Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Need help with my HJT Log (Hit a dead end) Need help with my HJT Log (Hit a dead end)
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 04-30-2007, 11:15 AM   #1 (permalink)
Registered User
 
buddha's Avatar
 
Join Date: Mar 2002
Location: Clearwater, Florida
Posts: 16
OS: Win2K/XP/Linux


Send a message via AIM to buddha Send a message via Yahoo to buddha
Need help with my HJT Log (Hit a dead end)
I have came to a dead end with my recent battle with some Mal/Spy/Adware and I need to reach out to get some help.

I got infected by multiple programs and got rid of the major things that were creating popups and making Avast go off about every 10 minutes which I thnk was the caused from Vundo which I got the vundofix and ran that a removed it and that seemed to work but I am still getting hit in Avast.

Steps I have taken:
1. All Virus and Spy apps are up to date
2. Ran Spybot, Adware and Windows Defender
3. Ran in safe mode multiple times
4. Removed Vundo with VundoFix

I have above average knowledge with comps and everything I know to do I have done and I see things in the HJT log but I am not really sure what program infected me to remove them since I am not familiar with HJT.

Here is my log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:08:24 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\nic\Desktop\HiJackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\qohvxdvv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uhcmojut.dll",realset
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 6315 bytes
__________________
"Technology is dominated by two types of people. Those who manage what they do not understand and those who understand what they do not manage."
buddha is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-01-2007, 10:17 AM   #2 (permalink)
Registered User
 
buddha's Avatar
 
Join Date: Mar 2002
Location: Clearwater, Florida
Posts: 16
OS: Win2K/XP/Linux


Send a message via AIM to buddha Send a message via Yahoo to buddha
Re: Need help with my HJT Log (Hit a dead end)
Still in need for help with this. I just got an alert from Windows Defender about Ipwindows and when I have done searches on the net about this Vundo comes up and I have ran the VundoFix already and it keeps coming back.

Any help is appreciated.
__________________
"Technology is dominated by two types of people. Those who manage what they do not understand and those who understand what they do not manage."
buddha is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-01-2007, 11:10 AM   #3 (permalink)
Registered User
 
buddha's Avatar
 
Join Date: Mar 2002
Location: Clearwater, Florida
Posts: 16
OS: Win2K/XP/Linux


Send a message via AIM to buddha Send a message via Yahoo to buddha
Re: Need help with my HJT Log (Hit a dead end)
Sorry for the multiple posts but I dont see an edit option.

Adding DSS scan

Deckard's System Scanner v20070426.43
Run by nic on 2007-05-01 at 13:01:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2007-05-01 17:02:12 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2007-05-01 16:09:08 UTC - RP8 - Windows Defender Checkpoint
7: 2007-04-30 17:19:08 UTC - RP7 - Installed Windows Installer Clean Up
6: 2007-04-30 14:53:39 UTC - RP6 - Installed Ad-Aware SE Personal
5: 2007-04-29 16:07:21 UTC - RP5 - System Checkpoint


-- First Restore Point --
1: 2007-04-26 16:51:41 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as nic.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:04:59 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\nic\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\nic.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\qohvxdvv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uhcmojut.dll",realset
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 VClone - c:\windows\system32\drivers\vclone.sys <Not Verified; Elaborate Bytes AG; Virtual CloneDrive>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 Ndismeetro (Meetro NDIS Protocol Driver) - c:\windows\system32\drivers\ndismeetro.sys <Not Verified; Meetro; Meetro>
R3 A3AB (D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB)) - c:\windows\system32\drivers\a3ab.sys <Not Verified; D-Link Corporation; D-Link Wireless Network adapter>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>

S3 ENTECH - c:\windows\system32\drivers\entech.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-05-01 02:05:20 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-04-29 19:14:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-04-01 and 2007-05-01 -----------------------------

