Please check my log



Raphael26
2007-07-10, 20:41
Logfile of HijackThis v1.99.1
Scan saved at 17:12:43, on 2007-07-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
E:\Program Files\iTunes+QuickTime\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\G DATA AntiVirus Trial\AVKTray\AVKTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\poleng\Translatica2\bin\win\int\ms-oe\taoetray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\PROGRA~1\3BSOFT~1\WINDOW~2\Windows Clean-Up Pro.uzy
E:\Program Files\eMule\emule.exe
C:\WINDOWS\system32\muyshygb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera 8.54\Opera.exe
C:\Program Files\G DATA AntiVirus Trial\AVK\AVK.exe
C:\Documents and Settings\Domownik\Dane aplikacji\Simply Super Software\Trojan Remover\mxrBF5.exe
C:\Documents and Settings\Domownik\Dane aplikacji\Simply Super Software\Trojan Remover\mxrBF5.exe
C:\Documents and Settings\Domownik\Pulpit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assistant/accoona_search_assistant.jsp?&utm_id=400055&utm_content=leftnav&utm_source=wdz3&utm_medium=bund&utm_campaign=wdz0805
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Multi_Media toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMul0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: AKHelper.HelperBHO - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKHelper.dll
O2 - BHO: Multi_Media toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMul0.dll
O2 - BHO: (no name) - {F52214AB-166C-4435-BA05-D81F17B32DCA} - (no file)
O3 - Toolbar: Kellyfamily.nl toolbar - {3f341c57-3a96-46c5-868b-77b782d74980} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - (no file)
O3 - Toolbar: Multi_Media toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - C:\Program Files\Multi_Media\tbMul0.dll
O3 - Toolbar: Ad Blocker Pro Toolbar - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - C:\Program Files\3B Software\3B Ad Blocker Pro\AKToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes+QuickTime\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\3B Software\3B Ad Blocker Pro\AdBlocker.exe
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [Windows Clean-Up Pro] C:\PROGRA~1\3BSOFT~1\WINDOW~2\WINDOWS CLEAN-UP PRO.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\G DATA AntiVirus Trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [taoetray] C:\Program Files\poleng\Translatica2\bin\win\int\ms-oe\taoetray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Odkurzacz-MCD] E:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [Odkurzacz-QC] E:\Program Files\Odkurzacz\odk_qc.exe
O4 - HKCU\..\Run: [eMuleAutoStart] E:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: VP-EYE.lnk = C:\VP-EYE\control\vpeyev4.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Translate into English - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra 'Tools' menuitem: Translate into English - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra button: Translate into Polish - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra 'Tools' menuitem: Translate into Polish - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra button: Save translated page - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save translated page - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra button: Options - {CCCE5D73-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O9 - Extra 'Tools' menuitem: Options - {CCCE5D73-9AA2-40F1-9C6B-12A255F08500} - C:\Program Files\poleng\Translatica2\bin\win\int\browser\iepolengextension.dll (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128629145890
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3AB7FFD-DEDF-410B-B61A-DBB3C41E731A}: NameServer = 192.168.10.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: BCEEHCIE - {773606CC-2429-16A6-12A5-4AB46B150A39} - (no file)
O21 - SSODL: mtklefap - {1D01A95F-3B55-4E3E-6EBF-E968582CC75C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Program Files\Common Files\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\muyshygb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

katana
2007-07-10, 23:54
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am training, this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I am looking at your log and will get back to you ASAP :)

katana
2007-07-12, 07:38
Hi Raphael26,

You are running a P2P filesharing program.

Many of these programs come with unwanted components bundled with them.
If you wish to find out whether the one you're using does, click here (http://p2p.malwareremoval.com/).


Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you uninstall it.

Please note: you must NOT use this whilst we are cleaning your machine.

AdAware
Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assist...mpaign=wdz0805
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com

O2 - BHO: (no name) - {F52214AB-166C-4435-BA05-D81F17B32DCA} - (no file)

O3 - Toolbar: Kellyfamily.nl toolbar - {3f341c57-3a96-46c5-868b-77b782d74980} - (no file)
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - (no file)

O4 - Startup: VP-EYE.lnk = C:\VP-EYE\control\vpeyev4.exe

O21 - SSODL: BCEEHCIE - {773606CC-2429-16A6-12A5-4AB46B150A39} - (no file)
O21 - SSODL: mtklefap - {1D01A95F-3B55-4E3E-6EBF-E968582CC75C} - (no file)

O23 - Service: DomainService - - C:\WINDOWS\system32\muyshygb.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

SD Fix

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Download and Run ComboFix

Download Combofix from one of the two links below :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\WINDOWS\system32\muyshygb.exe
C:\WINDOWS\svchost.exe

Folder::
C:\VP-EYE

Registry::
[-HKEY_CLASSES_ROOT\CLSID\{F52214AB-166C-4435-BA05-D81F17B32DCA}]
[-HKEY_CLASSES_ROOT\CLSID\{3f341c57-3a96-46c5-868b-77b782d74980}]
[-HKEY_CLASSES_ROOT\CLSID\{5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2}]
[-HKEY_CLASSES_ROOT\CLSID\{773606CC-2429-16A6-12A5-4AB46B150A39}]
[-HKEY_CLASSES_ROOT\CLSID\{1D01A95F-3B55-4E3E-6EBF-E968582CC75C}]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Report.txt
Combofix log (both)
A fresh HJT log (after the above has been done)
Installed programs list
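As an added, defender-side illustration that is not part of the thread: the entries katana asked to fix share a few traits visible in the log itself (a registered component whose file is gone, an O23 service with no vendor name, a core Windows binary name such as svchost.exe running from outside System32). The Python below (example code, not HijackThis's own) parses lines in the HJT 1.99.1 format shown above and reports those traits; the sample lines and the list of system binary names are constructed for the example, and the output is a triage aid for reading a log, not a verdict.

```python
import re

# Constructed sample lines, in the HijackThis 1.99.1 entry format used in the thread above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {F52214AB-166C-4435-BA05-D81F17B32DCA} - (no file)
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - (no file)
O21 - SSODL: mtklefap - {1D01A95F-3B55-4E3E-6EBF-E968582CC75C} - (no file)
O23 - Service: DomainService - - C:\\WINDOWS\\system32\\muyshygb.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\\WINDOWS\\svchost.exe (file missing)
"""

ENTRY = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# O23 body: "Service: <display name> - <vendor> - <path>"; the vendor field may be empty.
SERVICE = re.compile(r"^Service: (?P<name>.+?) -\s*(?P<vendor>.*?)\s*- (?P<path>[A-Za-z]:\\.*)$")
# Constructed list: core Windows binaries that legitimately live only under System32 on XP.
SYSTEM_BINARIES = {"svchost.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

def parse_entry(line):
    """Split one HijackThis line into its type code, vendor (O23 only) and target path."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    vendor, target = None, body.rsplit(" - ", 1)[-1]
    if kind == "O23" and (s := SERVICE.match(body)):
        vendor, target = s.group("vendor"), s.group("path")
    return {"type": kind, "vendor": vendor, "target": target.replace("(file missing)", "").strip()}

def triage_line(line):
    """Return the reasons an entry deserves a closer look; an empty list means nothing was noted."""
    e = parse_entry(line)
    if e is None:
        return []
    reasons = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: registered component has no file on disk")
    if e["type"] == "O23" and e["vendor"] in ("", "Unknown owner"):
        reasons.append("service with no identifiable vendor")
    path = e["target"].lower()
    folder, _, name = path.rpartition("\\")
    if name in SYSTEM_BINARIES and folder != "c:\\windows\\system32":
        reasons.append("system binary name outside System32: " + e["target"])
    return reasons

def triage_log(text):
    """Map every flagged line of a log to its reasons, preserving log order."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}
```

Run against the sample, five of the seven lines are flagged; the legitimate Adobe BHO and the NVIDIA service pass, which mirrors what katana left alone in the fix list.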

katana
2007-07-15, 23:41
Hi Raphael26,
Are you still with us?

tashi
2007-07-21, 09:32
Raphael26, due to lack of a response to your helper, this topic has been archived.

Thank you katana. :)