Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 01-01-2008, 09:47 AM   #1 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 38
OS: xp


DSS log

For the last 2 weeks, I have had several pop-ups, registry change requests and dead websites. If I reboot, the website performs normally, but after 30 min I need to reboot again. The DSS scan did not give me an extra text file.

Deckard's System Scanner v20070905.67
Run by Admin on 2008-01-01 08:03:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 384 MiB (512 MiB recommended).


-- HijackThis (run as Admin.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2008-01-01 0846
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
D:\WINDOWS\system32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Internet Call Director\ICD.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Admin\Desktop\dss.exe
D:\Program Files\Trend Micro\HijackThis\Admin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - D:\WINDOWS\system32\4Sx024va.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKEY_LOCAL_MACHINE\..\Run: [Printer] D:\WINDOWS\system32\printer.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Internet Call Director.LNK = D:\Program Files\Internet Call Director\ICD.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191770462879
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191776916633
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{3613A810-532C-4085-BF7A-264CF5255B75}: NameServer = 209.139.247.254 209.53.200.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - "D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"


-- Files created between 2007-12-01 and 2008-01-01 -----------------------------

2008-01-01 07:38:32 0 d-------- D:\WINDOWS\LastGood
2007-12-19 17:39:38 184320 --a------ D:\WINDOWS\system32\4Sx024va.dll <Not Verified; ; WebAssist>
2007-12-19 15:23:55 184320 --a------ D:\WINDOWS\system32\4TEs87l5.dll <Not Verified; ; WebAssist>
2007-12-19 12:52:32 184320 --a------ D:\WINDOWS\system32\G7B185W0.dll <Not Verified; ; WebAssist>
2007-12-19 10:51:28 184320 --a------ D:\WINDOWS\system32\bBNB0s0A.dll <Not Verified; ; WebAssist>
2007-12-19 08:33:59 184320 --a------ D:\WINDOWS\system32\Hab47Hhv.dll <Not Verified; ; WebAssist>
2007-12-17 22:02:49 184320 --a------ D:\WINDOWS\system32\6EkWydWv.dll <Not Verified; ; WebAssist>
2007-12-17 20:01:56 184320 --a------ D:\WINDOWS\system32\LHX5e3KH.dll <Not Verified; ; WebAssist>
2007-12-17 15:44:53 184320 --a------ D:\WINDOWS\system32\2M0168h7.dll <Not Verified; ; WebAssist>
2007-12-17 08:45:09 184320 --a------ D:\WINDOWS\system32\UpiW0yGK.dll <Not Verified; ; WebAssist>
2007-12-17 01:57:52 184320 --a------ D:\WINDOWS\system32\3HP5D0aN.dll <Not Verified; ; WebAssist>
2007-12-16 21:22:37 184320 --a------ D:\WINDOWS\system32\p73D0r4b.dll <Not Verified; ; WebAssist>
2007-12-16 17:05:35 184320 --a------ D:\WINDOWS\system32\dLs8Gjl7.dll <Not Verified; ; WebAssist>
2007-12-16 15:04:43 184320 --a------ D:\WINDOWS\system32\8PG263r6.dll <Not Verified; ; WebAssist>
2007-12-14 15:35:16 184320 --a------ D:\WINDOWS\system32\ipJf0wBT.dll <Not Verified; ; WebAssist>
2007-12-13 14:00:31 184320 --a------ D:\WINDOWS\system32\2yR2p74v.dll <Not Verified; ; WebAssist>
2007-12-12 15:30:55 184320 --a------ D:\WINDOWS\system32\uHqkqq25.dll <Not Verified; ; WebAssist>
2007-12-06 19:15:52 184320 --a------ D:\WINDOWS\system32\6fxDR543.dll <Not Verified; ; WebAssist>
2007-12-06 17:14:20 184320 --a------ D:\WINDOWS\system32\h6rd5gxN.dll <Not Verified; ; WebAssist>
2007-12-06 13:16:51 184320 --a------ D:\WINDOWS\system32\mx85nce7.dll <Not Verified; ; WebAssist>
2007-12-05 13:58:27 184320 --a------ D:\WINDOWS\system32\H37Qb5O8.dll <Not Verified; ; WebAssist>
2007-12-01 15:34:58 27200 --a------ D:\WINDOWS\system32\e8EboY1G.exe


-- Find3M Report ---------------------------------------------------------------

Nothing modified in this timespan.


