Tech Support Forum > Resolved HJT Threads (resolved spyware and popup issues)
#1
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
HiJacked - please help
The trusted sites keep coming back even after I fix them with HJT. Also getting popups for winantiviruspro.
Logfile of HijackThis v1.99.0
Scan saved at 10:39:31 PM, on 9/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJack This\analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E6DA29EA-3B6C-44EE-B9CA-4F2AB7518315} - C:\WINDOWS\System32\yayyx.dll
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - Trusted IP range: 88.80.5.36
O16 - DPF: {02A5F34E-6AE3-430D-934D-A4A2038DCCA3} (SChartCtrl Class) - http://humanarc.softscape.com/ly/hum...vex/schart.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ohvpn.bristolwest.com/CACHE/...ies/stcweb.cab
O16 - DPF: {327FA9B6-BBC9-4CE1-A4E9-00C71C5537A3} (SDHtmlEditLib.SDHtmlEdit) - https://pathmark.softscape.com/ly/pa...tmleditlib.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1173764483250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://ontrak.smallbizpros.com/eDPN...rt/arview2.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CFEC05A7-790C-4D22-B3E0-EBA34C8CACF2} (LYScripting.FileAccessor) - http://ppm.bristolwest.com/ly/Bristo...yscripting.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...15/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NMIndexingService - Unknown - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Cisco Systems, Inc. STC Agent - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
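An added example, not code from this thread or from HijackThis: a small Python triage that pulls the O2, O15 and O20 entries out of an HJT log and flags the ones matching the symptoms reported above (the Trusted Zone and Trusted IP entries that keep returning, the nameless BHO in System32, and the AppInit_DLLs entry that loads into every process). The sample lines are copied from the log in this post; the rules are this example's own heuristics, not HijackThis's.

```python
"""HijackThis (HJT) log triage helper (added example, not from the thread or HJT).

Pulls the O2 / O15 / O20 entries out of an HJT log and flags the ones that
match the symptoms reported in this thread: Trusted Zone entries that keep
returning, a nameless BHO loading from System32, and an AppInit_DLLs entry.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E6DA29EA-3B6C-44EE-B9CA-4F2AB7518315} - C:\WINDOWS\System32\yayyx.dll
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - Trusted IP range: 88.80.5.36
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
"""

# Every HJT entry starts with a section tag (R0, O2, O15, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O2 entries look like: BHO: <name> - {<clsid>} - <dll path>
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O15"
    entry: str     # text after the tag
    reason: str    # why a defender should look at it


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, entry) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text: str) -> List[Finding]:
    findings = []
    for section, entry in parse_entries(log_text):
        if section == "O15":
            # Trusted Zone sites and IP ranges get relaxed IE security settings.
            # In this thread they come back after removal, which points at a
            # persistence component that re-adds them on every start.
            findings.append(Finding(section, entry,
                "Trusted Zone/IP entry: review it, and expect it to return "
                "until the component re-adding it is removed"))
        elif section == "O2":
            m = BHO_RE.match(entry)
            if m and m.group("name") == "(no name)" and "\\windows\\" in m.group("path").lower():
                # A BHO runs inside every Internet Explorer process. One with no
                # name that lives in the Windows directory is a common adware
                # loading point and deserves a closer look.
                findings.append(Finding(section, entry,
                    "Unnamed BHO loading from the Windows directory"))
        elif section == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings.append(Finding(section, entry,
                "AppInit_DLLs entry: verify the publisher, this DLL is loaded "
                "into nearly every process"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}\n    -> {f.reason}")
```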
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006
Microsoft MVP - Consumer Security 2009
#3
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
ComboFix 07-09-08.7 - "Garofalo family" 2007-09-07 19:33:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.198 [GMT -4:00]
* Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\clsid\{CEA775A5-548C-4048-9114-1A61A2D88444}]
@=""
[HKEY_CLASSES_ROOT\clsid\{CEA775A5-548C-4048-9114-1A61A2D88444}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\clsid\{CEA775A5-548C-4048-9114-1A61A2D88444}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\clsid\{CEA775A5-548C-4048-9114-1A61A2D88444}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Granting SeDebugPrivilege to Administrators ... successful
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\DOWNLO~1\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\system32\ivhjregf.exe
C:\WINDOWS\system32\wovjymhy.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_GB
-------\LEGACY_IPRIP
-------\DomainService
-------\Iprip
((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.
2007-09-07 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-06 22:14 <DIR> d-------- C:\VundoFix Backups
2007-09-06 22:13 113,664 --a------ C:\VundoFix.exe
2007-09-06 21:37 3,166 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-06 21:36 <DIR> d-------- C:\SmitfraudFix
2007-09-06 21:33 1,003,789 --a------ C:\SmitfraudFix.exe
2007-09-06 19:04 2,050,954 ---hs---- C:\WINDOWS\system32\xyyay.bak2
2007-09-06 01:32 <DIR> d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\Ahead
2007-09-06 01:22 <DIR> d-------- C:\Program Files\WinBudget
2007-09-06 01:21 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-06 01:21 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-06 01:20 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-09-06 01:20 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-09-06 01:20 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-09-06 01:20 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-09-06 01:20 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-09-06 01:20 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-09-06 01:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-09-05 23:24 6,448 ---hs---- C:\WINDOWS\system32\xyyay.bak1
2007-09-05 23:21 244,832 --a------ C:\WINDOWS\system32\yayyx.dll
2007-09-05 23:13 <DIR> d-------- C:\Program Files\BitLord
2007-09-05 21:56 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$
2007-09-04 00:08 33,280 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll
2007-09-04 00:08 33,280 --a------ C:\WINDOWS\system32\iprip.dll
2007-09-04 00:08 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-04 00:08 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-03 15:27 78,848 --a------ C:\WINDOWS\system32\INLOADER.DLL
2007-09-03 15:27 298,496 --a------ C:\WINDOWS\uninst.exe
2007-09-03 15:27 <DIR> d-------- C:\Program Files\PCFriendly
2007-08-28 20:50 <DIR> d-------- C:\WINDOWS\system32\bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 01:20 --------- d-------- C:\Program Files\Ahead
2007-09-06 01:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-09-04 21:27 --------- d-------- C:\Program Files\iTunes
2007-09-04 21:26 --------- d-------- C:\Program Files\iPod
2007-09-04 00:24 --------- d-------- C:\Program Files\Google
2007-08-29 00:32 --------- d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\TextPad
2007-08-28 20:57 --------- d-------- C:\Program Files\QuickTime
2007-08-28 20:57 --------- d-------- C:\Program Files\Dell Photo AIO Printer 922
2007-08-20 19:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-16 12:40 --------- d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\AdobeUM
2007-08-06 22:37 --------- d-------- C:\Program Files\Apple Software Update
2007-08-06 22:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-23 17:02 --------- d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\RipIt4Me
2007-07-23 15:48 --------- d-------- C:\Program Files\RipIt4Me
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 66408 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-06-20 20:46 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2004-12-25 20:56 81408 -r-hs---- C:\DOCUME~1\GAROFA~1\APPLIC~1\erht.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC918E32-0E7A-48C5-AA7F-8ED1D8149FAA}]
2007-09-05 23:21 244832 --a------ C:\WINDOWS\System32\yayyx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2007-08-28 20:55]
"WCSE Mgr"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-04 01:12]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 06:50 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2007-08-28 20:55]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-08-28 20:55]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-08-28 20:55]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-08-28 20:55]
"PPScheduler"="C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" [2007-08-28 20:55]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-08-28 20:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-28 20:55]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-04 00:25]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 03:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2004-11-17 22:23:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{32019592-CC9C-4A68-8093-10C38600F294}"= C:\WINDOWS\qxmpejgp.dll [ ]
"{A6386D11-F599-40FA-85BB-3345311BA95C}"= C:\WINDOWS\bsxwxgh.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\yayyx

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
R2 msos;msos;\??\C:\WINDOWS\System32\DRIVERS\msos.sys
R3 cinemclc;CineMaster C 3.0 WDM Main Driver;C:\WINDOWS\System32\drivers\cinemclc.sys
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\System32\DRIVERS\itchfltr.sys
R3 vdmindvd;Cinemaster C WDM DVD Driver;C:\WINDOWS\System32\drivers\vdmindvd.sys
S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
S2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\System32\DRIVERS\ATNT40K.SYS
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\System32\DRIVERS\CSVirtA.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
S4 ISEXEng;ISEXEng;C:\WINDOWS\System32\angelex.exe
S4 oldr;oldr;C:\WINDOWS\System32\oldr.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 07:00:00 C:\WINDOWS\Tasks\backup.job" - C:\WINDOWS\system32\ntbackup.exe
"2007-09-07 13:00:00 C:\WINDOWS\Tasks\system32.job" - C:\WINDOWS\system32
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 19:43:42
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-08 19:45:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 19:45
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:57 PM, on 9/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_05\bin\bak\jusched.exe
C:\WINDOWS\System32\MDM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {02A5F34E-6AE3-430D-934D-A4A2038DCCA3} (SChartCtrl Class) - http://humanarc.softscape.com/ly/hum...vex/schart.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ohvpn.bristolwest.com/CACHE/...ies/stcweb.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {327FA9B6-BBC9-4CE1-A4E9-00C71C5537A3} (SDHtmlEditLib.SDHtmlEdit) - https://pathmark.softscape.com/ly/pa...tmleditlib.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1173764483250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://ontrak.smallbizpros.com/eDPN...rt/arview2.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {CFEC05A7-790C-4D22-B3E0-EBA34C8CACF2} (LYScripting.FileAccessor) - http://ppm.bristolwest.com/ly/Bristo...yscripting.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...15/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 9413 bytes

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 09/08/2007
The current time is: 20:02:45.01

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\DELLPH~1\BAK
03/29/2004 03:12 PM 290,816 dlbtbmgr.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\ITUNES\BAK
07/31/2007 06:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/29/2002 08:00 AM 13,312 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 168,960 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK
10/11/2005 06:25 PM 1,961,984 NBJ.exe
1 File(s) 1,961,984 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK
08/16/2007 08:39 AM 416,256 avgcc.exe
1 File(s) 416,256 bytes

Directory of C:\PROGRA~1\SCANSOFT\PAPERP~1\BAK
10/26/2004 08:08 PM 40,960 IndexSearch.exe
10/26/2004 08:21 PM 98,304 PPScheduler.exe
10/26/2004 08:07 PM 36,864 pptd40nt.exe
3 File(s) 176,128 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
10/03/2005 10:25 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
10/14/2003 11:22 AM 155,648 SSBkgdupdate.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
08/26/2005 06:14 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24080 Aug 28 2007 "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
290816 Mar 29 2004 "C:\Program Files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe"
271672 Aug 15 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 4 2007 "C:\WINDOWS\Installer\{974C05A0-C76C-4724-A9A2-11D5D1355729}\iTunesIco.exe"
116024 Aug 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe"
24080 Aug 28 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
77824 Sep 17 2002 "F:\WINDOWS\SYSTEM\qttask.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
1957888 Apr 14 2005 "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
416256 Sep 4 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
24080 Aug 28 2007 "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
40960 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
24080 Aug 28 2007 "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
98304 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\bak\PPScheduler.exe"
24080 Aug 28 2007 "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
36864 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
24080 Aug 28 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Oct 3 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
24080 Aug 28 2007 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
32881 Sep 28 2004 "C:\Program Files\DeductionPro 2006\JRE\bin\jusched.exe"
24080 Aug 28 2007 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\bak\jusched.exe"

end of report
#4
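The FindAWF report above is the evidence the helper is working from: in the "Duplicate files" list, nearly every program has a 24080-byte file dated Aug 28 2007 sitting where its real executable used to be, while the real executable (original size and date) has been parked in a sibling bak folder. The script below is an added example, not part of this thread and not the FindAWF tool's own code: it re-implements that comparison over a directory tree (every bak\<name> against <parent>\<name>, by size and SHA-256), then groups the replaced live files by hash, because one identical binary masquerading under many program names is the tell-tale. The sample tree it builds (SAMPLE, with LOADER standing in for the real loader bytes) is constructed for the demo, and the function names are mine.

```python
"""Re-implement the check FindAWF's report implies: for every 'bak' directory,
compare each parked file with the same-named live file in the parent
directory, then flag live files that (a) no longer match their backup and
(b) are byte-identical to other replaced live files."""
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    live: str            # file that actually runs from the Run key / startup
    backup: str          # copy parked in <dir>\bak\
    live_size: int
    backup_size: int
    same_content: bool   # True when the live file still matches its backup


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_dirs(root: Path) -> List[Finding]:
    """Walk root and compare every bak\\<name> with <parent>\\<name>."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in sorted(filenames):
            backup = bak_dir / name
            live = bak_dir.parent / name
            if not live.is_file():
                continue   # parked copy with no live counterpart: nothing to compare
            live_size, backup_size = live.stat().st_size, backup.stat().st_size
            same = live_size == backup_size and sha256_of(live) == sha256_of(backup)
            findings.append(Finding(str(live), str(backup), live_size, backup_size, same))
    return findings


def loader_groups(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group replaced live files by content hash. Two or more unrelated
    programs sharing one identical binary is the loader fingerprint
    (the 24080-byte file repeated throughout the report above)."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if not f.same_content:
            by_hash[sha256_of(Path(f.live))].append(f.live)
    return {h: paths for h, paths in by_hash.items() if len(paths) >= 2}


# Constructed sample tree (hypothetical contents; names follow the report above).
LOADER = b"MZ" + b"\x90" * 30          # stand-in for the small loader binary
SAMPLE = {
    "Program Files/QuickTime/QTTask.exe": LOADER,
    "Program Files/QuickTime/bak/QTTask.exe": b"MZ-original-qttask",
    "Program Files/ScanSoft/PaperPort/pptd40nt.exe": LOADER,
    "Program Files/ScanSoft/PaperPort/bak/pptd40nt.exe": b"MZ-original-pptd40nt",
    "Program Files/iTunes/iTunesHelper.exe": b"MZ-original-ituneshelper",
    "Program Files/iTunes/bak/iTunesHelper.exe": b"MZ-original-ituneshelper",
}


def run_demo() -> Dict[str, object]:
    """Build SAMPLE in a temp dir, scan it and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        findings = scan_bak_dirs(root)
        groups = loader_groups(findings)
    replaced = sorted(Path(f.live).name for f in findings if not f.same_content)
    intact = sorted(Path(f.live).name for f in findings if f.same_content)
    return {
        "replaced": replaced,
        "intact": intact,
        "loader_group_sizes": sorted(len(v) for v in groups.values()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point scan_bak_dirs at C:\ (or at Program Files and system32, where the report found its bak folders) to reproduce the comparison on a real machine; iTunesHelper.exe in the sample is the case the report also shows, where the live file and its backup still match and nothing needs restoring.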
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Double-click FindAWF.exe to start the tool.
----------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
Please return with the logs from:
ComboFix
FindAWF
HijackThis
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009
#5
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
Thanks for the reply, guy...
Two questions:
1. Can I attach the log files as attachments, or do I need to paste the text here? I am sending them as attachments, so pls let me know if that's okay...
2. Was I supposed to be offline when completing the steps in your last post?
Thanks

hijackthis.txt
awf.txt
ComboFix.txt

ComboFix 07-09-08.7 - "Garofalo family" 2007-09-08 21:39:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.152 [GMT -4:00]
* Created a new restore point

FILE::
C:\WINDOWS\Tasks\system32.job
C:\WINDOWS\system32\xyyay.bak2
C:\WINDOWS\system32\xyyay.bak1
C:\WINDOWS\system32\yayyx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\efcywtr.dll.bad
C:\WINDOWS\system32\ocfmluum.exe
C:\WINDOWS\system32\xyyay.bak1
C:\WINDOWS\system32\xyyay.bak2
C:\WINDOWS\system32\yayyx.dll
C:\WINDOWS\Tasks\system32.job

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.
2007-09-08 19:59 <DIR> d-------- C:\Program Files\Trend Micro 2007-09-07 19:32 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-09-06 22:13 113,664 --a------ C:\VundoFix.exe 2007-09-06 21:37 3,166 --a------ C:\WINDOWS\system32\tmp.reg 2007-09-06 21:36 <DIR> d-------- C:\SmitfraudFix 2007-09-06 21:33 1,003,789 --a------ C:\SmitfraudFix.exe 2007-09-06 01:32 <DIR> d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\Ahead 2007-09-06 01:21 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys 2007-09-06 01:21 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys 2007-09-06 01:20 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll 2007-09-06 01:20 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll 2007-09-06 01:20 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll 2007-09-06 01:20 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2007-09-06 01:20 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll 2007-09-06 01:20 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll 2007-09-06 01:20 <DIR> d-------- C:\Program Files\Common Files\Ahead 2007-09-05 23:13 <DIR> d-------- C:\Program Files\BitLord 2007-09-05 21:56 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$ 2007-09-04 00:08 33,280 --a--c--- C:\WINDOWS\system32\dllcache\iprip.dll 2007-09-04 00:08 33,280 --a------ C:\WINDOWS\system32\iprip.dll 2007-09-04 00:08 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll 2007-09-04 00:08 18,944 --a------ C:\WINDOWS\system32\simptcp.dll 2007-09-03 15:27 78,848 --a------ C:\WINDOWS\system32\INLOADER.DLL 2007-09-03 15:27 298,496 --a------ C:\WINDOWS\uninst.exe 2007-09-03 15:27 <DIR> d-------- C:\Program Files\PCFriendly 2007-08-28 20:50 <DIR> d-------- C:\WINDOWS\system32\bak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2007-09-06 01:20 --------- d-------- C:\Program Files\Ahead 2007-09-06 01:08 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead 2007-09-04 21:27 --------- d-------- C:\Program Files\iTunes 2007-09-04 21:26 --------- d-------- C:\Program Files\iPod 2007-09-04 00:24 --------- d-------- C:\Program Files\Google 2007-08-29 00:32 --------- d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\TextPad 2007-08-28 20:57 --------- d-------- C:\Program Files\QuickTime 2007-08-28 20:57 --------- d-------- C:\Program Files\Dell Photo AIO Printer 922 2007-08-20 19:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink 2007-08-16 12:40 --------- d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\AdobeUM 2007-08-06 22:37 --------- d-------- C:\Program Files\Apple Software Update 2007-08-06 22:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple 2007-07-23 17:02 --------- d-------- C:\DOCUME~1\GAROFA~1\APPLIC~1\RipIt4Me 2007-07-23 15:48 --------- d-------- C:\Program Files\RipIt4Me 2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll 2007-07-20 00:54 66408 --a------ C:\WINDOWS\system32\dxdllreg.exe 2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll 2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll 2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll 2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll 2007-06-20 20:46 266088 --a------ C:\WINDOWS\system32\xactengine2_8.dll 2004-12-25 20:56 81408 -r-hs---- C:\DOCUME~1\GAROFA~1\APPLIC~1\erht.exe . ((((((((((((((((((((((((((((( snapshot_2007-09-08_194447.01 ))))))))))))))))))))))))))))))))))))))))) . 
----a-w 7,680 2004-07-01 22:08:18 C:\WINDOWS\system32\bitsprx2.dll ----a-w 7,168 2004-07-01 22:08:18 C:\WINDOWS\system32\bitsprx3.dll --s-a-r 224,573 2004-12-20 07:13:07 C:\WINDOWS\system32\en4ol1h31.dll ----a-w 569,344 2001-07-06 19:41:30 C:\WINDOWS\system32\imagr5.dll ----a-w 544,768 2001-07-06 17:44:46 C:\WINDOWS\system32\imagx5.dll ----a-w 283,920 2001-07-06 23:24:18 C:\WINDOWS\system32\ImagXpr5.dll ----a-w 152,064 2002-11-08 10:50:00 C:\WINDOWS\system32\lmoufrc.dll ----a-w 974,848 2002-01-05 09:48:16 C:\WINDOWS\system32\mfc70.dll ----a-w 54,784 2002-01-05 08:38:36 C:\WINDOWS\system32\msvci70.dll ----a-w 487,424 2002-01-05 08:40:18 C:\WINDOWS\system32\msvcp70.dll ----a-w 344,064 2002-01-05 08:37:26 C:\WINDOWS\system32\msvcr70.dll ----a-w 348,160 2004-02-25 16:05:28 C:\WINDOWS\system32\msvcr71.dll ----a-w 24,576 2001-08-18 03:43:40 C:\WINDOWS\system32\msxml3a.dll ----a-w 38,912 2001-06-26 13:15:46 C:\WINDOWS\system32\picn20.dll ----a-w 207,872 1998-08-25 02:27:24 C:\WINDOWS\system32\RDMWIN32.DLL ----a-w 14,048 2006-01-19 19:29:19 C:\WINDOWS\system32\spmsg.dll ----a-w 60,416 2007-01-29 08:58:06 C:\WINDOWS\system32\tzchange.exe ----a-w 92,208 1996-02-28 07:00:00 C:\WINDOWS\system32\wing.dll ----a-w 12,800 1996-02-28 07:00:00 C:\WINDOWS\system32\wing32.dll ----a-w 188,960 1996-02-28 07:00:00 C:\WINDOWS\system32\wingde.dll ----a-w 158,720 2004-06-30 23:59:25 C:\WINDOWS\system32\xpob2res.dll ----a-w 361,984 2004-07-01 22:08:18 C:\WINDOWS\system32\bits\qmgr.dll . 
------w 7,680 2004-07-01 22:08:18 C:\WINDOWS\system32\bitsprx2.dll ------w 7,168 2004-07-01 22:08:18 C:\WINDOWS\system32\bitsprx3.dll --s---r 224,573 2004-12-20 07:13:07 C:\WINDOWS\system32\en4ol1h31.dll ------w 569,344 2001-07-06 19:41:30 C:\WINDOWS\system32\imagr5.dll ------w 544,768 2001-07-06 17:44:46 C:\WINDOWS\system32\imagx5.dll ------w 283,920 2001-07-06 23:24:18 C:\WINDOWS\system32\ImagXpr5.dll ------w 152,064 2002-11-08 10:50:00 C:\WINDOWS\system32\lmoufrc.dll ------w 974,848 2002-01-05 09:48:16 C:\WINDOWS\system32\mfc70.dll ------w 54,784 2002-01-05 08:38:36 C:\WINDOWS\system32\msvci70.dll ------w 487,424 2002-01-05 08:40:18 C:\WINDOWS\system32\msvcp70.dll ------w 344,064 2002-01-05 08:37:26 C:\WINDOWS\system32\msvcr70.dll ------w 348,160 2004-02-25 16:05:28 C:\WINDOWS\system32\msvcr71.dll ------w 24,576 2001-08-18 03:43:40 C:\WINDOWS\system32\msxml3a.dll ------w 38,912 2001-06-26 13:15:46 C:\WINDOWS\system32\picn20.dll ------w 207,872 1998-08-25 02:27:24 C:\WINDOWS\system32\RDMWIN32.DLL ------w 14,048 2006-01-19 19:29:19 C:\WINDOWS\system32\spmsg.dll ------w 60,416 2007-01-29 08:58:06 C:\WINDOWS\system32\tzchange.exe ------w 92,208 1996-02-28 07:00:00 C:\WINDOWS\system32\wing.dll ------w 12,800 1996-02-28 07:00:00 C:\WINDOWS\system32\wing32.dll ------w 188,960 1996-02-28 07:00:00 C:\WINDOWS\system32\wingde.dll ------w 158,720 2004-06-30 23:59:25 C:\WINDOWS\system32\xpob2res.dll ------w 361,984 2004-07-01 22:08:18 C:\WINDOWS\system32\bits\qmgr.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2007-08-28 20:55]
"WCSE Mgr"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-04 01:12]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 06:50 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2007-08-28 20:55]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-08-28 20:55]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-08-28 20:55]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-08-28 20:55]
"PPScheduler"="C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" [2007-08-28 20:55]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-08-28 20:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-28 20:55]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-04 00:25]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 08:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 03:22:40]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2004-11-17 22:23:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
R2 msos;msos;\??\C:\WINDOWS\System32\DRIVERS\msos.sys
R3 cinemclc;CineMaster C 3.0 WDM Main Driver;C:\WINDOWS\System32\drivers\cinemclc.sys
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\System32\DRIVERS\itchfltr.sys
R3 vdmindvd;Cinemaster C WDM DVD Driver;C:\WINDOWS\System32\drivers\vdmindvd.sys
S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
S2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\System32\DRIVERS\ATNT40K.SYS
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\System32\DRIVERS\CSVirtA.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
S4 ISEXEng;ISEXEng;C:\WINDOWS\System32\angelex.exe
S4 oldr;oldr;C:\WINDOWS\System32\oldr.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 07:00:00 C:\WINDOWS\Tasks\backup.job" - C:\WINDOWS\system32\ntbackup.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 21:45:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 21:47:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 21:47
C:\ComboFix2.txt ... 2007-09-08 19:45
.
--- E O F --- Find AWF report by noahdfear ©2006 Version 1.40 Option 2 run successfully The current date is: Sat 09/08/2007 The current time is: 21:52:31.46 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\DELLPH~1\BAK 03/29/2004 03:12 PM 290,816 dlbtbmgr.exe 1 File(s) 290,816 bytes Directory of C:\PROGRA~1\ITUNES\BAK 07/31/2007 06:44 PM 271,672 iTunesHelper.exe 1 File(s) 271,672 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 06/29/2007 06:24 AM 286,720 QTTask.exe 1 File(s) 286,720 bytes Directory of C:\WINDOWS\SYSTEM32\BAK 08/29/2002 08:00 AM 13,312 ctfmon.exe 07/09/2001 10:50 AM 155,648 NeroCheck.exe 2 File(s) 168,960 bytes Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK 10/11/2005 06:25 PM 1,961,984 NBJ.exe 1 File(s) 1,961,984 bytes Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK 08/16/2007 08:39 AM 416,256 avgcc.exe 1 File(s) 416,256 bytes Directory of C:\PROGRA~1\SCANSOFT\PAPERP~1\BAK 10/26/2004 08:08 PM 40,960 IndexSearch.exe 10/26/2004 08:21 PM 98,304 PPScheduler.exe 10/26/2004 08:07 PM 36,864 pptd40nt.exe 3 File(s) 176,128 bytes Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK 10/03/2005 10:25 PM 180,269 realsched.exe 1 File(s) 180,269 bytes Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK 10/14/2003 11:22 AM 155,648 SSBkgdupdate.exe 1 File(s) 155,648 bytes Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK 08/26/2005 06:14 PM 36,975 jusched.exe 1 File(s) 36,975 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 290816 Mar 29 2004 "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" 290816 Mar 29 2004 "C:\Program Files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe" 271672 Aug 15 2007 "C:\Program Files\iTunes\iTunesHelper.exe" 271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe" 102400 Sep 4 2007 "C:\WINDOWS\Installer\{974C05A0-C76C-4724-A9A2-11D5D1355729}\iTunesIco.exe" 116024 Aug 15 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe" 
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe" 286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe" 77824 Sep 17 2002 "F:\WINDOWS\SYSTEM\qttask.exe" 13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe" 13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe" 155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe" 155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe" 1957888 Apr 14 2005 "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" 1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe" 416256 Sep 4 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe" 416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe" 40960 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" 40960 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe" 98304 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" 98304 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\bak\PPScheduler.exe" 36864 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" 36864 Oct 26 2004 "C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe" 180269 Oct 3 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" 180269 Oct 3 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" 155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" 155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe" 32881 Sep 28 2004 "C:\Program Files\DeductionPro 2006\JRE\bin\jusched.exe" 36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" 36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\bak\jusched.exe" end of report Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:56:19 PM, on 9/8/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\devldr32.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\QUICKENW\QWDLLS.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\MDM.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" O4 - 
HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: 
Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM) O16 - DPF: {02A5F34E-6AE3-430D-934D-A4A2038DCCA3} (SChartCtrl Class) - http://humanarc.softscape.com/ly/hum...vex/schart.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://ohvpn.bristolwest.com/CACHE/...ies/stcweb.cab O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab O16 - DPF: {327FA9B6-BBC9-4CE1-A4E9-00C71C5537A3} (SDHtmlEditLib.SDHtmlEdit) - https://pathmark.softscape.com/ly/pa...tmleditlib.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1173764483250 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://ontrak.smallbizpros.com/eDPN...rt/arview2.cab O16 - DPF: 
{A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab O16 - DPF: {CFEC05A7-790C-4D22-B3E0-EBA34C8CACF2} (LYScripting.FileAccessor) - http://ppm.bristolwest.com/ly/Bristo...yscripting.cab O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...15/mcfscan.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe -- End of file - 9183 bytes Last edited by tetonbob; 09-07-2007 at 07:53 PM. |
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Once we've got control of the main infection, as we now do, disconnecting is not as necessary, though it's never a bad idea. Helps prevent the bad guys from calling out while they're under attack.
Prefer if you post the logs in reply, rather than attach them. Easier to read in that form. Thanks.

Double-click FindAWF.exe to start the tool.
#7
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sat 09/08/2007
The current time is: 23:42:02.49

bak folders found
~~~~~~~~~~~

 Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

10/11/2005 06:25 PM 1,961,984 NBJ.exe
 1 File(s) 1,961,984 bytes

 Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK

10/14/2003 11:22 AM 155,648 SSBkgdupdate.exe
 1 File(s) 155,648 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1957888 Apr 14 2005 "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"

end of report
#8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Good work. Looks like one stuck around. Let's try again.
Double-click FindAWF.exe to start the tool.
Double-click FindAWF.exe to start the tool.
Download ResetProtocolDefaults.reg to your desktop.
Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge
(Ok the prompt)
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
#9
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
Damn, looks like the pesky one is still there?

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 09/09/2007
The current time is: 0:19:24.22

bak folders found
~~~~~~~~~~~

 Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

10/11/2005 06:25 PM 1,961,984 NBJ.exe
 1 File(s) 1,961,984 bytes

 Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK

10/14/2003 11:22 AM 155,648 SSBkgdupdate.exe
 1 File(s) 155,648 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1957888 Apr 14 2005 "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
1961984 Oct 11 2005 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"

end of report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:14 AM, on 9/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\dlbtcoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...6.1&bm=ho_home
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run]
C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {02A5F34E-6AE3-430D-934D-A4A2038DCCA3} (SChartCtrl Class) - http://humanarc.softscape.com/ly/hum...vex/schart.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - 
https://ohvpn.bristolwest.com/CACHE/...ies/stcweb.cab O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab O16 - DPF: {327FA9B6-BBC9-4CE1-A4E9-00C71C5537A3} (SDHtmlEditLib.SDHtmlEdit) - https://pathmark.softscape.com/ly/pa...tmleditlib.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1173764483250 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://ontrak.smallbizpros.com/eDPN...rt/arview2.cab O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab O16 - DPF: {CFEC05A7-790C-4D22-B3E0-EBA34C8CACF2} (LYScripting.FileAccessor) - http://ppm.bristolwest.com/ly/Bristo...yscripting.cab O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! 
Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.co...oadControl.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...15/mcfscan.cab O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe -- End of file - 8938 bytes
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Well, it holds a legit, clean file, so it's not really a problem. We're just tidying up.
See if you can navigate to it, and manually delete it:
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\bak
Let me know how that goes.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Good work.
This next step will take a while. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
#13
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Here you go...
------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, September 09, 2007 1:39:11 PM Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600) Kaspersky Online Scanner version: 5.0.93.1 Kaspersky Anti-Virus database last update: 8/09/2007 Kaspersky Anti-Virus database records: 410282 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ Scan Statistics: Total number of scanned objects: 144589 Number of viruses found: 27 Number of infected objects: 56 Number of suspicious objects: 8 Duration of the scan process: 03:50:34 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip/msexreg.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy18.zip/msexreg.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & 
Destroy\Recovery\eXactAdvertisingBargainsBuddy18.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy34.zip/msexreg.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy34.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip/124844.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\Garofalo family\Application Data\acccore\nss\cert8.db Object is locked skipped C:\Documents and Settings\Garofalo family\Application Data\acccore\nss\key3.db Object is locked skipped C:\Documents and Settings\Garofalo family\Application Data\AIMPro\log\aimpro.exe_PL_Trace.txt Object is locked skipped C:\Documents and Settings\Garofalo family\Application Data\AIMPro\log\apExtCmp.log Object is locked skipped C:\Documents and Settings\Garofalo family\Application Data\erht.exe Infected: not-a-virus:AdWare.Win32.PurityScan.w skipped C:\Documents and Settings\Garofalo family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-4ef464a-68483aa6.class Infected: Exploit.Java.Gimsh.a skipped C:\Documents and Settings\Garofalo family\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application 
Data\Google\Google Desktop Search\dbeam Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\hp Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\hpt2i.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\rpm1n.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\rpm1n1m.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\rpm1n1mh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\rpm1nh.ht1 Object is locked skipped C:\Documents and 
Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashm.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashmh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlm.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlmh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainm.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainmh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainm.cf1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainmh.ht1 Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Temp\trace.txt Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Temp\tricon-aol.txt Object is locked skipped C:\Documents and 
Settings\Garofalo family\Local Settings\Temp\~DF25E6.tmp Object is locked skipped C:\Documents and Settings\Garofalo family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Garofalo family\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Garofalo family\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software 
Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000007.FCS Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped C:\Program Files\Kodak\KODAK Software 
Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped C:\Program Files\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped C:\Program Files\radmin22\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped C:\Program Files\radmin22\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped C:\Program Files\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped C:\Program Files\Trend Micro\HijackThis\HijackThis.exe Object is locked skipped C:\qoobox\Quarantine\C\VundoFix Backups\efcywtr.dll.bad.vir Infected: Trojan.Win32.Agent.bew skipped C:\qoobox\Quarantine\C\WINDOWS\DOWNLO~1\UDC6_0001_D19M1908NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped C:\qoobox\Quarantine\C\WINDOWS\system32\ivhjregf.exe.vir Infected: Trojan.Win32.Agent.bck skipped C:\qoobox\Quarantine\C\WINDOWS\system32\ocfmluum.exe.vir Infected: Trojan.Win32.Agent.bck skipped C:\qoobox\Quarantine\C\WINDOWS\system32\wovjymhy.exe.vir Infected: Trojan.Win32.Agent.bck skipped C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\SmitfraudFix.exe RarSFX: infected - 2 skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP892\A0063587.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP892\A0063587.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP892\A0063587.exe RarSFX: infected - 2 skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP971\A0070378.exe/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a 
skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP971\A0070378.exe/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP971\A0070378.exe ZIP: infected - 2 skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP971\A0070380.exe Infected: Trojan-Downloader.Win32.IstBar.gv skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP972\A0070427.dll Infected: Trojan.Win32.Agent.bew skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP973\A0070488.exe Infected: Trojan.Win32.Agent.bck skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP973\A0070489.exe Infected: Trojan.Win32.Agent.bck skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP973\A0070554.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP973\A0070554.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP973\A0070554.exe RarSFX: infected - 2 skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP975\A0070687.exe Infected: Trojan.Win32.Agent.bck skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP975\A0070694.dll Object is locked skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP975\A0070718.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped C:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP975\change.log Object is locked skipped C:\upgradetb093.exe Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped C:\WINDOWS\Debug\oakley.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is 
locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped C:\WINDOWS\system32\drivers\msos.sys Infected: Trojan.Win32.Zapchast skipped C:\WINDOWS\system32\en4ol1h31.dll Infected: not-a-virus:AdWare.Win32.Look2Me.u skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\oldr.exe Infected: Backdoor.Win32.Masteseq.gen skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped F:\WINDOWS\SYSTEM\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped F:\WINDOWS\SYSTEM\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped F:\WINDOWS\SYSTEM\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped F:\WINDOWS\SYSTEM\td01.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.l skipped F:\WINDOWS\TEMP\THI3515.TMP\wsebate0.exe/data0121 
Infected: not-a-virus:AdWare.Win32.HelpExpress skipped F:\WINDOWS\TEMP\THI3515.TMP\wsebate0.exe NSIS: infected - 1 skipped F:\WINDOWS\TEMP\THI2E8E.TMP\wsebate0.exe/data0121 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped F:\WINDOWS\TEMP\THI2E8E.TMP\wsebate0.exe NSIS: infected - 1 skipped F:\WINDOWS\Application Data\plg_ie0.dll Infected: not-a-virus:AdWare.Win32.Lop skipped F:\WINDOWS\Downloaded Program Files\webdlg32.dll Infected: not-a-virus:AdWare.Win32.SBSoft.g skipped F:\WINDOWS\newdotnet3_36.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped F:\Program Files\Internet Explorer\PLUGINS\NPONFLOW.DLL Infected: not-a-virus:AdWare.Win32.OnFlow skipped F:\Program Files\Internet Explorer\PLUGINS\onflowreport.exe Infected: not-a-virus:AdWare.Win32.OnFlow skipped F:\Program Files\Norton AntiVirus\Quarantine\2B0E38B9.scr Infected: Email-Worm.Win32.Lentin.g skipped F:\Program Files\Netscape\Communicator\Program\Plugins\nponflow.dll Infected: not-a-virus:AdWare.Win32.OnFlow skipped F:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped F:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped F:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped F:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped F:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c skipped F:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c skipped F:\Program Files\Ebates_MoeMoneyMaker\disp350.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c skipped F:\System Volume Information\_restore{1E689687-029D-4B6B-A644-C3C3CAF178A6}\RP975\change.log Object is locked skipped Scan process completed. |
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
What is your F drive, please?
I need a bit more information: Create an uninstall list:
#15
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
My F: drive is a spare HDD that I use for storage.
Houston, we have a problem. I think HJT got infected somehow. When I attempted to open it, AVG came up with an infection warning, saying hijackthis.exe was infected with a "Worm/generic.DHT". I attempted to deinstall HJT but add/remove programs was unable to do so, so I deleted it manually, emptied the recycle bin, re-downloaded the file, then disconnected from the internet and rebooted, and when I attempted to reinstall I got the same message. Help?
#16
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
Update-- my instinct told me this was a false positive, so I downloaded the latest update from AVG and sure enough it let me install HJT with no virus warning!
As I mentioned, F: is an old HD I use for storage. Here is the log, brother. Many thanks, Dave

#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Yes, that was a false positive report. Good work.
Open notepad and copy/paste the text in the quotebox below into it: Quote:
Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009
#18
Registered User
Join Date: Sep 2007
Posts: 12
OS: WinXP
Re: HiJacked - please help
ComboFix 07-09-08.7 - "Garofalo family" 2007-09-09 0:44:34.3 - NTFSx86
#19
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 42,269
OS: 2000 Pro; XP Pro; XP Home
Re: HiJacked - please help
Good. How is your system behaving, please?