hijack this log

[judie200]

I just want to know if there is something in thehighjach this,that shouldn't be there.I think there are acouple,i'm not sue.Because my windows keep on flickering.Logfile of HijackThis v1.99.1
Scan saved at 1:48:07 PM, on 8/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ViewMate Office Keyboard KU312\Versato.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ViewMate Office Keyboard KU312\OSD.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Judith Pennant.JUDITH-57AVOLJ0\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Enable Office Keyboard Driver.lnk = C:\Program Files\ViewMate Office Keyboard KU312\Versato.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

[sUBs]

1. Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[judie200]

Which site am i suppose to download or do I download both sites you gave me?

[sUBs]

Any one will do.

[judie200]

It told me that I need to have administrative privleges to run this tool.

[sUBs]

Are you not the Administrator of this machine? Reboot to Safe mode & run it from there.


Instructions for getting ot Safe Mode

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

[judie200]

It will not let me do it there either.
How can I become the administrater of this account.
Maybe because I never registered it when i installed the windows I clicked later I would register it.Did I do something wrong by not registering it?

[sUBs]

It may just be a bug with this new version. Download an older copy using this other link

[judie200]

It must have been a bug in the other one.This is what I got from itStart Time= Fri 08/04/2006 18:08:25.46
Running from: C:\Documents and Settings\Judith Pennant.JUDITH-57AVOLJ0\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-02 18:16:48 ( .D... ) "C:\Program Files\MSN"
2006-08-02 18:07:56 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-08-02 12:57:08 99965 ( A.... ) "C:\WINDOWS\UninstallFirefox.exe"
2006-08-02 11:54:32 ( .D... ) "C:\Program Files\MSN Messenger"
2006-07-31 12:09:12 ( .D... ) "C:\Program Files\ViewMate Office Keyboard KU312"
2006-07-27 00:04:10 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-26 23:43:32 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-26 23:08:46 ( .D... ) "C:\Program Files\SpywareGuard"
2006-07-26 22:55:34 ( .D... ) "C:\Program Files\SpywareBlaster"
2006-07-25 1446 ( .D... ) "C:\Program Files\3B Software"
2006-07-25 01:14:24 74 ( A.... ) "C:\WINDOWS\system32\ENoSignature.dll"
2006-05-22 14:43:52 244240 ( A.... ) "C:\WINDOWS\unicows.dll"
2006-05-19 04:51:02 159232 ( A.... ) "C:\WINDOWS\system32\xpob2res.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-04 17:49 132,501,504 C:\hiberfil.sys
2006-08-02 18:19 81,408 C:\WINDOWS\system32\msoert2.dll
2006-08-02 18:19 587,776 C:\WINDOWS\system32\inetcomm.dll
2006-08-02 18:19 47,616 C:\WINDOWS\system32\inetres.dll
2006-08-02 18:19 228,864 C:\WINDOWS\system32\msoeacct.dll
2006-08-02 18:19 226,304 C:\WINDOWS\system32\srrstr.dll
2006-08-02 18:19 221,696 C:\WINDOWS\system32\qmgr.dll
2006-08-02 18:19 17,408 C:\WINDOWS\system32\qmgrprxy.dll
2006-08-02 18:16 9,728 C:\WINDOWS\system32\xolehlp.dll
2006-08-02 18:16 869,376 C:\WINDOWS\system32\msdtctm.dll
2006-08-02 18:16 83,968 C:\WINDOWS\system32\mtxoci.dll
2006-08-02 18:16 82,432 C:\WINDOWS\system32\comrepl.dll
2006-08-02 18:16 582,656 C:\WINDOWS\system32\catsrvut.dll
2006-08-02 18:16 56,832 C:\WINDOWS\system32\colbact.dll
2006-08-02 18:16 495,616 C:\WINDOWS\system32\comuid.dll
2006-08-02 18:16 489,984 C:\WINDOWS\system32\hypertrm.dll
2006-08-02 18:16 468,480 C:\WINDOWS\system32\clbcatq.dll
2006-08-02 18:16 359,936 C:\WINDOWS\system32\msdtcprx.dll
2006-08-02 18:16 215,040 C:\WINDOWS\system32\catsrv.dll
2006-08-02 18:16 151,040 C:\WINDOWS\system32\msdtcuiu.dll
2006-08-02 18:16 113,944 C:\WINDOWS\system32\wuauclt.exe
2006-08-02 18:16 100,864 C:\WINDOWS\system32\clbcatex.dll
2006-08-02 18:16 1,172,992 C:\WINDOWS\system32\comsvcs.dll
2006-08-02 18:16 1,081,112 C:\WINDOWS\system32\wuaueng.dll
2006-08-02 18:07 24,661 C:\WINDOWS\system32\spxcoins.dll
2006-08-02 18:07 13,312 C:\WINDOWS\system32\irclass.dll
2006-07-31 11:56 358,400 C:\WINDOWS\CallVers.exe
2006-07-26 23:27 21,312 C:\WINDOWS\choice.exe
2006-07-26 13:20 113 C:\WINDOWS\system32\zonedon.reg
2006-07-26 13:20 113 C:\WINDOWS\system32\zonedoff.reg
2006-07-25 01:14 74 C:\WINDOWS\system32\ENoSignature.dll
2006-07-24 14:00 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-24 14:00 11,776 C:\WINDOWS\system32\ZPORT4AS.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Windows Registry Repair Pro"="C:\\Program Files\\3B Software\\Windows Registry Repair Pro\\RegistryRepairPro.exe 4"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\not active]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnsyslog]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnsyslog"
"hkey"="HKLM"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\Judith Pennant backup.job
C:\WINDOWS\tasks\Judith Pennant scan and fix.job

