
Discussion Starter · #1 ·
Hello, I am having some problems with accessing files, and possibly registry problems, a disk error and possibly a hijack attempt.

Permissions:
“S-1-5-21-2052111302-651377827-839522115-1003” appears in the group or user names. This is the same user that I notice associated with the following error:
Source: Userenv Event ID:1505:

"Windows cannot load the user's profile but has logged you on with the default profile for the system.
DETAIL - Incorrect function."


In the registry, for HKEY users, there exists HKEY_USERS\S-1-5-21-2052111302-651377827-839522115-1017.

I think that my registry may have become corrupted, or that, perhaps, my user profile was deleted or corrupted. I have removed the user from the group (of permissions) and have re-assigned ownership settings, but this has not granted me access privileges (despite having administrator status). I have checked the online documentation regarding this issue: <http://www.brajeshwar.com/archives/2005/09/file-access-denied-on-windows-xp-and-how-to-take-ownership/>…but I am still prevented from accessing the files. (“Word cannot open the document: user does not have access privileges.”)

Further, I have noticed that I have a disk error (event ID 7) and although I have removed the cables from my D drive, I continue to see the message.

I am running AVG and it claims that everything is clean; however, the housecall online checker abruptly ended (halfway through the scan), so I was unable to identify errors.

The event log displays a few (repeated) errors including the following:

Source: MsiInstaller Event ID 11719:

"Product: Microsoft Office Professional Edition 2003 -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed."


Source: MsiInstaller Event ID: 1004:

"The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist."

Also the message (event ID 7001):

"The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
A device attached to the system is not functioning."


Finally, “I/O error 103” when opening Security Task Manager.

I have run Adaware, Spybot S&D, CCleaner, (I haven’t installed or run the CWShredder) and here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:50 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156330967140
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
 

TSF Security Manager, Emeritus
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I'm uncertain if fixing the malware I do see in this log will help you with all the issues you're describing. You may be better off with a repair install. If you're willing to try, we'll go forward and do the best we can.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll


Click FIX CHECKED. Close HijackThis.

Delete this file if it exists:

C:\WINDOWS\system32\ebkp.dll

If it resists deletion, boot to safe mode and delete it from there.

  1. Download combofix.exe to your desktop.
  2. Double click on combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.




Finally, please post C:\ComboFix.txt, the contents of the FixWareout text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.


----------------------------------------------------------------------------------------------------------
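As an added example (not code from this thread, from HijackThis or from any other tool named in it), a small Python triage script that applies the same reading of an HJT log the reply above does: it flags a blanked R0 Local Page, O16 DPF downloads from hosts outside an allowlist, O17 NameServer overrides that are not the expected resolvers, and O18 custom protocol handlers. The allowlists and the sample log lines are constructed assumptions.

```python
"""Triage a HijackThis v1.99 log for the entry classes picked out in the reply above."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed allowlists (not from the thread): in practice, derive the expected resolvers
# from the ISP's DHCP lease and the trusted DPF hosts / protocols from the software inventory.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}
EXPECTED_NAMESERVERS = set()             # empty: any hard-coded NameServer gets a second look
KNOWN_PROTOCOLS = {"msnim", "livecall"}  # O18 handlers treated as expected here

# Constructed sample in the shape of the thread's log: benign lines mixed with the flagged ones.
SAMPLE_LOG = "\n".join([
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156330967140",
    r"O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138",
    r"O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
])

ENTRY = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
NAMESERVER = re.compile(r"NameServer = (?P<addrs>[\d. ,]+)$")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line, expected_dns=EXPECTED_NAMESERVERS,
                trusted_dpf=TRUSTED_DPF_HOSTS, known_protocols=KNOWN_PROTOCOLS):
    """Return a reason string if the HJT entry deserves attention, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1") and body.rstrip().endswith("="):
        # A blanked Local Page / Start Page value is what the R0 line in the thread shows.
        return "browser start value blanked (empty R0/R1)"
    if kind == "O16":
        # DPF = ActiveX download; the URL is the last " - " separated field.
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        if _is_ip_literal(host) or host not in trusted_dpf:
            return f"ActiveX download (DPF) from untrusted host {host!r}"
        return None
    if kind == "O17":
        # NameServer override: every resolver must be one we expect, else DNS is redirected.
        m2 = NAMESERVER.search(body)
        if not m2:
            return "NameServer override with unparsable value"
        addrs = [a for a in re.split(r"[ ,]+", m2.group("addrs").strip()) if a]
        rogue = [a for a in addrs if a not in expected_dns]
        return "unexpected DNS resolvers: " + ", ".join(rogue) if rogue else None
    if kind == "O18":
        # Custom URL protocol handler: "Protocol: <name> - {CLSID} - <dll>".
        name = body.split(" - ", 1)[0].partition(":")[2].strip()
        if name and name not in known_protocols:
            return f"custom URL protocol handler {name!r} registered"
        return None
    return None


def triage_log(text, **allowlists):
    """Return [(kind, reason, line)] for every entry in an HJT log that triage_line flags."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw, **allowlists)
        if reason:
            findings.append((ENTRY.match(raw.strip()).group("kind"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run against a real log, the five hits on the sample are exactly the entry classes ticked for fixing in the reply; O4, O9 and O23 entries still need the manual review the helper does here.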
 

Discussion Starter · #3 ·
fixware log, combofix and HJT logs

Thank you for all of your assistance.

I am willing to go through with a repair install if that will eradicate the junk from my machine; however, here are the results so far:

FIXWAREOUT LOG:


Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csive.exe"

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...




COMBOFIX LOG:

"doctorwho" - 07-01-02 16:05:46.21 Service Pack 2
ComboFix 06-12-29W-BetaE2 - Running from: "C:\Documents and Settings\doctorwho\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\YMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


2007-01-02 15:42 <DIR> d-------- C:\fixwareout
2007-01-01 23:23 <DIR> d-------- C:\DOCUME~1\DOCTOR~1\APPLIC~1\Help
2007-01-01 22:43 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-01 22:40 <DIR> d-------- C:\DOCUME~1\DOCTOR~1\.housecall6.6
2007-01-01 21:56 <DIR> d---s---- C:\DOCUME~1\DOCTOR~1\UserData
2007-01-01 21:53 <DIR> d-------- C:\DOCUME~1\DOCTOR~1\APPLIC~1\Sun
2007-01-01 21:50 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-01 21:21 <DIR> d-------- C:\DOCUME~1\DOCTOR~1\APPLIC~1\Lavasoft
2007-01-01 15:21 <DIR> d-------- C:\HJT
2006-12-31 20:04 <DIR> d-------- C:\DOCUME~1\DOCTOR~1\APPLIC~1\Talkback
2006-12-31 20:03 <DIR> d-------- C:\DOCUME~1\DOCTOR~1\APPLIC~1\AVG7
2006-12-31 15:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVG7
2006-12-31 01:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-31 00:05 <DIR> d-------- C:\Program Files\CCleaner
2006-12-28 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-28 14:28 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-28 14:28 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-28 14:28 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-28 14:28 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-28 14:28 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-28 14:28 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-28 14:28 <DIR> d-------- C:\Program Files\Grisoft
2006-12-28 14:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-28 14:18 <DIR> d-------- C:\Program Files\msn gaming zone
2006-12-21 19:32 <DIR> d-------- C:\Program Files\Microsoft.NET
2006-12-21 19:31 <DIR> d-------- C:\WINDOWS\SHELLNEW
2006-12-21 13:21 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2006-12-21 12:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2006-12-19 19:24 <DIR> d-------- C:\WINDOWS\pss
2006-12-19 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-12-19 18:40 <DIR> d-------- C:\Program Files\Security Task Manager
2006-12-10 17:43 <DIR> d-------- C:\Program Files\Ontrack
2006-12-10 17:14 <DIR> d-------- C:\Program Files\RegistryFix
2006-12-10 14:08 <DIR> d-------- C:\Program Files\Update Cleanup
2006-12-10 13:04 <DIR> d-------- C:\Program Files\ExplorerXP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-02 15:56 -------- d-------- C:\Program Files\mozilla firefox
2007-01-02 15:26 -------- d-------- C:\Program Files\winamp
2007-01-02 12:02 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\avg7
2007-01-01 23:23 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\help
2007-01-01 21:53 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\sun
2007-01-01 21:52 -------- d-------- C:\Program Files\java
2007-01-01 21:21 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\lavasoft
2007-01-01 19:01 -------- d---s---- C:\DOCUME~1\DOCTOR~1\Application Data\microsoft
2006-12-31 20:05 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\macromedia
2006-12-31 20:04 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\talkback
2006-12-31 20:03 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\mozilla
2006-12-31 20:03 -------- d-------- C:\DOCUME~1\DOCTOR~1\Application Data\identities
2006-12-28 19:24 -------- d-------- C:\Program Files\shareaza
2006-12-21 19:32 -------- d-------- C:\Program Files\microsoft activesync
2006-12-21 19:11 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-21 18:32 -------- d-------- C:\Program Files\microsoft frontpage
2006-12-10 17:45 -------- d--h----- C:\Program Files\installshield installation information
2006-12-06 21:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-16 11:20 -------- d-------- C:\Program Files\msxml 4.0
2006-11-07 21:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 05:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"Soltek"="C:\\WINDOWS\\system32\\autorun.exe"
"SoundMan"="SOUNDMAN.EXE"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070102-155333-201
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\system32\ebkp.dll
backup-20070102-155333-160
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
backup-20070102-155333-975
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
backup-20070102-155333-385
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
backup-20070102-155333-797
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.198 85.255.112.138
backup-20070102-155332-404
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
backup-20070102-155332-549
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Completion time: 07-01-02 16:08:00.59





NEW HIJACKTHIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 4:23:54 PM, on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156330967140
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
 

TSF Security Manager, Emeritus
OK, that seems to have knocked out the bulk of what was showing. Please perform this general system scan and cleaning to see if anything else is lurking, and to see if it will help us ID what may have caused the profile corruption/file access issues.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

---------------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs_edits/xp_whichcpu.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

---------------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

AVG Anti-Spyware
Panda
HJT
 

Registered
Discussion Starter · #5 ·
here are the logs...

Smoother sailing so far, but I have two questions:

Before the Panda active scan completed, it reported that there was no profile (for outlook express) and there was a prompt for me to create a new one, but I didn’t (should I create a new profile?)

On the C: drive, I can now see the folder named “Qoobox” and subfolder “purity” (earlier identified by the HJT log). Is it safe/recommendable to remove it? I think that it has been quarantined.


Here are the scan logs (in order) of AVG Anti-Spyware, Panda, and HJT:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:03:56 PM 1/2/2007

+ Scan result:



:mozilla.221:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.222:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.116:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.166:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.70:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.71:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.24:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.25:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.56:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.57:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.58:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.60:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.32:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.162:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.188:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.191:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.45:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.213:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.214:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.33:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.34:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.35:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.36:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.92:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.142:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.138:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\qmxphmxq.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.227:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.228:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.229:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.230:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.281:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.129:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.130:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.131:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.132:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.100:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.179:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.180:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.233:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.156:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.157:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.158:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.159:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.160:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.93:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.94:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.95:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.96:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.97:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.98:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.99:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.284:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Spinbox : Cleaned.
:mozilla.170:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.173:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.189:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.190:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.22:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.23:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.26:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.149:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.150:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.151:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.152:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.231:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.282:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.283:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.128:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.74:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.75:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\WinIo.dll -> Trojan.Agent.f : Cleaned.
C:\WINDOWS\system32\wnstssv.exe -> Trojan.Small : Cleaned.


::Report end


PANDA :

Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\doctorwho\Application Data\Mozilla\Firefox\Profiles\zf05iz0o.default\cookies.txt[.com.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\doctorwho\Application Data\Mozilla\Firefox\Profiles\zf05iz0o.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\doctorwho\Application Data\Mozilla\Firefox\Profiles\zf05iz0o.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\doctorwho\Application Data\Mozilla\Firefox\Profiles\zf05iz0o.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\ube3j7u2.default\cookies.txt[www.advnt01.com/]

HIJACKTHIS :


Logfile of HijackThis v1.99.1
Scan saved at 8:06:21 PM, on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\system32\autorun.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156330967140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

TSF Security Manager, Emeritus · 52,197 Posts
Before the Panda active scan completed, it reported that there was no profile (for outlook express) and there was a prompt for me to create a new one, but I didn’t (should I create a new profile?)
Odd, haven't encountered that. I'll have to look into it, but I'd say you took the correct action.

On the C: drive, I can now see the folder named “Qoobox” and subfolder “purity” (earlier identified by the HJT log). Is it safe/recommendable to remove it? I think that it has been quarantined.
Qoobox is exactly that... a quarantine folder created by combofix. It can be deleted.

That looks pretty good, let's do a couple more things.

Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.

How is your system behaving now, please?
 

Registered · 10 Posts · Discussion Starter · #7
thank you

The BitDefender scan shows zero viruses (although here it reads "Virus Detected"); confusing.
The option "Click here to export the scan results" was not apparent, so I just did copy & paste:


BitDefender Online Scanner - Real Time Virus Report

Generated at: Tue, Jan 02, 2007 - 23:05:25

Scan Info
Scanned Files: 341110
Infected Files: 0
Virus Detected: No virus found.


I assume that my computer is dramatically cleaner, thanks to your help, but I am still having the probs with permissions (the "access is denied" error).
It is a frustrating issue... Is there any way I can set the permissions to grant full access to my files?

Also frustrating (and serious) is the disk error problem (event ID 7):


The device, \Device\Harddisk0\D, has a bad block.


Can you please recommend how I might fix this one? As I stated, I have already disconnected the D drive from the motherboard (although the cables are still attached to the motherboard).

I remember your comment that solving those problems may be more complex, but any help you could offer would be much appreciated.

cheers,

doctorwho
 

TSF Security Manager, Emeritus · 52,197 Posts
Those other questions will be better asked in our Windows XP support forum, or the Hardware Support forum. The staff and members in that area will be better able to assist you with that.


Before we do that, let's use one more tool, to help rule out anything hidden.


Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

 

Registered · 10 Posts · Discussion Starter · #9
hmm

Hello Tetonbob,


Is it ok to download all of these checker programs (my gf is particularly skeptical)? I understand that they seem legit, and useful for diagnosing errors, but, out of curiosity, are they all necessary to avoid the ongoing daily battle with spyware, malware, trojans and hijackers? I mean if I had a new system would I be fine just with Adaware, AVG and a firewall (and router)? Also, my gf is curious about this forum, are you recompensated for your support in some way? Or do you primarily rely on donations? (sorry if this is posted somewhere and I missed the boat). Again I really appreciate all of your help.

cheers,

DW
 

TSF Security Manager, Emeritus · 52,197 Posts
OK in what way? What's to be skeptical about?

Of course they are, or I wouldn't ask you to use them. Malware has many ways to bury itself in your system, so we need many ways to ferret it out. That's why I asked for the rootkit scanner. Rootkits are hidden from typical tools.

I mean if I had a new system would I be fine just with Adaware, AVG and a firewall (and router)?
Well, that's a start. It takes a multi-layered approach to secure one's system on today's internet. Of course, prevention begins at the keyboard.

Read this thread for a better idea:

http://www.techsupportforum.com/f174/pc-safety-and-security-what-do-i-need-115548.html

Also, my gf is curious about this forum, are you recompensated for your support in some way?
I do this for free, because I love the hunt, and helping those with less knowledge. We're all volunteers here. The website offers free help and accepts donations to defray costs. See the link in my signature.

Please post the blacklight log.
 

Registered · 10 Posts · Discussion Starter · #11
Thanks for the informative responses.


I have tried running BlackLight, but it does not open:

"F-Secure BlackLight could not acquire necessary privileges [SeDebug Privilege]

-your computer settings may prevent acquiring these privileges.
-A malicious program might have disabled these privileges."

...

As I am still worried about the disk-error and the access privileges (among other worries) I think that a fresh install may be the best option. I have heard that besides the cost differences, Linux (Linspire 5-O or Freespire) is a much more safe alternative and remains compatible with several common Windows programs. As a relatively inexperienced home user, would you recommend a fresh install (using either of these Linux OSes)?

I understand that this may be the wrong forum to ask this, but I just wanted to know what you think.

cheers,

DW
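The BlackLight failure quoted in this post comes down to two things the error text names: whether the account running the tool holds the "Debug programs" user right (SeDebugPrivilege) and whether that right has been stripped from Administrators by policy or by malware. The following PowerShell check is an added example, not part of this thread, of F-Secure's tool, or of any post here. It reads local Administrators membership through .NET and exports the local security policy with secedit.exe (which ships with XP) to see who is assigned SeDebugPrivilege. It assumes PowerShell 2.0 or later; the export file path is a constructed temporary name, and the `whoami /priv` step is only attempted when whoami is on the PATH, since XP does not include it by default.

```powershell
# Added example (not from the thread or from BlackLight): diagnose why a tool
# cannot obtain SeDebugPrivilege. Assumes PowerShell 2.0+ and secedit.exe.

# 1. Is the current token a member of the local Administrators group?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName System.Security.Principal.WindowsPrincipal -ArgumentList $identity
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as: $($identity.Name)  (local Administrator: $isAdmin)"

# 2. Who is assigned the 'Debug programs' user right?
#    secedit writes the local policy as an INF file; its [Privilege Rights]
#    section lists each right with the SIDs that hold it, e.g.
#    SeDebugPrivilege = *S-1-5-32-544   (BUILTIN\Administrators, the XP default)
$inf = Join-Path $env:TEMP 'secpol-export.inf'   # constructed temp path
secedit /export /cfg $inf | Out-Null

$line = Get-Content $inf | Where-Object { $_ -match '^SeDebugPrivilege\s*=' } | Select-Object -First 1
if (-not $line) {
    "SeDebugPrivilege is assigned to nobody: the 'Debug programs' right has been emptied."
    "Restore it to Administrators (*S-1-5-32-544) in secpol.msc before re-running the scanner."
} else {
    # Right-hand side is a comma-separated list of SIDs, each prefixed with '*'
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    "SeDebugPrivilege holders: $($sids -join ', ')"
    foreach ($sid in $sids) {
        # Resolve each SID to an account name where the system can translate it
        try {
            $acct = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
            $name = $acct.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = '(unresolved)' }
        "  $sid -> $name"
    }
    if ($sids -notcontains 'S-1-5-32-544') {
        "BUILTIN\Administrators is missing from the list: the right was changed from the default."
    }
}

# 3. Does the current process token already carry the right? whoami /priv is
#    built into Vista and later; on XP it requires the Support Tools, so its
#    absence is reported as unknown rather than as a failure.
if (Get-Command whoami -ErrorAction SilentlyContinue) {
    $priv = whoami /priv | Where-Object { $_ -match 'SeDebugPrivilege' }
    if ($priv) { "Token: $($priv.Trim())" } else { "Token: SeDebugPrivilege not present" }
} else {
    "Token: whoami.exe not available, privilege state unknown"
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it from the same account that launched BlackLight. If the account is not a local Administrator the fix is simply to log on as one; if Administrators has been removed from the "Debug programs" assignment, that is a policy change worth explaining before trusting the machine, because the second line of the error message (a malicious program disabling the privilege) is exactly what that finding would look like.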
 

TSF Security Manager, Emeritus · 52,197 Posts
Hi DW -

As I am still worried about the disk-error and the access privileges (among other worries) I think that a fresh install may be the best option.
I think you may be right.

Sorry to say, I don't speak Linux. We do have a subforum that deals with those flavors of OS, though.

They would heartily agree with you about Linux being more secure, but you'd have to ask over there to get any intelligent discussion about its workings.
 