Register Members List Social Groups Search Today's Posts Mark Forums Read  
Computer Forums

Member Login

Remember Me? Sign Up! | Forgot Password
 
Slogan
 
Computer Forums > The World Wide Web > Virus - Spyware Protection / Detection > HijackThis Logs (finished) » can someone help heres a hijack log
 
Page 1 of 2 1 2
LinkBack Thread Tools Display Modes
 
Old 06-01-2008, 10:02 PM   #1 (permalink)
 
Newb Techie

Join Date: Jun 2008

Posts: 5

icemanWST is on a distinguished road
Default can someone help heres a hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:30 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A94867E7-7C1B-4693-AA98-DBC7E6ED5804} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\s wg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames...p.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: perfnesys.dll,C:\Program,Files\PermissionResearch\ prai.dll,perfnesys.dll,C:\Program Files\PermissionResearch\prai.dll perfnesys.dll
O20 - Winlogon Notify: efcayaw - efcayaw.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11026 bytes



It wont let me update my virus protection and spy bot detects smitfraud-c but i delete it and it comes back..and usually there's more with it. I can't use mozilla anymore, it just doesn't load. Sometimes I can download things but once it's downloaded if it has to install files from the internet it wont connect. I can directly type in websites but if I search on google or another search engine, my internet explorer gets hijacked and takes me to other advertisement type websites. I've tried to do a windows restore but even if I take it all the way back as far as it goes but it says there's nothing new so it won't let me, even tried in safe mode. Any help would be much appreieciated. Thank you.
icemanWST is offline  
Old 06-02-2008, 02:47 PM   #2 (permalink)
 
Super Techie

Join Date: Aug 2007

Posts: 451

techpro5238 is on a distinguished road
Default Re: can someone help heres a hijack log
As soon as I get home, I will create your instructions. Sadly, I don't have my libraries here with me.
techpro5238 is offline  
Old 06-02-2008, 06:04 PM   #3 (permalink)
 
Super Techie

Join Date: Aug 2007

Posts: 451

techpro5238 is on a distinguished road
Default Re: can someone help heres a hijack log
Hello icemanWST and welcome to tech forums

Lets get started on your computer, as quickly as possible. Please follow my steps to the best of your ability and if you have any questions please feel free to ask them.

Step1 | SmitfraudFix

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step2 | ComboFix

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
  • Be sure to re-enable your anti-virus and other security programs, after ComboFix finished.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Logs Required In Next Post
---------------------------------

SmitfraudFix Log
ComboFix Log
techpro5238 is offline  
Old 06-02-2008, 08:24 PM   #4 (permalink)
 
Newb Techie

Join Date: Jun 2008

Posts: 5

icemanWST is on a distinguished road
Default Re: can someone help heres a hijack log
SmitFraudFix v2.323

Scan done at 19:12:25.87, Mon 06/02/2008
Run from C:\WINDOWS\system32\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Irene Hawthorne


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Irene Hawthorne\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\IRENEH~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="perfnesys.dll,C:\\Program,Files\\P ermissionResearch\\prai.dll,perfnesys.dll,C:\\Prog ram Files\\PermissionResearch\\prai.dll perfnesys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.ex e,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CCF1BE16-861F-4ED0-885D-8C5C02B75C7F}: DhcpNameServer=192.168.2.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CCF1BE16-861F-4ED0-885D-8C5C02B75C7F}: DhcpNameServer=192.168.2.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CCF1BE16-861F-4ED0-885D-8C5C02B75C7F}: DhcpNameServer=192.168.2.1 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


thats from the smitfraudfix. It wouldnt work when I tried to open it but I moved it and changed the name and it worked. I can't download the combofix, when I click the link it says page not found on both links. I've tried to look some other places but everytime I find something with it, the page won't load, it'll act is if I typed in the wrong URL.
icemanWST is offline  
Old 06-02-2008, 08:34 PM   #5 (permalink)
 