2007-05-01 12:54:09 0 d-------- C:\Program Files\SpywareBlaster
2007-05-01 12:50:58 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-01 1255 0 d-------- C:\Program Files\Ipwindows
2007-04-30 13:19:11 0 d-------- C:\Program Files\Windows Installer Clean Up
2007-04-30 13:18:49 0 d-------- C:\Program Files\MSECACHE
2007-04-30 10:53:41 0 d-------- C:\Program Files\Lavasoft
2007-04-30 10:50:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-28 08:50:58 0 d-------- C:\WINDOWS\LastGood
2007-04-26 12:14:04 0 d-------- C:\VundoFix Backups
2007-04-26 11:51:35 0 d-------- C:\Program Files\InetGet2
2007-04-25 13:09:32 132660 --a------ C:\WINDOWS\system32\uhcmojut.dll
2007-04-24 18:51:55 0 d-------- C:\Program Files\Windows Defender
2007-04-23 1341 281172 ---hs---- C:\WINDOWS\system32\awvvv.dll
2007-04-23 12:57:08 40183 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2007-04-23 11:22:49 0 d-------- C:\Program Files\QuickTime
2007-04-10 11:12:40 0 d-------- C:\WINDOWS\.jagex_cache_32


-- Find3M Report ---------------------------------------------------------------

2007-05-01 12:42:49 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-05-01 12:10:54 0 d-------- C:\Program Files\Trillian
2007-04-30 10:53:54 0 d-------- C:\Documents and Settings\nic\Application Data\Lavasoft
2007-04-23 16:26:39 0 d-------- C:\Documents and Settings\nic\Application Data\uTorrent
2007-04-23 12:01:43 0 d-------- C:\Program Files\mIRC
2007-04-23 11:15:49 0 d-------- C:\Program Files\Apple Software Update
2007-03-27 23:54:27 0 d-------- C:\Program Files\Logitech
2007-03-15 10:08:13 101438 --a------ C:\WINDOWS\b122.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\qohvxdvv.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} C:\WINDOWS\system32\awtss.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"VirtualCloneDrive"="\"C:\\Program Files\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
@=""
"Launch LGDCore"="\"C:\\Program Files\\Logitech\\G-series Software\\LGDCore.exe\" /SHOWHIDE"
"Launch LCDMon"="\"C:\\Program Files\\Logitech\\G-series Software\\LCDMon.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\uhcmojut.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Startup Manager"="C:\\Documents and Settings\\nic\\Application Data\\Systweak\\ASO 2\\smstartUp manager.exe"
"Gadwin PrintScreen 3.5"="C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3F9D0C61-737D-44D1-BD80-91AF857061CC}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="s3k_autoupdate"
"hkey"="HKCU"
"command"="C:\\Program Files\\Serials3k\\s3k_autoupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IntelMEM"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dff9d237-d3e9-11db-925b-00123fd55adb}]
Shell\AutoRun\command F:\CA_Install.exe


-- End of Deckard's System Scanner: finished at 2007-05-01 at 13:05:42 ---------
Attached Files
File Type: txt extra.txt (12.0 KB, 0 views)
__________________
"Technology is dominated by two types of people. Those who manage what they do not understand and those who understand what they do not manage."
buddha is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-01-2007, 11:04 PM   #4 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Need help with my HJT Log (Hit a dead end)
Hi Buddha,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

We need to disable your Windows Defender real-time protection as it may interfere with the fixes that we need to make.

To disable Windows Defender:
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.


NEXT:

Please download VirtumundoBeGone:
  • Save it to the desktop.
  • Close all running programs (including your Internet browser).
  • Double-click VirtumundoBeGone.exe on the desktop.
  • Follow the directions as indicated.

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process. Do not be concerned. Just reboot if your system "jams".

To confirm successful deletion, and to determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It will be on your desktop.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\qohvxdvv.dll (file missing)
O2 - BHO: (no name) - {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 –k
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uhcmojut.dll",realest


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\uhcmojut.dll
    C:\WINDOWS\system32\uhcmojut.dll
    C:\WINDOWS\b122.exe
    C:\WINDOWS\system32\awvvv.dll
    C:\Program Files\InetGet2

  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the VirtumundoBeGone scan.
  2. The log from the ComboFix scan.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-02-2007, 10:32 AM   #5 (permalink)
Registered User
 
buddha's Avatar
 
Join Date: Mar 2002
Location: Clearwater, Florida
Posts: 16
OS: Win2K/XP/Linux


Send a message via AIM to buddha Send a message via Yahoo to buddha
Re: Need help with my HJT Log (Hit a dead end)
Your instructions were very easy to follow and very appreciated. Here are the logs.


