.com\SSSInstaller\bin\SSSInstaller.dll
C:\Program Files\screensavers.com\SSSUninst.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\asc3550u
-------\ntio256


((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


2007-07-14 10:59 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-13 16:35 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-13 09:48 <DIR> d-------- C:\DOCUME~1\Kristen\Pavark
2007-07-12 21:03 <DIR> d-------- C:\Program Files\Opera
2007-07-12 21:03 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\Opera
2007-07-12 18:45 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-12 13:47 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-07-09 16:48 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-09 16:39 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-09 16:39 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-07 15:59 <DIR> d--h----- C:\DOCUME~1\Kristen\APPLIC~1\GTek
2007-07-07 15:59 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GTek
2007-07-07 15:58 7,882 --a------ C:\WINDOWS\system32\GTKCMOS.sys
2007-07-07 15:58 7,626 --a------ C:\WINDOWS\system32\GPCIEnum.sys
2007-07-07 15:58 7,168 --a------ C:\WINDOWS\system32\DLPT64.sys
2007-07-07 15:58 6,977 --a------ C:\WINDOWS\system32\DDMI2.sys
2007-07-07 15:58 6,656 --a------ C:\WINDOWS\system32\DLPT2.sys
2007-07-07 15:58 5,632 --a------ C:\WINDOWS\system32\GPCIEn64.sys
2007-07-07 15:58 5,120 --a------ C:\WINDOWS\system32\GTKCMO64.sys
2007-07-07 15:58 4,608 --a------ C:\WINDOWS\system32\DDMI64.sys
2007-07-06 18:34 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\TrojanHunter
2007-07-06 17:58 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-07-05 10:10 138,368 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-07-05 10:08 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\Spyware Terminator
2007-07-05 10:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-07-05 10:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-05 10:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-05 10:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-05 10:01 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-07-05 03:55 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-05 03:41 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-07-05 03:35 <DIR> d-------- C:\Program Files\Google
2007-07-02 20:44 <DIR> d-------- C:\Program Files\Real
2007-07-02 20:44 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-02 20:38 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\Real
2007-07-02 20:29 <DIR> d-------- C:\My Downloads
2007-07-02 20:25 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\PCTV4Me
2007-07-02 20:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PCTV4Me
2007-06-30 20:45 <DIR> d-------- C:\Screensavers.com
2007-06-30 20:45 <DIR> d-------- C:\Program Files\Astro Gemini Software
2007-06-30 20:44 <DIR> d-------- C:\Program Files\3D Titanic Screensaver
2007-06-28 20:48 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-28 20:48 <DIR> d-------- C:\Program Files\CCleaner
2007-06-24 20:10 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\Watchtower
2007-06-22 22:17 <DIR> d-------- C:\Program Files\RegCure
2007-06-22 18:58 <DIR> d-------- C:\DOCUME~1\Kristen\APPLIC~1\Help
2007-06-22 18:56 <DIR> d-------- C:\WINDOWS\HyperHealthV6.0
2007-06-21 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-06-21 19:17 <DIR> d-------- C:\WINDOWS\system32\Dell
2007-06-21 19:17 <DIR> d-------- C:\Program Files\Dell
2007-06-21 11:53 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-19 19:26 <DIR> d-------- C:\Program Files\MSECache
2007-06-19 19:22 27,024,112 --a------ C:\Program Files\PowerPointViewer.exe
2007-06-19 18:51 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-19 16:18 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-19 16:02 92,208 --a------ C:\WINDOWS\system\WING.DLL
2007-06-19 16:02 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2007-06-19 16:02 12,800 --a------ C:\WINDOWS\system\WING32.DLL
2007-06-19 16:02 <DIR> d-------- C:\WESTWOOD
2007-06-19 15:44 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-19 15:44 <DIR> d-------- C:\WINDOWS\peernet
2007-06-19 15:42 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-19 15:38 <DIR> d-------- C:\WINDOWS\EHome
2007-06-19 15:32 95,424 --a------ C:\WINDOWS\system32\drivers\slnthal.sys
2007-06-19 15:32 9,216 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-06-19 15:32 88,064 --a------ C:\WINDOWS\system32\p2pnetsh.dll
2007-06-19 15:32 86,016 --a------ C:\WINDOWS\system32\p2pgasvc.dll
2007-06-19 15:32 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2007-06-19 15:32 81,408 --a------ C:\WINDOWS\system32\wscsvc.dll
2007-06-19 15:32 8,192 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2007-06-19 15:32 8,192 --a------ C:\WINDOWS\system32\smbinst.exe
2007-06-19 15:32 78,464 --a------ C:\WINDOWS\system32\drivers\usbvideo.sys
2007-06-19 15:32 75,776 --a------ C:\WINDOWS\system32\strmfilt.dll
2007-06-19 15:32 73,832 --a------ C:\WINDOWS\system32\slcoinst.dll
2007-06-19 15:32 73,796 --a------ C:\WINDOWS\system32\slserv.exe
2007-06-19 15:32 7,680 --a------ C:\WINDOWS\system32\kbdsmsno.dll
2007-06-19 15:32 7,680 --a------ C:\WINDOWS\system32\kbdsmsfi.dll
2007-06-19 15:32 7,168 --a------ C:\WINDOWS\system32\kbdukx.dll
2007-06-19 15:32 7,168 --a------ C:\WINDOWS\system32\kbdno1.dll
2007-06-19 15:32 7,168 --a------ C:\WINDOWS\system32\kbdfi1.dll
2007-06-19 15:32 67,584 --a------ C:\WINDOWS\system32\drivers\sdbus.sys
2007-06-19 15:32 6,656 --a------ C:\WINDOWS\system32\kbdinmal.dll
2007-06-19 15:32 6,656 --a------ C:\WINDOWS\system32\kbdinben.dll
2007-06-19 15:32 6,144 --a------ C:\WINDOWS\system32\kbdmlt48.dll
2007-06-19 15:32 6,144 --a------ C:\WINDOWS\system32\kbdmlt47.dll
2007-06-19 15:32 6,144 --a------ C:\WINDOWS\system32\kbdinbe1.dll
2007-06-19 15:32 6,016 --a------ C:\WINDOWS\system32\drivers\smbali.sys
2007-06-19 15:32 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2007-06-19 15:32 59,392 --a------ C:\WINDOWS\system32\logman.exe
2007-06-19 15:32 526,848 --a------ C:\WINDOWS\system32\p2psvc.dll
2007-06-19 15:32 50,176 --a------ C:\WINDOWS\system32\xmlprovi.dll
2007-06-19 15:32 5,632 --a------ C:\WINDOWS\system32\kbdmaori.dll
2007-06-19 15:32 49,152 --a------ C:\WINDOWS\system32\powercfg.exe
2007-06-19 15:32 48,640 --a------ C:\WINDOWS\system32\pnrpnsp.dll
2007-06-19 15:32 452,736 --a------ C:\WINDOWS\system32\drivers\mtxparhm.sys
2007-06-19 15:32 44,672 --a------ C:\WINDOWS\system32\drivers\uagp35.sys
2007-06-19 15:32 44,032 --a------ C:\WINDOWS\system32\twext.dll
2007-06-19 15:32 42,240 --a------ C:\WINDOWS\system32\drivers\viaagp.sys
2007-06-19 15:32 41,088 --a------ C:\WINDOWS\system32\drivers\sisagp.sys
2007-06-19 15:32 404,990 --a------ C:\WINDOWS\system32\drivers\slntamr.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-22 10:58:37 358 ----a-w C:\WINDOWS\system32\drivers\Med
2007-06-20 03:06:05 -------- d-----w C:\Program Files\Messenger
2007-06-19 11:20:35 -------- d-----w C:\DOCUME~1\Kristen\APPLIC~1\Ahead
2007-06-19 07:44:20 -------- d-----w C:\Program Files\Movie Maker
2007-06-19 07:42:05 -------- d-----w C:\Program Files\Windows NT
2007-06-05 11:12:53 -------- d-----w C:\DOCUME~1\Kristen\APPLIC~1\MSN6
2007-06-04 07:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 07:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 07:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-27 05:15:11 493,160 ----a-w C:\incredimail_install.exe
2007-05-27 05:08:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-27 04:45:21 5,149,152 ----a-w C:\rminstall.exe
2007-05-27 02:37:31 -------- d-----w C:\Program Files\D-Link
2007-05-27 02:05:56 -------- d-----w C:\Program Files\Ahead
2007-05-27 02:03:40 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-27 01:56:26 -------- d-----w C:\Program Files\Windows Media Components
2007-05-27 01:55:36 -------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-05-27 01:55:35 -------- d-----w C:\Program Files\Ulead Systems
2007-05-27 00:44:37 -------- d-----w C:\Program Files\Watchtower
2007-05-27 00:40:53 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-26 18:33:52 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-26 18:33:50 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-05-26 11:24:07 -------- d-----w C:\Program Files\AMD
2007-05-26 11:23:06 -------- d-----w C:\Program Files\Analog Devices
2007-05-26 11:19:16 -------- d-----w C:\Program Files\NVIDIA Corporation
2007-05-26 10:56:59 -------- d-----w C:\Program Files\microsoft frontpage
2007-05-26 10:54:46 0 --sha-r C:\MSDOS.SYS
2007-05-26 10:54:46 0 --sha-r C:\IO.SYS
2007-05-26 10:54:46 0 ----a-w C:\CONFIG.SYS
2007-05-26 10:54:46 0 ----a-w C:\AUTOEXEC.BAT
2007-05-26 10:53:59 -------- d-----w C:\Program Files\Online Services
2007-05-26 10:52:56 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-05-26 10:52:32 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-05-26 10:52:15 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-26 10:52:07 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-08-31 20:33 322368 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 C:\WINDOWS\system32\HdAShCut.exe]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2006-02-17 10:40]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-08-27 19:22]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-12-12 15:44]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-19 06:46]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-07-05 10:09]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-06-23 00:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
winemx32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
C:\Program Files\IncrediMail\bin\IncMail.exe /c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
mgrs.exe


Contents of the 'Scheduled Tasks' folder
2007-07-13 07:19:20 C:\WINDOWS\tasks\Norton Security Scan.job
2007-07-14 03:10:46 C:\WINDOWS\tasks\RegCure Program Check.job
2007-07-11 19:57:29 C:\WINDOWS\tasks\RegCure.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 11:10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-14 11:12:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-14 11:11

--- E O F ---

#4 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 July 2007 - 06:12 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]

Post a new HijackThis log into your next reply please.

#5 bebetheworm
  • Topic Starter
  • Members
  • 9 posts

Posted 18 July 2007 - 08:31 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:30:41 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Kristen\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1182171233015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1182223299859
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC412656-4D9F-4AC3-9B3E-B6C307DD6415}: NameServer = 123.2.1.5 122.148.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - (no file)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 18 July 2007 - 09:10 AM

1. Disable TrojanHunter Guard by right clicking on the icon in your System Tray.
2. Make sure that the program, TrojanHunter itself, is also closed/not running.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

-----------------------------------------

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
Combofix.exe
C:\QOOBOX

Enable TrojanHunter Guard.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

-----------------------------------------

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
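As an added example, not part of this thread, of HijackThis or of ComboFix: a small Python triage script that applies two of the checks the replies above rely on to HijackThis 1.99.1 log lines. It flags O4 autoruns whose program lives in a temporary directory (the [avp] entry launching C:\WINDOWS\TEMP\win1D.tmp.exe in the first log) and O2/O20/O23 entries whose file no longer exists (the two orphaned BHOs the helper had fixed). The sample lines are copied from the logs posted here; the rule set, the severity labels and the parsing helpers are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: HijackThis v1.99.1 lines copied from the two logs
# posted in this thread, mixing the suspicious entries with benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win1D.tmp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - (no file)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high" or "low" (labels chosen for this example)
    reason: str
    line: str


# O4 line shape: "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First program-looking token of a command line, quoted or not. HJT prints
# unquoted paths containing spaces, so match up to the extension rather than
# splitting on whitespace.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|scr|bat|cmd|com|dll))', re.I)
# Temporary directories as a persistence location are rarely legitimate.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
# HJT marks entries whose registered file is gone with one of these suffixes.
MISSING_SUFFIXES = ("(no file)", "(file missing)")


def autorun_target(cmd: str) -> str:
    """Return the program an O4 command line launches (best effort)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage_line(line: str):
    """Apply the triage rules to one HijackThis line; return a Finding or None."""
    line = line.rstrip()
    section = line.split(" - ", 1)[0]
    m = O4_RE.match(line)
    if m:
        target = autorun_target(m.group("cmd"))
        if TEMP_DIR_RE.search(target) or target.lower().endswith(".tmp.exe"):
            return Finding("O4", "high",
                           f"autorun '{m.group('name')}' launches {target} "
                           "from a temporary directory", line)
        return None
    if section in {"O2", "O20", "O23"} and line.endswith(MISSING_SUFFIXES):
        return Finding(section, "low",
                       "orphaned entry: the registered component's file is missing", line)
    return None


def triage_log(text: str) -> list[Finding]:
    """Run every line of a HijackThis log through the rules, high severity first."""
    findings = [f for f in (triage_line(l) for l in text.splitlines()) if f]
    findings.sort(key=lambda f: (f.severity != "high", f.section))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line}")
```

Orphaned entries are dead registrations rather than evidence of infection; the script ranks them low so the TEMP-directory autorun, which is the kind of entry that actually warrants investigation, is listed first.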

#7 bebetheworm
  • Topic Starter
  • Members
  • 9 posts

Posted 18 July 2007 - 07:15 PM

Thank you very much for your help. You put things very simply and made them very easy to follow.

#8 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 19 July 2007 - 04:26 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.