Super Techie

Join Date: Aug 2007

Posts: 451

techpro5238 is on a distinguished road
Default Re: can someone help heres a hijack log
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
techpro5238 is offline  
Old 06-02-2008, 10:09 PM   #6 (permalink)
 
Newb Techie

Join Date: Jun 2008

Posts: 5

icemanWST is on a distinguished road
Default Re: can someone help heres a hijack log
SDFix: Version 1.187
Run by Irene Hawthorne on Mon 06/02/2008 at 21:46

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\IRENEH~1\Desktop\SDFIX\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\QdrPack\dicts.gz - Deleted
C:\Program Files\QdrPack\dictys.gz - Deleted
C:\Program Files\QdrPack\QdrPack10.exe - Deleted
C:\Program Files\QdrPack\QdrPack11 .exe - Deleted
C:\Program Files\QdrPack\QdrPack12.exe - Deleted
C:\Program Files\QdrPack\QdrPack13.exe - Deleted
C:\Program Files\QdrPack\QdrPack15.exe - Deleted
C:\Program Files\QdrPack\QdrPack16.exe - Deleted
C:\Program Files\QdrPack\stixpupd.exe - Deleted
C:\Program Files\QdrPack\trgts.gz - Deleted
C:\Program Files\QdrModule\dic.gz - Deleted
C:\Program Files\QdrModule\dicy.gz - Deleted
C:\Program Files\QdrModule\kwd.gz - Deleted
C:\Program Files\QdrModule\pckr.dat - Deleted
C:\Program Files\QdrModule\QdrModule10 .exe - Deleted
C:\Program Files\QdrModule\QdrModule11 .exe - Deleted
C:\Program Files\QdrModule\QdrModule13.exe - Deleted
C:\Program Files\QdrModule\QdrModule15.exe - Deleted
C:\Program Files\QdrModule\QdrModule16.exe - Deleted
C:\WINDOWS\system32\spywarewarning2.mht - Deleted



Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\QdrPack - Removed
Folder C:\Program Files\QdrModule - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 22:01:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Nls\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40, 38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Nls\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6, ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Nls\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a, 19,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\clbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\syst em32\drivers\clbdriver.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nl s\MUILanguages\RCV2\clb.dll]
"0"=hex:00,00,28,0a,01,00,05,00
"1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40, 38,e1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nl s\MUILanguages\RCV2\clbcatex.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6, ec,d3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nl s\MUILanguages\RCV2\clbcatq.dll]
"0"=hex:2a,00,3e,11,0c,00,d1,07
"1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a, 19,42
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Sa feBoot\Minimal\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Sa feBoot\Network\clbdriver.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\c lbdriver]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\??\globalroot\systemroot\syst em32\drivers\clbdriver.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
"affid"="12"
"subid"="usa"
"control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09, 4b,1a,09,50,11,e5,f5
"prov"="10010"
"googleadserver"="pagead2.googlesyndication.co m"
"flagged"=dword:00000001

scanning hidden files ...

C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\drivers\clbdriver.sys 7168 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbdll.dll 45056 bytes executable
C:\WINDOWS\system32\clbinit.dll 1687 bytes
C:\WINDOWS\system32\dllcache\clb.dll 10752 bytes executable
C:\WINDOWS\system32\dllcache\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll 40960 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 13


