Hijacked[INACTIVE]



Looking for some guidance.

I have been working on this system trying to rid it of all the malware for the past two weeks. :( I wanted to know if someone more intelligent than me could review the following HJT log and tell me what step is next.

Logfile of HijackThis v1.99.1

Scan saved at 1:41:10 AM, on 5/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\PROMon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\system32\wuauclt.exe

C:\Tools\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2E0E64D9-7534-30D4-6B07-C85E70B560E7} - (no file)

O2 - BHO: (no name) - {31A08461-626D-53AF-AEC1-6D55B7AF56D6} - (no file)

O2 - BHO: Class - {33C72CDB-3BBD-17B9-5B4C-A9284AAF181A} - C:\WINNT\system32\sdkqd.dll (file missing)

O2 - BHO: (no name) - {4DABBD0F-E50D-DF6B-CB93-3EC3F78B0459} - (no file)

O2 - BHO: (no name) - {4FA802CF-0ABC-5933-2F97-A6D62B6D0D92} - (no file)

O2 - BHO: (no name) - {56832034-0118-AC10-2815-32621E9662AF} - (no file)

O2 - BHO: (no name) - {69817633-2086-10E0-B86C-9B1DEB7AEF18} - (no file)

O2 - BHO: (no name) - {7E3BB037-7059-55DB-FA6D-8DF74FEDD760} - (no file)

O2 - BHO: (no name) - {83177E66-7E7F-538B-46D1-43698538D537} - (no file)

O2 - BHO: (no name) - {8E0CE432-A3AE-A80E-30A8-4C94088B9CDC} - (no file)

O2 - BHO: (no name) - {98394CA1-7BAB-B29A-F6EF-BCD02C45FA18} - (no file)

O2 - BHO: (no name) - {A81B8484-8534-2D9B-22DE-F1DF8324EDA6} - (no file)

O2 - BHO: (no name) - {AA238E86-8EAD-2ECE-FF73-195A0AAF0B1C} - (no file)

O2 - BHO: (no name) - {AC7E418F-F696-735F-7662-84321DD3E7DA} - (no file)

O2 - BHO: (no name) - {C1484A99-2038-0CDC-C80E-44766C75E89B} - (no file)

O2 - BHO: (no name) - {CBCDBF9A-F483-A3DC-B820-8EDE2149D4CD} - (no file)

O2 - BHO: (no name) - {D73446D7-0CE7-C991-3DD6-4BFA0AEC16E0} - (no file)

O2 - BHO: (no name) - {DE0B9FB0-13BA-2FB8-8A80-F7625867954E} - (no file)

O2 - BHO: (no name) - {E0E70BCF-8645-7988-38D4-547B3E4E06E8} - (no file)

O2 - BHO: (no name) - {E63F821B-67B7-E242-9311-6ABFC66AFDF8} - (no file)

O2 - BHO: (no name) - {FA741EB8-2839-DFA0-00E5-4D86BF6A6478} - (no file)

O2 - BHO: (no name) - {FF83C3DD-B793-E7DC-E2AA-7D6BFF8DEE6B} - (no file)

O4 - HKLM\..\Run: [ipvd.exe] C:\WINNT\system32\ipvd.exe

O4 - HKLM\..\Run: [sdkla.exe] C:\WINNT\system32\sdkla.exe

O4 - HKLM\..\Run: [sdkgg32.exe] C:\WINNT\sdkgg32.exe

O4 - HKLM\..\Run: [sysTray] C:\Program Files\cqsjqa.exe

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [netqn.exe] C:\WINNT\system32\netqn.exe

O4 - HKLM\..\Run: [mfczk.exe] C:\WINNT\system32\mfczk.exe

O4 - HKLM\..\Run: [lich] lich.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINNT\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINNT\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146627232093

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks in advance.


First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions. You cannot have IE/Firefox/any browser open during the fix.

Please download Ewido Anti Malware, it is a free version of the program.

  1. Install ewido security suite
  2. When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu

  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

Start Ewido

  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
  • Close Ewido

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

Please run HijackThis and click "Scan." Place checks next to the following entries:

O2 - BHO: (no name) - {2E0E64D9-7534-30D4-6B07-C85E70B560E7} - (no file)

O2 - BHO: (no name) - {31A08461-626D-53AF-AEC1-6D55B7AF56D6} - (no file)

O2 - BHO: Class - {33C72CDB-3BBD-17B9-5B4C-A9284AAF181A} - C:\WINNT\system32\sdkqd.dll (file missing)

O2 - BHO: (no name) - {4DABBD0F-E50D-DF6B-CB93-3EC3F78B0459} - (no file)

O2 - BHO: (no name) - {4FA802CF-0ABC-5933-2F97-A6D62B6D0D92} - (no file)

O2 - BHO: (no name) - {56832034-0118-AC10-2815-32621E9662AF} - (no file)

O2 - BHO: (no name) - {69817633-2086-10E0-B86C-9B1DEB7AEF18} - (no file)

O2 - BHO: (no name) - {7E3BB037-7059-55DB-FA6D-8DF74FEDD760} - (no file)

O2 - BHO: (no name) - {83177E66-7E7F-538B-46D1-43698538D537} - (no file)

O2 - BHO: (no name) - {8E0CE432-A3AE-A80E-30A8-4C94088B9CDC} - (no file)

O2 - BHO: (no name) - {98394CA1-7BAB-B29A-F6EF-BCD02C45FA18} - (no file)

O2 - BHO: (no name) - {A81B8484-8534-2D9B-22DE-F1DF8324EDA6} - (no file)

O2 - BHO: (no name) - {AA238E86-8EAD-2ECE-FF73-195A0AAF0B1C} - (no file)

O2 - BHO: (no name) - {AC7E418F-F696-735F-7662-84321DD3E7DA} - (no file)

O2 - BHO: (no name) - {C1484A99-2038-0CDC-C80E-44766C75E89B} - (no file)

O2 - BHO: (no name) - {CBCDBF9A-F483-A3DC-B820-8EDE2149D4CD} - (no file)

O2 - BHO: (no name) - {D73446D7-0CE7-C991-3DD6-4BFA0AEC16E0} - (no file)

O2 - BHO: (no name) - {DE0B9FB0-13BA-2FB8-8A80-F7625867954E} - (no file)

O2 - BHO: (no name) - {E0E70BCF-8645-7988-38D4-547B3E4E06E8} - (no file)

O2 - BHO: (no name) - {E63F821B-67B7-E242-9311-6ABFC66AFDF8} - (no file)

O2 - BHO: (no name) - {FA741EB8-2839-DFA0-00E5-4D86BF6A6478} - (no file)

O2 - BHO: (no name) - {FF83C3DD-B793-E7DC-E2AA-7D6BFF8DEE6B} - (no file)

O4 - HKLM\..\Run: [ipvd.exe] C:\WINNT\system32\ipvd.exe

O4 - HKLM\..\Run: [sdkla.exe] C:\WINNT\system32\sdkla.exe

O4 - HKLM\..\Run: [sdkgg32.exe] C:\WINNT\sdkgg32.exe

O4 - HKLM\..\Run: [sysTray] C:\Program Files\cqsjqa.exe

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [netqn.exe] C:\WINNT\system32\netqn.exe

O4 - HKLM\..\Run: [mfczk.exe] C:\WINNT\system32\mfczk.exe

O4 - HKLM\..\Run: [lich] lich.exe

O4 - HKCU\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

Start Ewido Anti-Malware

  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido

When Ewido is finished scanning, reboot back to normal mode and run this online virus scan (MUST use IE): ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click Send (NOTE: it's perfectly safe to do so. You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.


Post

  • The Ewido log
  • A new HijackThis log
  • Panda results

in your next reply here.
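The selection above follows three patterns that recur in HijackThis logs: O2 BHO entries whose DLL is gone ("(no file)" or "(file missing)"), O4 startup entries that have to be vetted one by one, and O16 DPF (ActiveX) controls loaded from a local file:// CAB rather than a vendor URL. Those checks can be scripted. The code below is an added example for this thread, not part of the helper's post and not a HijackThis feature: a small parser for HJT log lines, the three rules, and a comparison of the pre- and post-fix logs keyed on CLSID (a fixed BHO keeps its GUID even after its label degrades to "(no name) ... (no file)", so comparing raw lines would miss it). The excerpted log lines are copied from the two logs in this thread, and the startup allowlist is a constructed assumption standing in for the reviewer's own judgement.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpts: a handful of lines copied from the two HijackThis logs in
# this thread (before and after "Fix Checked"), not the full logs.
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E0E64D9-7534-30D4-6B07-C85E70B560E7} - (no file)
O2 - BHO: Class - {33C72CDB-3BBD-17B9-5B4C-A9284AAF181A} - C:\WINNT\system32\sdkqd.dll (file missing)
O4 - HKLM\..\Run: [ipvd.exe] C:\WINNT\system32\ipvd.exe
O4 - HKLM\..\Run: [lich] lich.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [sndraw32] C:\WINNT\system32\sndraw32.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
"""

AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E0E64D9-7534-30D4-6B07-C85E70B560E7} - (no file)
O2 - BHO: (no name) - {33C72CDB-3BBD-17B9-5B4C-A9284AAF181A} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
"""

# Constructed allowlist (an assumption for this example): startup executables the
# reviewer has already vouched for on this machine. Anything else gets flagged.
KNOWN_GOOD_STARTUP = {"ituneshelper.exe", "msascui.exe", "igfxtray.exe",
                      "hkcmd.exe", "avgcc.exe", "zlclient.exe"}

SECTION_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>.*?):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str            # "O2", "O4", "O16", ...
    name: str               # BHO label, Run value name, DPF label, ...
    clsid: Optional[str]    # GUID if the line carries one
    target: str             # file path, command line or download URL
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry; returns None for non-entry lines."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    if section == "O4":                      # O4 - HKLM\..\Run: [value name] command line
        m4 = RUN_RE.match(rest)
        if m4:
            return Entry(section, m4.group("name"), None, m4.group("cmd").strip(), line)
    # Other sections read "label - {clsid} - target" or "label - target":
    # the target is the last " - "-separated chunk.
    parts = rest.split(" - ")
    target = parts[-1].strip() if len(parts) > 1 else ""
    return Entry(section, parts[0], clsid, target, line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def run_executable(cmdline: str) -> str:
    """Lower-cased file name of the program an O4 command line launches."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        path = cmdline[1:].split('"', 1)[0]     # quoted path; arguments follow the closing quote
    else:
        path = cmdline.split(" ", 1)[0]         # unquoted: first blank ends the path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries: List[Entry], known_good_startup) -> List[Tuple[Entry, str]]:
    """Apply the three review rules used in this thread and return (entry, reason) pairs."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.target.endswith(MISSING):
            findings.append((e, "BHO registered but its DLL is missing: orphaned hook, remove"))
        elif e.section == "O16" and e.target.lower().startswith("file://"):
            findings.append((e, "ActiveX (DPF) control sourced from a local CAB, not a vendor URL"))
        elif e.section == "O4" and run_executable(e.target) not in known_good_startup:
            findings.append((e, "startup entry not on the allowlist: verify publisher and path"))
    return findings


def entry_key(e: Entry):
    # GUID-bearing entries keep their GUID after the file is deleted, while the
    # visible label changes; so compare on the GUID when there is one.
    return e.clsid or (e.section, e.name, e.target)


def persisting_findings(before_text: str, after_text: str, known_good_startup):
    """Findings from the first log that are still present in the second."""
    after_keys = {entry_key(e) for e in parse_log(after_text)}
    return [(e, why) for e, why in triage(parse_log(before_text), known_good_startup)
            if entry_key(e) in after_keys]


if __name__ == "__main__":
    for e, why in triage(parse_log(BEFORE_LOG), KNOWN_GOOD_STARTUP):
        print(f"[{e.section}] {e.name}: {why}")
    print("still present after the fix:")
    for e, _ in persisting_findings(BEFORE_LOG, AFTER_LOG, KNOWN_GOOD_STARTUP):
        print("  " + e.raw)
```

Run against the excerpts, the triage flags both orphaned BHOs, the three unvetted startup entries and the file:// DPF control, and the comparison shows that the two orphaned BHO registrations survived "Fix Checked" (as the second full log in this thread also shows), which is exactly the kind of leftover a reviewer wants surfaced before asking for the next round.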


Thanks for the help.

I completed all steps in the order requested.

Almost there.

Here are the reports requested.

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 10:10:06 AM, 5/7/2006

+ Report-Checksum: 2E1BEFD8

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0E5F2482-16C5-35FF-C41E-6FBD60CC094F} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{2EE5241D-6041-2CDD-BE05-C4263150CE85} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{33A0E090-367D-F4A5-3EAB-AC16FCEAE0E4} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{347C0CBB-197D-63E4-6532-6D86E44AA109} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{44B1F0D9-8D4A-B320-0B94-4327FF80D51E} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{4FC94B1F-F066-F80C-485F-C0DA5FF9D913} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{588A083D-3EC5-A393-A9A0-E5DD1BC3F762} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{5E6907AD-4057-5842-8288-F1EFF0E72AA1} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{6A2063B6-69B5-A3A1-7403-0D537F961042} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{72A9B624-8C5D-2A66-F77F-2A9004EE69D5} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{7713DD6B-A984-F8B8-9A9D-A8BCF01E58A9} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{7E41957F-89DF-563D-E57F-852D80213014} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{7F1BFF8F-418C-427D-AF1D-F1A6A769CB93} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{9E6CB7E7-D9CA-2ED9-A46C-035B874130E9} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{C1165E67-68EB-8644-61A7-C70B7B4D913A} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{D0399E2B-05D1-5DA6-F24E-BF769D7B7DCB} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{EC451F32-BB29-5DBF-E96E-4F507B7878C8} -> Adware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{EE716A0B-FF24-94E4-7B6E-3F50AEC19912} -> Adware.CoolWebSearch : Cleaned with backup

HKU\S-1-5-21-3307217056-972670786-3454122357-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{69817633-2086-10E0-B86C-9B1DEB7AEF18} -> Adware.CoolWebSearch : Cleaned with backup

HKU\S-1-5-21-3307217056-972670786-3454122357-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98394CA1-7BAB-B29A-F6EF-BCD02C45FA18} -> Adware.CoolWebSearch : Cleaned with backup

HKU\S-1-5-21-3307217056-972670786-3454122357-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC7E418F-F696-735F-7662-84321DD3E7DA} -> Adware.CoolWebSearch : Cleaned with backup

HKU\S-1-5-21-3307217056-972670786-3454122357-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DE0B9FB0-13BA-2FB8-8A80-F7625867954E} -> Adware.CoolWebSearch : Cleaned with backup

HKU\S-1-5-21-3307217056-972670786-3454122357-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FA741EB8-2839-DFA0-00E5-4D86BF6A6478} -> Adware.CoolWebSearch : Cleaned with backup

C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Owner\Cookies\owner@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup

C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Program Files\TBONBin -> Adware.BetterInternet : Cleaned with backup

C:\Program Files\TBONBin\tbon.exe -> Adware.BetterInternet : Cleaned with backup

C:\Program Files\TBONBin\TBONInst.cfg -> Adware.BetterInternet : Cleaned with backup

C:\Program Files\TBONBin\TBONUnst.htm -> Adware.BetterInternet : Cleaned with backup

C:\Program Files\TBONBin\TBONWnd.EXE -> Adware.BetterInternet : Cleaned with backup

C:\Program Files\TBONBin\Uninstall.exe -> Adware.BetterInternet : Cleaned with backup

C:\WINNT\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup

C:\WINNT\system32\winbrume.dll -> Adware.BHO : Cleaned with backup

::Report End

------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 10:55:14 AM, on 5/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINNT\System32\NMSSvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Tools\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2E0E64D9-7534-30D4-6B07-C85E70B560E7} - (no file)

O2 - BHO: (no name) - {31A08461-626D-53AF-AEC1-6D55B7AF56D6} - (no file)

O2 - BHO: (no name) - {33C72CDB-3BBD-17B9-5B4C-A9284AAF181A} - (no file)

O2 - BHO: (no name) - {4DABBD0F-E50D-DF6B-CB93-3EC3F78B0459} - (no file)

O2 - BHO: (no name) - {4FA802CF-0ABC-5933-2F97-A6D62B6D0D92} - (no file)

O2 - BHO: (no name) - {56832034-0118-AC10-2815-32621E9662AF} - (no file)

O2 - BHO: (no name) - {69817633-2086-10E0-B86C-9B1DEB7AEF18} - (no file)

O2 - BHO: (no name) - {7E3BB037-7059-55DB-FA6D-8DF74FEDD760} - (no file)

O2 - BHO: (no name) - {83177E66-7E7F-538B-46D1-43698538D537} - (no file)

O2 - BHO: (no name) - {8E0CE432-A3AE-A80E-30A8-4C94088B9CDC} - (no file)

O2 - BHO: (no name) - {98394CA1-7BAB-B29A-F6EF-BCD02C45FA18} - (no file)

O2 - BHO: (no name) - {A81B8484-8534-2D9B-22DE-F1DF8324EDA6} - (no file)

O2 - BHO: (no name) - {AA238E86-8EAD-2ECE-FF73-195A0AAF0B1C} - (no file)

O2 - BHO: (no name) - {AC7E418F-F696-735F-7662-84321DD3E7DA} - (no file)

O2 - BHO: (no name) - {C1484A99-2038-0CDC-C80E-44766C75E89B} - (no file)

O2 - BHO: (no name) - {CBCDBF9A-F483-A3DC-B820-8EDE2149D4CD} - (no file)

O2 - BHO: (no name) - {D73446D7-0CE7-C991-3DD6-4BFA0AEC16E0} - (no file)

O2 - BHO: (no name) - {DE0B9FB0-13BA-2FB8-8A80-F7625867954E} - (no file)

O2 - BHO: (no name) - {E0E70BCF-8645-7988-38D4-547B3E4E06E8} - (no file)

O2 - BHO: (no name) - {E63F821B-67B7-E242-9311-6ABFC66AFDF8} - (no file)

O2 - BHO: (no name) - {FA741EB8-2839-DFA0-00E5-4D86BF6A6478} - (no file)

O2 - BHO: (no name) - {FF83C3DD-B793-E7DC-E2AA-7D6BFF8DEE6B} - (no file)

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINNT\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINNT\System32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146627232093

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

------------------------------------------------------------

Panda Active Scan

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt

Adware:adware/secure32 Not disinfected C:\Program Files\secure32.html

Adware:Adware/MediaTickets Not disinfected C:\Tools\HijackThis\backups\backup-20060507-091433-304.inf

Dialer:Dialer.ABR Not disinfected C:\Tools\HijackThis\backups\backup-20060507-091433-773.inf

Adware:Adware/PurityScan Not disinfected C:\Tools\HijackThis\backups\backup-20060507-091434-634.inf

Adware:adware/searchaid Not disinfected C:\WINNT\n_sjnvih.dat

Dialer:Dialer.Gen Not disinfected C:\WINNT\switchagreement.txt


I was going through the forum today and found this post. I don't know quite what happened, whether I didn't get a notice or what, but I am terribly sorry for the delay. Would you post a current HijackThis log if you still need assistance, please? Again, I am VERY sorry.