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
12/19/2007 05:39 PM 184320 --a------ D:\WINDOWS\system32\4Sx024va.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" []
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:25 AM]
"Printer"="D:\WINDOWS\system32\printer.exe" []
"KernelFaultCheck"="D:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"Uniblue RegistryBooster 2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

D:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Internet Call Director.LNK - D:\Program Files\Internet Call Director\ICD.EXE [12/2/2006 3:17:51 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-01-01 08:09:13 ------------
Old 01-03-2008, 01:13 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: DSS log

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - D:\WINDOWS\system32\4Sx024va.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [Printer] D:\WINDOWS\system32\printer.exe



---------------


www.bleepingcomputer.com
www.forospyware.com
www.geekstogo.com

1. Please choose from any of the above links. Download the file & Save it to Desktop.

2. Double click on ComboFix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Old 01-03-2008, 05:54 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 38
OS: xp


Re: DSS log

HijackThis did not locate the following for me to check/fix:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore



ComboFix 08-01-04.1 - Admin 2008-01-03 16:32:02.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT -8:00]
Running from: D:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\msettings.ini
D:\WINDOWS\system32\2M0168h7.dll
D:\WINDOWS\system32\2yR2p74v.dll
D:\WINDOWS\system32\3HP5D0aN.dll
D:\WINDOWS\system32\4Sx024va.dll
D:\WINDOWS\system32\4TEs87l5.dll
D:\WINDOWS\system32\6EkWydWv.dll
D:\WINDOWS\system32\6fxDR543.dll
D:\WINDOWS\system32\8PG263r6.dll
D:\WINDOWS\system32\bBNB0s0A.dll
D:\WINDOWS\system32\dLs8Gjl7.dll
D:\WINDOWS\system32\G7B185W0.dll
D:\WINDOWS\system32\H37Qb5O8.dll
D:\WINDOWS\system32\h6rd5gxN.dll
D:\WINDOWS\system32\Hab47Hhv.dll
D:\WINDOWS\system32\ipJf0wBT.dll
D:\WINDOWS\system32\LHX5e3KH.dll
D:\WINDOWS\system32\mx85nce7.dll
D:\WINDOWS\system32\p73D0r4b.dll
D:\WINDOWS\system32\uHqkqq25.dll
D:\WINDOWS\system32\UpiW0yGK.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-03 16:31 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-03 11:29 . 2008-01-03 11:29 604 --a------ D:\WINDOWS\system32\msexcr.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 23:34 27,200 ----a-w D:\WINDOWS\system32\e8EboY1G.exe
2004-10-01 23:00 40,960 ----a-w D:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"Uniblue RegistryBooster 2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-09-27 18:41 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 12:00 53760 D:\WINDOWS\system32\narrator.exe]

D:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Internet Call Director.LNK - D:\Program Files\Internet Call Director\ICD.EXE [2006-12-02 15:17:51]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;D:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2004-01-08 20:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 08:00:46 D:\WINDOWS\Tasks\At1.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 09:00:46 D:\WINDOWS\Tasks\At2.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 10:00:46 D:\WINDOWS\Tasks\At3.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 11:00:46 D:\WINDOWS\Tasks\At4.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 12:00:46 D:\WINDOWS\Tasks\At5.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 13:00:46 D:\WINDOWS\Tasks\At6.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 14:00:46 D:\WINDOWS\Tasks\At7.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 15:00:46 D:\WINDOWS\Tasks\At8.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 16:00:46 D:\WINDOWS\Tasks\At9.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 17:00:46 D:\WINDOWS\Tasks\At10.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 18:00:46 D:\WINDOWS\Tasks\At11.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 19:00:46 D:\WINDOWS\Tasks\At12.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 20:00:46 D:\WINDOWS\Tasks\At13.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 21:00:46 D:\WINDOWS\Tasks\At14.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 22:00:46 D:\WINDOWS\Tasks\At15.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 23:01:32 D:\WINDOWS\Tasks\At16.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-04 00:00:46 D:\WINDOWS\Tasks\At17.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 01:01:06 D:\WINDOWS\Tasks\At18.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 02:01:36 D:\WINDOWS\Tasks\At19.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 03:00:46 D:\WINDOWS\Tasks\At20.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 04:00:46 D:\WINDOWS\Tasks\At21.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 05:00:46 D:\WINDOWS\Tasks\At22.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 06:00:46 D:\WINDOWS\Tasks\At23.job"
- D:\WINDOWS\system32\e8EboY1G.exe
"2008-01-03 07:00:46 D:\WINDOWS\Tasks\At24.job"
- D:\WINDOWS\system32\e8EboY1G.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 16:33:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 16:34:29
ComboFix-quarantined-files.txt 2008-01-04 00:34:28