[05/02/2007, 12:05:53] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\nic\Desktop\VirtumundoBeGone.exe" )
[05/02/2007, 1202] - Detected System Information:
[05/02/2007, 1202] - Windows Version: 5.1.2600, Service Pack 2
[05/02/2007, 1202] - Current Username: nic (Admin)
[05/02/2007, 1202] - Windows is in NORMAL mode.
[05/02/2007, 1202] - Searching for Browser Helper Objects:
[05/02/2007, 1202] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[05/02/2007, 1202] - BHO 2: {1557B435-8242-4686-9AA3-9265BF7525A4} ()
[05/02/2007, 1202] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2007, 1202] - Checking for HKLM\...\Winlogon\Notify\qohvxdvv
[05/02/2007, 1202] - Key not found: HKLM\...\Winlogon\Notify\qohvxdvv, continuing.
[05/02/2007, 1202] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/02/2007, 1202] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2007, 1202] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/02/2007, 1202] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/02/2007, 1202] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[05/02/2007, 1202] - BHO 5: {93FF1CC5-3BEE-444C-AF93-AD8E1EE28585} ()
[05/02/2007, 1202] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/02/2007, 1202] - Checking for HKLM\...\Winlogon\Notify\awtss
[05/02/2007, 1202] - Key not found: HKLM\...\Winlogon\Notify\awtss, continuing.
[05/02/2007, 1202] - Finished Searching Browser Helper Objects
[05/02/2007, 1202] - Finishing up...
[05/02/2007, 1202] - Nothing found! Exiting...


DllUnregisterServer procedure not found in C:\WINDOWS\system32\uhcmojut.dll
C:\WINDOWS\system32\uhcmojut.dll NOT unregistered.
C:\WINDOWS\system32\uhcmojut.dll moved successfully.
File/Folder C:\WINDOWS\system32\uhcmojut.dll not found.
C:\WINDOWS\b122.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\awvvv.dll NOT unregistered.
C:\WINDOWS\system32\awvvv.dll moved successfully.
C:\Program Files\InetGet2 moved successfully.

Created on 05/02/2007 12:18:28

"nic" - 07-05-02 12:21:42 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\nic\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\Program Files\ipwindows


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-01 13:01 <DIR> d-------- C:\Deckard
2007-05-01 12:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-05-01 12:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-30 13:19 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-04-30 13:18 <DIR> d-------- C:\Program Files\MSECACHE
2007-04-30 10:53 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 10:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-28 08:50 <DIR> d-------- C:\WINDOWS\LastGood
2007-04-26 12:14 <DIR> d-------- C:\VundoFix Backups
2007-04-24 18:51 <DIR> d-------- C:\Program Files\Windows Defender
2007-04-23 11:22 <DIR> d-------- C:\Program Files\QuickTime
2007-04-10 11:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-02 01:39 152833 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-05-01 12:42 -------- d-------- C:\Program Files\mozilla thunderbird
2007-05-01 12:10 -------- d-------- C:\Program Files\trillian
2007-04-23 12:01 -------- d-------- C:\Program Files\mirc
2007-04-18 12:16 733824 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-18 12:12 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-18 12:12 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-18 12:10 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-18 12:09 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-18 12:07 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-18 12:06 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-03-27 23:54 -------- d-------- C:\Program Files\logitech
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"VirtualCloneDrive"="\"C:\\Program Files\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
@=""
"Launch LGDCore"="\"C:\\Program Files\\Logitech\\G-series Software\\LGDCore.exe\" /SHOWHIDE"
"Launch LCDMon"="\"C:\\Program Files\\Logitech\\G-series Software\\LCDMon.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Startup Manager"="C:\\Documents and Settings\\nic\\Application Data\\Systweak\\ASO 2\\smstartUp manager.exe"
"Gadwin PrintScreen 3.5"="C:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="s3k_autoupdate"
"hkey"="HKCU"
"command"="C:\\Program Files\\Serials3k\\s3k_autoupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IntelMEM"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dff9d237-d3e9-11db-925b-00123fd55adb}]
Shell\AutoRun\command F:\CA_Install.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 12:27:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-02 12:27:38
C:\ComboFix-quarantined-files.txt ... 07-05-02 12:27
__________________
"Technology is dominated by two types of people. Those who manage what they do not understand and those who understand what they do not manage."
buddha is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-02-2007, 10:32 AM   #6 (permalink)
Registered User
 
buddha's Avatar
 
Join Date: Mar 2002
Location: Clearwater, Florida
Posts: 16
OS: Win2K/XP/Linux


Send a message via AIM to buddha Send a message via Yahoo to buddha
Re: Need help with my HJT Log (Hit a dead end)
Logfile of HijackThis v1.99.1
Scan saved at 12:30:50 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Startup Manager] C:\Documents and Settings\nic\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.cherrytap.com/imgs/ImageUploader4.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
__________________
"Technology is dominated by two types of people. Those who manage what they do not understand and those who understand what they do not manage."
buddha is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-02-2007, 09:58 PM   #7 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
Sempurna's Avatar
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Need help with my HJT Log (Hit a dead end)
Hi Buddha,