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Documents and Settings\\Rob\\Desktop\\warez.exe"="C:\\Documents and Settings\\Rob\\Desktop\\warez.exe:*:Enabled:warez"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:E nabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\ system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*isabled:Windows Messenger"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\GetTiffany\\gettiffany.exe"="C:\\Program Files\\GetTiffany\\gettiffany.exe:*:Enabled:Macrom edia Projector"
"C:\\Program Files\\Atari\\Scrabble Online\\scrabbleo.exe"="C:\\Program Files\\Atari\\Scrabble Online\\scrabbleo.exe:*:Enabled:scrabbleo"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Progra m Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:Re alPlayer"
"C:\\Program Files\\Warez P2P Client\\My Shared Folder\\iMesh6.exe"="C:\\Program Files\\Warez P2P Client\\My Shared Folder\\iMesh6.exe:*:Enabled:iMesh"
"C:\\Program Files\\Hasbro Interactive\\Scrabble v2.0\\Scrabble v2.0.exe"="C:\\Program Files\\Hasbro Interactive\\Scrabble v2.0\\Scrabble v2.0.exe:*isabled:Scrabble v2.0"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Progr am Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:B earShare"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\FilePipe P2P\\giFT\\giFTl.exe"="C:\\Program Files\\FilePipe P2P\\giFT\\giFTl.exe:*:Enabled:FilePipe P2P giFT Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS \\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTor rent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\ \Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Ena bled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Ya hoo! FT Server"
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"="C:\\Program Files\\AIM\\AIM95_c0\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\BitZip\\bitzip.exe"="C:\\Program Files\\BitZip\\bitzip.exe:*:Enabled:bitzip"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avgine t.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgam svr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.ex e"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc. exe"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabledaltalk 9.1"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr .exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\H elpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\GameTap\\bin\\Release\\gametap.exe"="C:\\Pr ogram Files\\GameTap\\bin\\Release\\gametap.exe:*:Enable d:GameTap Application"
"C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraf t"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Cain\\Cain.exe"="C:\\Program Files\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\WINDOWS\\Temp\\~os43.tmp\\ossproxy.exe"="C:\\ WINDOWS\\Temp\\~os43.tmp\\ossproxy.exe:*:Enabled:o ssproxy.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

Remaining Files :


File Backups: - C:\DOCUME~1\IRENEH~1\Desktop\SDFIX\SDFix\backups\b ackups.zip

Files with Hidden Attributes :

Sat 3 Nov 2007 104 ..SHR --- "C:\WINDOWS\system32\51C0F3D8F4.sys"
Sat 3 Nov 2007 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 1 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 31 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 30 Jul 2007 19,456 A..H. --- "C:\Documents and Settings\Rob\Application Data\Microsoft\Word\~WRL0001.tmp"
Sat 28 Jul 2007 19,456 A..H. --- "C:\Documents and Settings\Rob\Application Data\Microsoft\Word\~WRL0003.tmp"
Sat 28 Jul 2007 19,968 A..H. --- "C:\Documents and Settings\Rob\Application Data\Microsoft\Word\~WRL0372.tmp"
Thu 1 Jun 2006 4,348 A..H. --- "C:\Documents and Settings\Rob\My Documents\My Music\License Backup\drmv1key.bak"
Sun 22 Oct 2006 20 A..H. --- "C:\Documents and Settings\Rob\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 19 Jun 2006 400 A.SH. --- "C:\Documents and Settings\Rob\My Documents\My Music\License Backup\drmv2key.bak"
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp "
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp "
Fri 20 Apr 2007 8 A..H. --- "C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp "
Fri 20 Apr 2007 8 A..H. --- "C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp "
Wed 18 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rob\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp "
Thu 19 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rob\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp "
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rob\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp "
Wed 25 Apr 2007 8 A..H. --- "C:\Documents and Settings\Rob\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp "

Finished!
icemanWST is offline  
Old 06-03-2008, 05:33 PM   #7 (permalink)
 
Super Techie

Join Date: Aug 2007

Posts: 451

techpro5238 is on a distinguished road
Default Re: can someone help heres a hijack log
Step1 | The Avenger

Please download The Avenger HERE.

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to delete:
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\clb.dll
C:\WINDOWS\system32\clbcatex.dll
C:\WINDOWS\system32\clbcatq.dll
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dllcache\clb.dll
C:\WINDOWS\system32\dllcache\clbcatex.dll
C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
C:\WINDOWS\system32\51C0F3D8F4.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Program Files\Common Files\Real\Plugins\clbascauth.dll
C:\StubInstaller.exe


Folders to delete:
C:\WINDOWS\Temp
C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek
C:\Documents and Settings\Rob\Application Data\Gtek

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer.
  • Important: When the computer boots up, do not let it enter Normal Mode, but enter Safe Mode with Networking right away.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