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:18 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\Internet Call Director\ICD.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Internet Call Director.LNK = D:\Program Files\Internet Call Director\ICD.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191770462879
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191776916633
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 4258 bytes
Old 01-04-2008, 02:07 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: DSS log

Open Notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/207703-dss-log.html
Collect::
D:\WINDOWS\system32\e8EboY1G.exe
File::
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
Save this as "CFScript".

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.


---------------


In your next post, please include fresh logs from:
  1. Fresh HijackThis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
Old 01-04-2008, 02:07 AM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: DSS log

This is to be performed after you have posted the required logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windowsi586-p.exe to install the newest version.
Old 01-05-2008, 08:47 AM   #6 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 38
OS: xp


Re: DSS log

#1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:47 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\Program Files\Internet Call Director\ICD.EXE
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Internet Call Director.LNK = D:\Program Files\Internet Call Director\ICD.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2007\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191770462879
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191776916633
O17 - HKLM\System\CCS\Services\Tcpip\..\{3613A810-532C-4085-BF7A-264CF5255B75}: NameServer = 209.139.247.254 209.53.200.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - D:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 4730 bytes

#2
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 05, 2008 7:33:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/01/2008
Kaspersky Anti-Virus database records: 502981
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 61843
Number of viruses found: 6
Number of infected objects: 67
Number of suspicious objects: 0
Duration of the scan process: 02:15:47

Infected Object Name / Virus Name / Last Action
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060152.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060153.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060154.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060155.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060156.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060157.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060158.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060159.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060160.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060161.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060162.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060163.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060164.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060165.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060166.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060167.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060168.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060169.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060170.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP406\A0060171.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP407\A0061241.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP407\A0061242.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\System Volume Information\_restore{E7331A2B-3D35-4835-84B6-6B1EB0EBA1C2}\RP408\change.log Object is locked skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\mx85nce7.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\G7B185W0.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\H37Qb5O8.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\h6rd5gxN.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\6fxDR543.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\uHqkqq25.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\2yR2p74v.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\ipJf0wBT.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\8PG263r6.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\dLs8Gjl7.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\p73D0r4b.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\3HP5D0aN.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\UpiW0yGK.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\2M0168h7.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\LHX5e3KH.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\6EkWydWv.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\Hab47Hhv.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\bBNB0s0A.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\4TEs87l5.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\4Sx024va.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\G73N0vEQ.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\QooBox\Quarantine\D\WINDOWS\system32\66J75cqf.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\ModemLog_Lucent Win Modem.txt Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008010520080106\index.dat Object is locked skipped
D:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\WT0DIJCP\93248[1].mp3 Object is locked skipped
D:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Admin\My Documents\Downloads\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Documents and Settings\Admin\My Documents\Downloads\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Documents and Settings\Admin\My Documents\Downloads\mirc621.exe NSIS: infected - 2 skipped
D:\Documents and Settings\Admin\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Documents and Settings\Admin\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Documents and Settings\Admin\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\Documents and Settings\Admin\Desktop\[4]-Submit_2007-10-03@10.12\WINDOWS\svhjdsah.exe Infected: Trojan.Win32.Small.rt skipped
D:\Documents and Settings\Admin\Desktop\[4]-Submit_2007-10-03@10.12\WINDOWS\system32\vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
D:\Documents and Settings\Admin\Desktop\[4]-Submit_2007-10-03@10.12\WINDOWS\system32\spoolvs.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Documents and Settings\Admin\Desktop\[4]-Submit_2007-10-03@10.12\WINDOWS\shell.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-023718-253-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-023719-506-autorun.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-103201-437-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-104405-906-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-154032-586-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-224730-813-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070928-224743-799-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070929-114543-725-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20070929-124237-753-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20071001-203715-186-findfast.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20071001-203717-105-autorun.exe Infected: not-virus:Hoax.Win32.Renos.kq skipped
D:\Program Files\Trend Micro\HijackThis\backups\backup-20080103-155805-358.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped

Scan process completed.