Completion time: Fri 08/04/2006 18:08:35.79
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

[sUBs]

Judie, despite the absence of any antivirus programs, your machine appears clean. May I ask why you do not have any antivirus programs installed?

Let's do an online-scan& see if it picks anything up. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

When you have completed that, download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log

[judie200]

I can't get the kaspersky scan to work it keeps telling me its expired.

[sUBs]

Go to Start → Control Panel → Add or Remove Programs and uninstall the following program:

• Kaspersky

Then try again

[judie200]

I did uninstall it, and it told me the same thing, license key expired.

[sUBs]

Just received word from the Kaspersky forums:

Quote:

Originally Posted by Ivan Krasnov on the Kaspersky Forum's

Unfortunately we have occured some difficult problems.
Our developers will release new version of KOS next week.
Now KOS is not available. We are sorry about this situation.
Thank you for understanding.

Please use an alternate scanner - Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

[judie200]

Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:adware/webhancer Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Judith Pennant.JUDITH-57AVOLJ0\Application Data\Mozilla\Firefox\Profiles\7tl6wkpm.default\cookies.txt[.apmebf.com/]

[sUBs]

Will wait for Blacklight's report

[judie200]

08/04/06 21:53:06 [Info]: BlackLight Engine 1.0.42 initialized
08/04/06 21:53:06 [Info]: OS: 5.1 build 2600 (Service Pack 1)
08/04/06 21:53:06 [Note]: 7019 4
08/04/06 21:53:06 [Note]: 7005 0
08/04/06 21:53:10 [Note]: 7006 0
08/04/06 21:53:10 [Note]: 7011 136
08/04/06 21:53:10 [Note]: 7026 0
08/04/06 21:53:11 [Note]: 7026 0
08/04/06 21:53:19 [Note]: FSRAW library version 1.7.1019
08/04/06 21:53:20 [Note]: 7007 0

[sUBs]

Quote:

Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}

Go to start > Run - paste in the following single line command & click OK

Code:

cmd /c reg delete hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179} /f

This will get rid of the malware entry found by Panda & concludes your malware issues. The flickering issues should be related to your graphic card. Guys from the hardware forum will help with that.


Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[judie200]

Thanks for all your time and help.You sure do have alot of patients.