Step2 | Registry Script

We are going to edit your Windows Registry. Before doing so, we have to backup the registry just in case something goes wrong. To do so, please go to Start => Run and copy/paste the following text in quotes:

"regedit /e C:\RegBackup.reg"

Your mouse pointer may become an hour glass for a few moments. Please wait until the computer become inactive and your mouse pointer returns to normal. Then follow the steps below:

1. Open a notepad (not wordpad) document

2. In the new notepad document, please copy/paste the following text in the code box:

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clb.dll]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"C:\\StubInstaller.exe"=-
"C:\\WINDOWS\\Temp\\~os43.tmp\\ossproxy.exe"=-
(EVERYONE NOTE: The above script was created specifically for this user, and will cause damage to your computer if you run it on your system)

3. Click File => Save As and change "Save As Type:" to All Files

4. After doing the above save the file to your desktop as "Fix.reg"

5. When you browse to your desktop, your file should look exactly like this:

http://core.pchelpme.us/images/speeches/Fix-Reg.PNG

6. It will ask you, "Are you sure you want to add the information in <Filepath> to the registry?" Please click Yes to this prompt.

Step3 | Running ComboFix

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
  • Be sure to re-enable your anti-virus and other security programs, after ComboFix finished.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Logs Required In Next Post
-----------------------------

TheAvenger Log
ComboFix Log
Hijackthis Log
techpro5238 is offline  
Old 06-03-2008, 08:49 PM   #8 (permalink)
 
Newb Techie

Join Date: Jun 2008

Posts: 5

icemanWST is on a distinguished road
Default Re: can someone help heres a hijack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:12, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A94867E7-7C1B-4693-AA98-DBC7E6ED5804} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\s wg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF21007.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames...p.cab56961.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab55579.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: perfnesys.dll,C:\Program,Files\PermissionResearch\ prai.dll,perfnesys.dll,C:\Program Files\PermissionResearch\prai.dll perfnesys.dll
O20 - Winlogon Notify: efcayaw - efcayaw.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10943 bytes
icemanWST is offline  
Old 06-03-2008, 08:50 PM   #9 (permalink)
 
Newb Techie

Join Date: Jun 2008

Posts: 5

icemanWST is on a distinguished road
Default Re: can someone help heres a hijack log
I missed getting into safe mode so I tried to run it again. The first time around (the txt isn't here now, I guess it just keeps the last one) it said EVERYTHING that was input was deleted .suscessfully.


Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "clbdriver" found!
ImagePath: \??\globalroot\systemroot\system32\drivers\clbdriv er.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: file "C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex. dll" not found!
Deletion of file "C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex. dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.d ll" not found!
Deletion of file "C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.d ll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\clbdriver.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\clbdriver.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\clb.dll" not found!
Deletion of file "C:\WINDOWS\system32\clb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\clbcatex.dll" not found!
Deletion of file "C:\WINDOWS\system32\clbcatex.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\clbcatq.dll" not found!
Deletion of file "C:\WINDOWS\system32\clbcatq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\clbdll.dll" not found!
Deletion of file "C:\WINDOWS\system32\clbdll.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\clbinit.dll" not found!
Deletion of file "C:\WINDOWS\system32\clbinit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\dllcache\clb.dll" not found!
Deletion of file "C:\WINDOWS\system32\dllcache\clb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\dllcache\clbcatex.dll" not found!
Deletion of file "C:\WINDOWS\system32\dllcache\clbcatex.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll " not found!
Deletion of file "C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll " failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll" not found!
Deletion of file "C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\51C0F3D8F4.sys" not found!
Deletion of file "C:\WINDOWS\system32\51C0F3D8F4.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\KGyGaAvL.sys" not found!
Deletion of file "C:\WINDOWS\system32\KGyGaAvL.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Program Files\Common Files\Real\Plugins\clbascauth.dll" not found!
Deletion of file "C:\Program Files\Common Files\Real\Plugins\clbascauth.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\StubInstaller.exe" not found!
Deletion of file "C:\StubInstaller.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\Temp" deleted successfully.