#3
ComboFix 08-01-04.1 - Admin 2008-01-05 1:01:19.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -8:00]
Running from: D:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\system32\66J75cqf.dll
D:\WINDOWS\system32\e8EboY1G.exe
D:\WINDOWS\system32\G73N0vEQ.dll
D:\WINDOWS\Tasks\At1.job
D:\WINDOWS\Tasks\At10.job
D:\WINDOWS\Tasks\At11.job
D:\WINDOWS\Tasks\At12.job
D:\WINDOWS\Tasks\At13.job
D:\WINDOWS\Tasks\At14.job
D:\WINDOWS\Tasks\At15.job
D:\WINDOWS\Tasks\At16.job
D:\WINDOWS\Tasks\At17.job
D:\WINDOWS\Tasks\At18.job
D:\WINDOWS\Tasks\At19.job
D:\WINDOWS\Tasks\At2.job
D:\WINDOWS\Tasks\At20.job
D:\WINDOWS\Tasks\At21.job
D:\WINDOWS\Tasks\At22.job
D:\WINDOWS\Tasks\At23.job
D:\WINDOWS\Tasks\At24.job
D:\WINDOWS\Tasks\At3.job
D:\WINDOWS\Tasks\At4.job
D:\WINDOWS\Tasks\At5.job
D:\WINDOWS\Tasks\At6.job
D:\WINDOWS\Tasks\At7.job
D:\WINDOWS\Tasks\At8.job
D:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-03 16:31 . 2000-08-31 08:00 51,200 --a------ D:\WINDOWS\NirCmd.exe
2008-01-03 11:29 . 2008-01-03 11:29 604 --a------ D:\WINDOWS\system32\msexcr.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-10-01 23:00 40,960 ----a-w D:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-03_16.34.02.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 16:00:00 163,328 ----a-w D:\WINDOWS\ERDNT\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="D:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"Uniblue RegistryBooster 2"="D:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-09-27 18:41 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 12:00 53760 D:\WINDOWS\system32\narrator.exe]

D:\Documents and Settings\Admin\Start Menu\Programs\Startup\
Internet Call Director.LNK - D:\Program Files\Internet Call Director\ICD.EXE [2006-12-02 15:17:51]

S3 W8100PCI;D-Link AirPlus G Wireless Driver;D:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2004-01-08 20:45]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 01:03:31
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 1:04:07
ComboFix-quarantined-files.txt 2008-01-05 09:04:06
ComboFix2.txt 2008-01-04 00:34:32
Old 01-05-2008, 08:52 AM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: DSS log

Quote:
D:\Documents and Settings\Admin\Desktop\[4]-Submit_2007-10-03@10.12\WINDOWS\svhjdsah.exe
Mind telling me how this file got there?
__________________

Question - what have you done for the community today?
Old 01-05-2008, 06:00 PM   #8 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 38
OS: xp


Re: DSS log

That looks like the combo-fix from my first visit in Oct-07. I have no idea how it got there.
Old 01-06-2008, 01:59 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: DSS log

Please take note that unless instructed to do so, you should never extract the files from any such zipped packages. They contain infected files. From your perspective, there's nothing interesting to look at; just dangerous files.



Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
REM Remove any leftover log from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"
REM Delete the listed file; record it in the log if it survives
for %%g in (
"D:\Program Files\Trend Micro\HijackThis\backups\backup-20080103-155805-358.dll"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Remove the listed folders with their contents; record any that survive
for %%g in (
"D:\Documents and Settings\Admin\Desktop\[4]-Submit_2007-10-03@10.12"
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
REM Show the list of leftovers in Notepad if there were any, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
REM Wait 7 seconds so the message can be read, then delete this script
nircmd wait 7000
del %0
Save this as fix.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________

Question - what have you done for the community today?
Old 01-07-2008, 11:07 AM   #10 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 38
OS: xp


Re: DSS log

Truthfully, I was unaware that it was still there, unzipped. I just deleted it.

Double click on fix.bat & allow it to run - it said deleted successfully
Old 01-07-2008, 11:09 AM   #11 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: DSS log

The machine is clean again. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u

  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here - http://www.bleepingcomputer.com/forums/tutorial60.html


  4. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  5. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
Old 01-07-2008, 09:31 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 38
OS: xp


Re: DSS log

Thank you very much for your help.
Copyright 2001 - 2009, Tech Support Forum