
Thread: Need Help Removing Smithfeld-C Coreservices

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    20

    Need Help Removing Smithfeld-C Coreservices

    Hi there. Here is a copy of the Kaspersky Virus Scan per your sticky.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, October 13, 2007 5:46:41 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 14/10/2007
    Kaspersky Anti-Virus database records: 435619
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 37055
    Number of viruses found: 10
    Number of infected objects: 38
    Number of suspicious objects: 0
    Duration of the scan process: 00:41:10

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\ mon080.log Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\ciyryqff.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tl skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\dtonqxbk.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\ewpkmovn.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\fvvreqco.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\hsjxwoti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tl skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET8195.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET8202.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET82CD.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET82FC.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET830C.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET832B.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET836A.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JET8389.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\JVMD.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\MBDownloader_876919.exe Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit17B.tmp/NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit17B.tmp CAB: infected - 1 skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit17B.tmp.cab/NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit17B.tmp.cab CAB: infected - 1 skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit3AB.tmp/NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit3AB.tmp CAB: infected - 1 skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit3AB.tmp.cab/NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\mit3AB.tmp.cab CAB: infected - 1 skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\nbddblsn.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\NNBar_VCSetup_876919_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\Outerinfo-1281.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\Outerinfo-1281.exe/data0004 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\Outerinfo-1281.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\qacdkxjy.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\vinovexk.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware 2007 FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file03 Infected: Trojan-Downloader.Win32.Agent.dhj skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file26 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file39 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\WinAntiSpyware2007Setup.exe Inno: infected - 5 skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\~DF10AC.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\~DF96FE.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temp\~DFE01.tmp Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Helios11\Data\Checkin.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Checkin.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Clients.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Clients.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Employee.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Employee.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Helios.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Helios.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Hyperion.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Hyperion.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Invt.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Invt.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Salecode.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Salecode.mdb Object is locked skipped
    C:\Program Files\Helios11\Data\Transact.ldb Object is locked skipped
    C:\Program Files\Helios11\Data\Transact.mdb Object is locked skipped
    C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
    C:\Program Files\WinAntiSpyware 2007\InstUp.exe/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Program Files\WinAntiSpyware 2007\InstUp.exe Inno: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\cfg32.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
    C:\WINDOWS\cfg32a.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\ModemLog_Intel(R) 537EP Data Fax Modem.txt Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
    C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
    C:\WINDOWS\system32\drrrqmwl.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\fiosqunm.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\jygrpmrb.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\lmbkwkww.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\xhacdlpf.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\system32\xvubqiel.exe Infected: Trojan.Win32.Agent.bck skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  2. #2
    Junior Member
    Join Date
    Sep 2007
    Posts
    20

    Hijack Log File

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:15:20 AM, on 10/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: 0 - {2CD64D37-EE67-48E0-42BA-1805D11EEA7D} - C:\Program Files\ComPlus Applications\woqugeqe287.dll (file missing)
    O2 - BHO: (no name) - {341C12DE-DC19-D8C9-1A61-FC8DCA21D4CE} - C:\WINDOWS\system32\prm.dll (file missing)
    O2 - BHO: (no name) - {37D925B1-4609-47D8-A2FF-F4DAAB4BEDA9} - C:\Program Files\MSN\safemu83122.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {6B15E788-3664-441C-8126-3E835DE48362} - C:\WINDOWS\system32\awvvs.dll (file missing)
    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\csubhftp.dll
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\cbxyxxu.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003
    O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
    O4 - HKLM\..\Run: [winprotector] "C:\WINDOWS\winprotector.exe"
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vperkymn.dll",sitypnow
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2426] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7001] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3574] command /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2373] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Lurr] "C:\Documents and Settings\Admin\Application Data\W?nSxS\??erinit.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9659] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2737] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB20] command /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2235] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "c:\progra~1\americ~1.0b\AOL.EXE" -b (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "c:\progra~1\americ~1.0b\AOL.EXE" -b (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
    O8 - Extra context menu item: &Search - ?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...er/Coupons.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
    O20 - Winlogon Notify: cbxyxxu - cbxyxxu.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\bazyrtaku.html
    O24 - Desktop Component 1: (no name) - http://www.plentyoffish.com/thumbnai...5jt_198119.jpg
    O24 - Desktop Component 2: (no name) - http://shutter01.pictures.aol.com/da...-iMlju00A0.jpg

    --
    End of file - 11683 bytes

  3. #3
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    The Waiting Room
    http://forums.spybot.info/forumdisplay.php?f=37

    I apologize for the wait; it seems you missed the link above. If you have not resolved your problems, post a new HJT log and I will take a look.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Junior Member
    Join Date
    Sep 2007
    Posts
    20

    Not sure what link I have missed. Still the same problem.

    Still have the same problem. Here is a new HijackThis logfile.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:53:59 PM, on 10/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\DynIP\DynIP Client v5.51\Client.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Helios11\TimerSrv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Helios11\Helios11.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O1 - Hosts:
    iS{o|C1rYI$/(b`ߢ{Kԕ>4J~2@V~LF8U~&@IR0
    O1 - Hosts: X+fH
    O1 - Hosts:
    *d$2ZƐIKq- |LD_\ʪԎ޺BA*Zw%lL50#%z1ݔW5jiN*&V+2z&'KJr)o
    O1 - Hosts: 60 y+,Ez~z_
    O1 - Hosts: E8$ )Fr1wq[ ^:B l67;2
    !f_4[NEk94Q3`MLTof)u_^
    O1 - Hosts: fzhbS!Ŭ߉?
    yqHc7sfD, (~Kp2*lp9=zN52^KO2jJTBT_Է(Z
    0rhkg9P rcvK>Kmk|`]0k,)LJ7`Sa;| Og
    O1 - Hosts: ֕^#7ҐNs`
    O1 - Hosts: y`[R
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: 0 - {2CD64D37-EE67-48E0-42BA-1805D11EEA7D} - C:\Program Files\ComPlus Applications\woqugeqe287.dll (file missing)
    O2 - BHO: (no name) - {341C12DE-DC19-D8C9-1A61-FC8DCA21D4CE} - C:\WINDOWS\system32\prm.dll (file missing)
    O2 - BHO: (no name) - {37D925B1-4609-47D8-A2FF-F4DAAB4BEDA9} - C:\Program Files\MSN\safemu83122.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {6B15E788-3664-441C-8126-3E835DE48362} - C:\WINDOWS\system32\awvvs.dll (file missing)
    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\csubhftp.dll
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\cbxyxxu.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\itpb_11.exe SKY003
    O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
    O4 - HKLM\..\Run: [winprotector] "C:\WINDOWS\winprotector.exe"
    O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\vperkymn.dll",sitypnow
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Lurr] "C:\Documents and Settings\Admin\Application Data\W?nSxS\??erinit.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "c:\progra~1\americ~1.0b\AOL.EXE" -b (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "c:\progra~1\americ~1.0b\AOL.EXE" -b (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\itpb_11.exe
    O8 - Extra context menu item: &Search - ?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console -
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services -
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
    C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
    C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
    C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
    {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...er/Coupons.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
    O20 - Winlogon Notify: cbxyxxu - cbxyxxu.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DynIP Client (DynIPClient) - DynIP, a division of CanWeb Internet Services Ltd. - C:\Program Files\DynIP\DynIP Client v5.51\Client.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\bazyrtaku.html
    O24 - Desktop Component 1: (no name) - http://www.plentyoffish.com/thumbnai...5jt_198119.jpg
    O24 - Desktop Component 2: (no name) - http://shutter01.pictures.aol.com/da...-iMlju00A0.jpg

    --
    End of file - 11863 bytes

  5. #5
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Thanks for returning your information. You are very infected, so do not expect easy; I suggest you stay offline except when troubleshooting.

    1) Looks like you are formatting the log. Open Notepad and click on Format, then uncheck Word Wrap and leave it unchecked until we finish.

    2) Download HostsXpert v4.1 - Hosts File Manager.
    http://www.funkytoad.com/download/HostsXpert.zip
    Unzip HostsXpert 4.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    Click HostsXpert.exe to Run HostsXpert 4.1 - Hosts File Manager from its new home
    Click "Make Hosts Writable?" in the upper right corner (If available).
    Click Restore Microsoft's Hosts file and then click OK.
    Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    3) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date: Sep 2007
    Posts: 20

    Combo Fix Log file

    ComboFix 07-10-23.2 - Admin 2007-10-22 20:30:33.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.117 [GMT -4:00]
    Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Admin\Application Data\WNSXS~1
    C:\Documents and Settings\Admin\Start Menu\Programs\Startup\ta_start.lnk
    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Program Files\Common Files\crosof~1.net
    C:\Program Files\Common Files\crosof~1.net\??crosoft.NET\
    C:\Program Files\poolsv
    C:\Program Files\svhost
    C:\Program Files\svhost\wr-1-0000077.exe
    C:\Program Files\winpop
    C:\Program Files\wintouch
    C:\Program Files\wintouch\fusion.cfg.27deac0888578aa1077f73e3a09dda51.99b8141f332ed90bf6761b817a82000b
    C:\Program Files\wintouch\wintouch.cfg
    C:\Program Files\wintouch\WTUninstaller.exe
    C:\temp\tn3
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\cfg32a.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\cs_cache.ini
    C:\WINDOWS\curity~1
    C:\WINDOWS\system32\csubhftp.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drrrqmwl.exe
    C:\WINDOWS\system32\fiosqunm.exe
    C:\WINDOWS\system32\jygrpmrb.exe
    C:\WINDOWS\system32\lmbkwkww.exe
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\svvwa.bak1
    C:\WINDOWS\system32\svvwa.bak2
    C:\WINDOWS\system32\svvwa.ini
    C:\WINDOWS\system32\svvwa.ini2
    C:\WINDOWS\system32\svvwa.tmp
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\wnscpisv.exe
    C:\WINDOWS\system32\X1
    C:\WINDOWS\system32\X2
    C:\WINDOWS\system32\X3
    C:\WINDOWS\system32\X4
    C:\WINDOWS\system32\X5
    C:\WINDOWS\system32\X9
    C:\WINDOWS\system32\xhacdlpf.exe
    C:\WINDOWS\system32\xvubqiel.exe
    C:\WINDOWS\system32\ymbols~1
    C:\WINDOWS\wbun.exe
    C:\WINDOWS\wr.txt

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_NET_AGENT
    -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
    -------\core
    -------\Net Agent


    ((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
    .

    2007-10-22 20:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-22 19:11 <DIR> d-------- C:\HostsXpert
    2007-10-17 00:35 <DIR> d-------- C:\Program Files\Belarc
    2007-10-17 00:35 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
    2007-10-16 23:57 <DIR> d-------- C:\Program Files\Lavasoft
    2007-10-16 23:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-13 16:46 <DIR> d-------- C:\Program Files\DynIP
    2007-10-13 01:11 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-13 00:24 <DIR> d-------- C:\Program Files\TightVNC
    2007-10-12 23:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-12 22:36 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7
    2007-10-12 22:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-01 15:24 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2007-10-01 15:24 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
    2007-10-01 15:24 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2007-10-01 15:24 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2007-10-01 15:22 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
    2007-10-01 15:22 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-17 16:54 --------- d-----w C:\Program Files\Helios11
    2007-10-13 02:20 --------- d-----w C:\Program Files\Common Files\AOL
    2007-10-13 02:14 --------- d-----w C:\Documents and Settings\Admin\Application Data\AOL
    2007-10-12 14:08 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
    2007-10-10 13:55 --------- d-----w C:\Documents and Settings\Admin\Application Data\Yahoo!
    2007-10-03 16:44 --------- d-----w C:\Program Files\Yahoo!
    2007-10-03 16:43 --------- d-----w C:\Program Files\Common Files\Scanner
    2007-10-03 16:42 --------- d-----w C:\Program Files\IrfanView
    2007-09-22 19:46 164 ----a-w C:\install.dat
    2007-09-22 19:42 --------- d-----w C:\Program Files\AskSBar
    2007-09-21 08:37 59,392 ----a-w C:\Documents and Settings\Admin\wn629.exe
    2006-05-26 18:58 65,016 ----a-w C:\Documents and Settings\Admin\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2007-09-22 15:42 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CD64D37-EE67-48E0-42BA-1805D11EEA7D}]
    C:\Program Files\ComPlus Applications\woqugeqe287.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{341C12DE-DC19-D8C9-1A61-FC8DCA21D4CE}]
    C:\WINDOWS\system32\prm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37D925B1-4609-47D8-A2FF-F4DAAB4BEDA9}]
    C:\Program Files\MSN\safemu83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B15E788-3664-441C-8126-3E835DE48362}]
    C:\WINDOWS\system32\awvvs.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
    2007-09-22 15:42 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-09-22 15:42 267592]

    [HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2007-09-22 15:42 267592]

    [HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 14:22]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 14:19]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 00:55]
    "HPHUPD05"="C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 00:55]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 09:38]
    "HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2005-07-08 00:55]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 14:23]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "winprotector"="C:\WINDOWS\winprotector.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-12 22:35]
    "WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [2007-05-07 19:28]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 10:59]
    "Arma"="C:\PROGRA~1\COMMON~1\CROSOF~1.NET\userinit.exe" []
    "Lurr"="C:\Documents and Settings\Admin\Application Data\W?nSxS\??erinit.exe" []
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AOL Fast Start"="c:\progra~1\americ~1.0b\AOL.EXE" -b

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\ComPlus Applications\bazyrtaku.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvs]
    C:\WINDOWS\system32\awvvs.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyxxu]
    cbxyxxu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Helios11.lnk]
    path=C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Helios11.lnk
    backup=C:\WINDOWS\pss\Helios11.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
    backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2001 Delivery Agent.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2001 Delivery Agent.lnk
    backup=C:\WINDOWS\pss\QuickBooks 2001 Delivery Agent.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    "C:\PROGRA~1\AMERIC~1.0B\AOL.EXE" -b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    "C:\Program Files\Common Files\AOL\1147559086\ee\AOLSoftware.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfileWatcher]
    C:\Program Files\ProfileWatcher\profilewatcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    "C:\Program Files\Windows Media Player\WMPNSCFG.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

    R2 CBUSB;MARX Software Security;C:\WINDOWS\system32\Drivers\CBUSB.sys
    R2 DynIPClient;DynIP Client;"C:\Program Files\DynIP\DynIP Client v5.51\Client.exe"
    R2 MarxDev1;MarxDev1;\??\C:\WINDOWS\System32\Drivers\MARXDEV1.SYS
    R2 MarxDev2;MarxDev2;\??\C:\WINDOWS\System32\Drivers\MARXDEV2.SYS
    R2 MarxDev3;MarxDev3;\??\C:\WINDOWS\System32\Drivers\MARXDEV3.SYS
    S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    AutoRun\command - F:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-22 21:42:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-22 21:43:58 - machine was rebooted
    .
    --- E O F ---

  7. #7
    Junior Member
    Join Date: Sep 2007
    Posts: 20

    New Hijack This Log

    Edited out second combofix log
    Last edited by pskelley; 2007-10-24 at 00:56. Reason: two combofix logs posted

  8. #8
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Post the HJT log please; I will edit out one of the ComboFix logs once I see the HJT log. Please tell me about any malware issues.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #9
    Junior Member
    Join Date: Sep 2007
    Posts: 20

    Hijack This Log file

    Sorry about that, thought I posted this one.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:48:22 PM, on 10/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\DynIP\DynIP Client v5.51\Client.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: 0 - {2CD64D37-EE67-48E0-42BA-1805D11EEA7D} - C:\Program Files\ComPlus Applications\woqugeqe287.dll (file missing)
    O2 - BHO: (no name) - {341C12DE-DC19-D8C9-1A61-FC8DCA21D4CE} - C:\WINDOWS\system32\prm.dll (file missing)
    O2 - BHO: (no name) - {37D925B1-4609-47D8-A2FF-F4DAAB4BEDA9} - C:\Program Files\MSN\safemu83122.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {6B15E788-3664-441C-8126-3E835DE48362} - C:\WINDOWS\system32\awvvs.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winprotector] "C:\WINDOWS\winprotector.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Lurr] "C:\Documents and Settings\Admin\Application Data\W?nSxS\??erinit.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AOL Fast Start] "c:\progra~1\americ~1.0b\AOL.EXE" -b (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AOL Fast Start] "c:\progra~1\americ~1.0b\AOL.EXE" -b (User 'Default user')
    O8 - Extra context menu item: &Search - ?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...er/Coupons.cab
    O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70F718C2-3468-498B-A8BB-607CDD9665E1}: Domain = sbcglobal.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70F718C2-3468-498B-A8BB-607CDD9665E1}: NameServer = 151.164.8.201
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sbcglobal.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70F718C2-3468-498B-A8BB-607CDD9665E1}: Domain = sbcglobal.net
    O17 - HKLM\System\CS1\Services\Tcpip\..\{70F718C2-3468-498B-A8BB-607CDD9665E1}: NameServer = 151.164.8.201
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = sbcglobal.net
    O17 - HKLM\System\CS3\Services\Tcpip\..\{70F718C2-3468-498B-A8BB-607CDD9665E1}: Domain = sbcglobal.net
    O17 - HKLM\System\CS3\Services\Tcpip\..\{70F718C2-3468-498B-A8BB-607CDD9665E1}: NameServer = 151.164.8.201
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sbcglobal.net
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
    O20 - Winlogon Notify: cbxyxxu - cbxyxxu.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DynIP Client (DynIPClient) - DynIP, a division of CanWeb Internet Services Ltd. - C:\Program Files\DynIP\DynIP Client v5.51\Client.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\bazyrtaku.html
    O24 - Desktop Component 1: (no name) - http://www.plentyoffish.com/thumbnai...5jt_198119.jpg
    O24 - Desktop Component 2: (no name) - http://shutter01.pictures.aol.com/da...-iMlju00A0.jpg

    --
    End of file - 11418 bytes

  10. #10
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Thanks for the HJT log, follow these directions:

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) Turn off TeaTimer; it will block changes we must make:
    http://russelltexas.com/malware/teatimer.htm

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: 0 - {2CD64D37-EE67-48E0-42BA-1805D11EEA7D} - C:\Program Files\ComPlus Applications\woqugeqe287.dll (file missing)
    O2 - BHO: (no name) - {341C12DE-DC19-D8C9-1A61-FC8DCA21D4CE} - C:\WINDOWS\system32\prm.dll (file missing)
    O2 - BHO: (no name) - {37D925B1-4609-47D8-A2FF-F4DAAB4BEDA9} - C:\Program Files\MSN\safemu83122.dll (file missing)
    O2 - BHO: (no name) - {6B15E788-3664-441C-8126-3E835DE48362} - C:\WINDOWS\system32\awvvs.dll (file missing)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [winprotector] "C:\WINDOWS\winprotector.exe"
    O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Lurr] "C:\Documents and Settings\Admin\Application Data\W?nSxS\??erinit.exe"
    O8 - Extra context menu item: &Search - ?p=ZU
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...er/Coupons.cab
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
    O20 - Winlogon Notify: cbxyxxu - cbxyxxu.dll (file missing)
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\bazyrtaku.html
    O24 - Desktop Component 1: (no name) - http://www.plentyoffish.com/thumbnai...5jt_198119.jpg
    O24 - Desktop Component 2: (no name) - http://shutter01.pictures.aol.com/da...-iMlju00A0.jpg

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\winprotector.exe <<< delete that file

    C:\PROGRAM FILES~1\COMMON FILES~1\CROSOF~1.NET\ <<< delete that folder

    C:\Documents and Settings\Administrator\Application Data\W?nSxS\ <<< delete that folder

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post a new HJT log, tell me how the computer is running.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
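Added example (not part of this thread, and not code from HijackThis or from the helper): a small Python triage script that applies the same kind of reasoning the reply above uses when it picks lines out of an HJT log. It flags O15 Trusted Zone entries for the rogue "security product" domains listed in the reply, O20 Winlogon Notify entries whose DLL is missing, unnamed or orphaned O2 BHOs, and O4 autorun entries whose path contains undisplayable characters (the W?nSxS style folder name), sits directly in the Windows directory, or reuses a system binary name outside system32. The sample log lines are constructed in the shape of the entries quoted in this thread, plus one ordinary autorun line that should not fire; the Windows-directory and system32 rules are my own heuristics, not rules from the reply.

```python
import re
from dataclasses import dataclass

# Trusted Zone domains the helper told the poster to fix in this thread.
ROGUE_TRUSTED_DOMAINS = {
    "errorprotector.com", "errorsafe.com", "systemdoctor.com",
    "winantivirus.com", "winfixer.com",
}

# Constructed heuristic: these Windows binaries normally live in system32;
# a copy registered to autorun from anywhere else deserves a look.
SYSTEM_BINARY_NAMES = {"userinit.exe", "winlogon.exe", "svchost.exe", "lsass.exe"}

# Constructed sample lines, shaped like the HijackThis entries quoted in this
# thread, plus one ordinary autorun line (AVG7_CC) that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winprotector] "C:\WINDOWS\winprotector.exe"
O4 - HKCU\..\Run: [Arma] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Lurr] "C:\Documents and Settings\Admin\Application Data\W?nSxS\??erinit.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
O2 - BHO: (no name) - {6B15E788-3664-441C-8126-3E835DE48362} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O15"
    reason: str   # which triage rule fired
    line: str     # the original log line


SECTION_RE = re.compile(r"^\s*(O\d+|R\d|F\d)\s+-\s+(.*)$")
TRUSTED_RE = re.compile(r"Trusted Zone:\s*\*?\.?([\w.-]+)")
RUN_TARGET_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')        # path after [name]
WINDOWS_ROOT_EXE_RE = re.compile(r"(?i)c:\\windows\\[^\\]+\.exe")


def triage_line(line):
    """Apply the triage rules to one HJT line; return a Finding or None."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    missing = "(file missing)" in body

    if section == "O15":
        dm = TRUSTED_RE.search(body)
        domain = dm.group(1).lower() if dm else ""
        if domain in ROGUE_TRUSTED_DOMAINS:
            return Finding(section, "rogue security-product domain in Trusted Zone", line)
        return Finding(section, "wildcard Trusted Zone entry; verify it is intended", line)

    if section == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at logon; an orphaned
        # entry is usually a leftover of something removed incompletely.
        if missing:
            return Finding(section, "Winlogon Notify entry points to a missing DLL", line)
        return Finding(section, "Winlogon Notify entry; verify the DLL belongs to a known product", line)

    if section == "O2" and ("(no name)" in body or missing):
        return Finding(section, "BHO with no name or missing file", line)

    if section == "O4":
        pm = RUN_TARGET_RE.search(body)
        path = (pm.group(1) or pm.group(2)) if pm else ""
        if "?" in path:
            return Finding(section, "autorun path contains undisplayable characters (look-alike folder name)", line)
        if WINDOWS_ROOT_EXE_RE.fullmatch(path):
            return Finding(section, "autorun executable sitting directly in the Windows directory", line)
        base = path.rsplit("\\", 1)[-1].lower()
        if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in path.lower():
            return Finding(section, "system binary name running from outside system32", line)
    return None


def triage(log_text):
    """Run triage_line over every line of an HJT log; return the findings in order."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line.strip()}")
```

Note that the script deliberately says nothing about named toolbars such as the Ask entries the reply also removes: whether a named, present BHO is unwanted is a judgement about the product, not something a pattern on the log line can decide, so that call stays with the human reading the log.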