Error: folder "C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek" not found!
Deletion of folder "C:\Documents and Settings\Irene Hawthorne\Application Data\Gtek" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Documents and Settings\Rob\Application Data\Gtek" not found!
Deletion of folder "C:\Documents and Settings\Rob\Application Data\Gtek" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.







ComboFix 08-06-03.1 - Irene Hawthorne 2008-06-03 20:16:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.242 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\My Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dwayne\My Documents\Online Security Guide.url
C:\Documents and Settings\Dwayne\My Documents\Security Troubleshooting.url
C:\Program Files\RcvSystem
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 17:12 . 1999-05-05 22:22 471,040 --a------ C:\WINDOWS\system32\KERNEL032.DLL
2008-06-03 15:19 . 2008-06-03 15:19 268 --ah----- C:\sqmdata16.sqm
2008-06-03 15:19 . 2008-06-03 15:19 244 --ah----- C:\sqmnoopt16.sqm
2008-06-03 03:39 . 2008-06-03 03:39 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix
2008-06-02 21:31 . 2008-06-02 21:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-02 19:12 . 2008-06-02 19:12 3,548 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-02 19:03 . 2008-06-02 19:03 1,392,671 --a------ C:\WINDOWS\system32\fix.exe
2008-06-02 17:45 . 2008-06-03 03:35 <DIR> d-------- C:\Documents and Settings\Irene Hawthorne\Application Data\Azureus
2008-05-29 16:44 . 2008-05-29 16:44 <DIR> d-------- C:\Documents and Settings\Irene Hawthorne\Application Data\Lavasoft
2008-05-27 22:22 . 2008-05-27 22:38 <DIR> d-------- C:\Program Files\Security Task Manager
2008-05-27 22:22 . 2008-06-03 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-05-24 16:36 . 2008-05-24 16:35 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-24 16:36 . 2008-05-24 16:37 2,538 --a------ C:\WINDOWS\unins000.dat
2008-05-23 16:00 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-05-20 13:41 . 2008-05-20 13:41 244 --ah----- C:\sqmnoopt15.sqm
2008-05-20 13:41 . 2008-05-20 13:41 232 --ah----- C:\sqmdata15.sqm
2008-05-16 03:04 . 2008-05-16 03:04 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-06-04 00:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-04 00:05 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-03 21:31 --------- d-----w C:\Documents and Settings\Guest\Application Data\Talkback
2008-06-03 21:30 --------- d-----w C:\Program Files\BitZip
2008-06-03 21:30 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Talkback
2008-06-03 07:39 --------- d--h--r C:\Documents and Settings\Irene Hawthorne\Application Data\yahoo!
2008-06-03 07:39 --------- d-----w C:\Program Files\Yahoo!
2008-06-03 07:39 --------- d-----w C:\Program Files\Conduit
2008-06-03 07:39 --------- d-----w C:\Program Files\BitZipperSearch
2008-06-03 07:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-03 07:35 --------- d-----w C:\Program Files\GetTiffany
2008-06-03 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-03 01:24 --------- d-----w C:\Program Files\Azureus
2008-05-31 08:07 --------- d-----w C:\Documents and Settings\Irene Hawthorne\Application Data\AVG7
2008-05-31 07:47 --------- d-----w C:\Program Files\CaptureWebCam
2008-05-29 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-29 20:43 --------- d-----w C:\Program Files\Mail PassView
2008-05-27 01:02 --------- d-----w C:\Program Files\MSN Messenger
2008-05-27 01:02 --------- d-----w C:\Program Files\Cain
2008-05-26 07:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 18:58 --------- d-----w C:\Program Files\LimeWire
2008-05-25 18:58 --------- d-----w C:\Program Files\FrostWire
2008-05-25 18:58 --------- d-----w C:\Program Files\eMule
2008-05-25 18:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-23 20:00 7,168 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-16 00:25 --------- d-----w C:\Program Files\Java
2008-04-06 18:08 --------- d-----w C:\Program Files\Google
.
Code:
<pre>