You’re most welcome, Buddha. I’m glad to hear that you had no problems following the directions I posted.

Let’s see if there’s anything else lurking in your system.

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log.

How are things running now?
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Sempurna is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-03-2007, 03:42 PM   #8 (permalink)
Registered User
 
buddha's Avatar
 
Join Date: Mar 2002
Location: Clearwater, Florida
Posts: 16
OS: Win2K/XP/Linux


Send a message via AIM to buddha Send a message via Yahoo to buddha
Re: Need help with my HJT Log (Hit a dead end)
Everything seems to be running fine and I am not getting any alerts from Avast however Kaspersky Online Scanner found a few things.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 03, 2007 5:34:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/05/2007
Kaspersky Anti-Virus database records: 312908
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84430
Number of viruses found: 12
Number of infected objects: 36 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:48:53

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\_avast4_\unp70060347.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04242007-185224.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\cert8.db Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\formhistory.dat Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\history.dat Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\key3.db Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\parent.lock Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\search.sqlite Object is locked skipped
C:\Documents and Settings\nic\Application Data\Mozilla\Firefox\Profiles\8c37un33.nic\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-3fa4255-77b3e915.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv620.jar-3fa4255-77b3e915.zip ZIP: infected - 1 skipped
C:\Documents and Settings\nic\Application Data\Sun\Java\Deployment\log\plugin142_03.trace Object is locked skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text/[From stephanie e <queenb134698@gmail.com>][Date Sun, 17 Jul 2005 05:22:38 -0400]/text/[From Reed Arvin <reedarvin@gmail.com>][Date Fri, 12 ... /[From Kroma Pierre <kroma@syss.de>][Date Fri, 12 Aug 2005 14:27:05 +0200]/UNNAMED Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text/[From stephanie e <queenb134698@gmail.com>][Date Sun, 17 Jul 2005 05:22:38 -0400]/text/[From Reed Arvin <reedarvin@gmail.com>][Date Fri, 12 Aug 2005 07:50:46 -0700]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text/[From stephanie e <queenb134698@gmail.com>][Date Sun, 17 Jul 2005 05:22:38 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text/[From 6, BAYES_50 0.00, FROM_ENDS_IN_NUMS 0.99,][Date Sat, 16 Jul 2005 17:54:28 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text/[From "David Litchfield" <davidl@ngssoftware.com>][Date Fri, 15 Jul 2005 18:17:25 +0100]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox/[From Nic <calleja@tampabay.rr.com>][Date Fri, 15 Jul 2005 13:40:36 -0400]/text Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Inbox Mail Berkeley mbox: infected - 6 skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text/[From ian.latter@midnightcode.org][Date 18 Jul 2005 03:31:01 -0000]/text/[From "Stefan Kelm" <stefan.kelm@secorvo.de>][Date Mon, 18 Jul 2005 10:28:44 +0200]/text/[From "KF (lists)" <kf_lists@digitalmunition.com>][Date Thu, 11 Aug 2005 23:42:32 -0400]/UNNAMED/[From Kroma Pierre <kroma@syss.de>][Date Fri, 12 Aug 2005 14:27:05 +0200]/UNNAMED Infected: Exploit.Perl.BT.a skipped
C:\Documents and Settings\nic\Application Data\Thunderbird\Profiles\tzks91kp.default\Mail\pop.gmail.com\Trash/[From Nic <calleja@tampabay.rr.com>][Date Sat, 16 Jul 2005 22:37:38 -0400]/text/[From ian.latter@midnightcode.org][Date 18 Jul 2005 03:31:01 -0000]/text/[From "Stefan Kelm" <stefan.kelm@secorvo.de>][Date Mon, 18 Jul 2005 10:28:44 +0200]/text/[From "KF (l