----a-w            40,048 2007-12-24 00:27:42  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         1,404,928 2007-12-24 00:25:59  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w            81,920 2007-12-24 00:26:15  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           249,856 2007-12-24 00:26:07  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w           185,632 2007-12-24 00:27:49  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            66,680 2007-12-24 00:26:41  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w            94,208 2007-12-24 00:25:56  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w           460,784 2007-12-24 00:28:25  C:\Program Files\DellSupport\DSAgnt .exe
----a-w            68,856 2007-12-24 00:28:05  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           579,072 2007-12-24 00:27:33  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w            49,152 2007-12-24 00:27:07  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           256,576 2007-12-24 00:27:08  C:\Program Files\iTunes\iTunesHelper .exe
----a-w         1,121,792 2007-12-24 00:27:13  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w           124,128 2007-12-24 00:26:54  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w         1,880,064 2007-12-24 00:27:34  C:\Program Files\verizon\Servicepoint\VerizonServicepoint .exe
----a-w           438,359 2007-12-24 00:27:28  C:\Program Files\verizon\SmartBridge\MotiveSB .exe
----a-w            12,288 2007-12-24 00:26:34  C:\Program Files\Winamp\Winampa .exe
----a-w            15,360 2007-12-24 01:16:24  C:\WINDOWS\system32\ctfmon .exe
----a-w            77,824 2007-12-24 00:26:23  C:\WINDOWS\system32\hkcmd .exe
----a-w           114,688 2007-12-24 00:26:27  C:\WINDOWS\system32\igfxpers .exe
----a-w            94,208 2007-12-24 00:26:20  C:\WINDOWS\system32\igfxtray .exe
----a-w           122,940 2007-12-24 00:26:17  C:\WINDOWS\system32\DLA\DLACTRLW .EXE
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94867E7-7C1B-4693-AA98-DBC7E6ED5804}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 16:35 67112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-04-05 19:03 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Motive SmartBridge"="C:\PROGRA~1\verizon\SMARTB~1\MotiveS B.exe" [ ]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe " [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"combofix"="C:\WINDOWS\system32\CF21007.exe" [2004-08-04 06:00 388608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 15:40 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-12 10:12:50 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-02 22:48:26 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\efcayaw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayaw]
efcayaw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=perfnesys.dll,C:\Program,Files\Perm issionResearch\prai.dll,perfnesys.dll,C:\Program Files\PermissionResearch\prai.dll perfnesys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Documents and Settings\\Rob\\Desktop\\warez.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\GetTiffany\\gettiffany.exe"=
"C:\\Program Files\\Atari\\Scrabble Online\\scrabbleo.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Warez P2P Client\\My Shared Folder\\iMesh6.exe"=
"C:\\Program Files\\Hasbro Interactive\\Scrabble v2.0\\Scrabble v2.0.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\Program Files\\BearFlix\\bearflix.exe"=
"C:\\Program Files\\FilePipe P2P\\giFT\\giFTl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\BitZip\\bitzip.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr .exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\GameTap\\bin\\Release\\gametap.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Cain\\Cain.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\Temp\\~os43.tmp\\ossproxy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"14101:TCP"= 14101:TCP:BitComet 14101 TCP
"14101:UDP"= 14101:UDP:BitComet 14101 UDP

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 oxfjcp;oxfjcp;C:\WINDOWS\system32\drivers\kifeacu. sys []
S3 gel90xne;gel90xne;C:\DOCUME~1\IRENEH~1\LOCALS~1\Te mp\gel90xne.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sy s [2006-09-27 16:12]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 20:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-31 13:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 20:24:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\c lbdriver]
"imagepath"="\??\globalroot\systemroot\system32\dr ivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\taskmgr.exe
.
************************************************** ************************
.
Completion time: 2008-06-03 20:31:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 00:31:16

Pre-Run: 78,382,731,264 bytes free
Post-Run: 78,462,418,944 bytes free

234 --- E O F --- 2008-05-28 04:56:10
icemanWST is offline  
Old 06-04-2008, 07:41 PM   #10 (permalink)
 
Super Techie

Join Date: Aug 2007

Posts: 451

techpro5238 is on a distinguished road
Default Re: can someone help heres a hijack log
Hello icemanWST,

Sorry about the wait .. things have been 'hectic' on this part. You have a very bad Vundo infection that has to be removed ASAP. Please follow all my instructions as carefully as you can. Read all parts and follow anything that is in my steps.

Step1 | ComboFix CFScript

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

RenV::
----a-w            40,048 2007-12-24 00:27:42  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w         1,404,928 2007-12-24 00:25:59  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w            81,920 2007-12-24 00:26:15  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w           249,856 2007-12-24 00:26:07  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w           185,632 2007-12-24 00:27:49  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            66,680 2007-12-24 00:26:41  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w            94,208 2007-12-24 00:25:56  C:\Program Files\Dell\Media Experience\DMXLauncher .exe
----a-w           460,784 2007-12-24 00:28:25  C:\Program Files\DellSupport\DSAgnt .exe
----a-w            68,856 2007-12-24 00:28:05  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           579,072 2007-12-24 00:27:33  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w            49,152 2007-12-24 00:27:07  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w           256,576 2007-12-24 00:27:08  C:\Program Files\iTunes\iTunesHelper .exe
----a-w         1,121,792 2007-12-24 00:27:13  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w           124,128 2007-12-24 00:26:54  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w         1,880,064 2007-12-24 00:27:34  C:\Program Files\verizon\Servicepoint\VerizonServicepoint .exe
----a-w           438,359 2007-12-24 00:27:28  C:\Program Files\verizon\SmartBridge\MotiveSB .exe
----a-w            12,288 2007-12-24 00:26:34  C:\Program Files\Winamp\Winampa .exe
----a-w            15,360 2007-12-24 01:16:24  C:\WINDOWS\system32\ctfmon .exe
----a-w            77,824 2007-12-24 00:26:23  C:\WINDOWS\system32\hkcmd .exe
----a-w           114,688 2007-12-24 00:26:27  C:\WINDOWS\system32\igfxpers .exe
----a-w            94,208 2007-12-24 00:26:20  C:\WINDOWS\system32\igfxtray .exe
----a-w           122,940 2007-12-24 00:26:17  C:\WINDOWS\system32\DLA\DLACTRLW .EXE

File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\fix.exe
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\efcayaw.dll

Folder::
C:\Program Files\RcvSystem
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Program Files\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94867E7-7C1B-4693-AA98-DBC7E6ED5804}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcayaw]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clbdriver]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\Temp\\~os43.tmp\\ossproxy.exe"=-
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply

Step2 | Hijackthis Entries

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now
O2 - BHO: (no name) - {A94867E7-7C1B-4693-AA98-DBC7E6ED5804} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: efcayaw - efcayaw.dll (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step3 | ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Logs Required In Next Post
-------------------------------

ComboFix (CFScript) Log
New Hijackthis Log
techpro5238 is offline  
 
 
Page 1 of 2 1 2

« BIOS will not detect CD-RW drive | how do i remove this spyware???? (HijackThis log included) »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Similar Threads
Thread Thread Starter Forum Replies Last Post
Hijack Log for my system - just scanned blue-lynx HijackThis Logs (finished) 1 05-06-2008 02:14 PM
Hijack log Stypher HijackThis Logs (finished) 3 03-15-2008 04:29 AM
My Hijack Log. AhBeng HijackThis Logs (finished) 8 02-29-2008 09:23 AM
hijack this log for me ...thanks tf krazyq HijackThis Logs (finished) 0 01-04-2008 02:32 AM
Hijack this log file rohandani HijackThis Logs (finished) 11 11-19-2007 09:52 AM

Contact Us - Computer Technology Forums - Archive - Top

 

All times are GMT -5. The time now is 07:34 AM.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.3.2 Copyright ©2002-2009, Tech-Forums.net
vBulletin skin created by Baez & Baez Computers Inc.   |   Contact Management Software and AAOutlook 		Log Out Unregistered