View Full Version : Firefox hijacked plus slow performance
(re-posting - I waited too long to post in Waiting Room...:oops:
Original post is here: http://forums.spybot.info/showthread.php?t=44656 )
When the main account used by everyone in the family (non-administrator) logs in, Firefox is fired up automatically and goes to a specific site (see original post linked above for address).
When logged in as administrator, it does not happen.
Also, overall performance is excruciatingly slow. Also, computer sometimes seems to just get stuck. When stuck, we have to power off to restart.
I've attached TWO HJT logs this time - one from the affected account and one from the administrator account.
Thanks for your help!
Yosh
========= HJT log from affected account =========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:19 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Mozy\mozystat.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Hadassah\Application Data\mjusbsp\magicJack.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] c:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TitleSave] C:\PROGRA~1\ELSE POLL FILE\Mpegheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [X1FileMonitor.exe] D:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [WindowsAdvisor] "C:\Program Files\WindowsAdvisor\AdvAgent.exe" /startup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Hadassah\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Netvision Cable Connect.url
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\System32\cisvc.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - d:\Program Files\Mozy\mozybackup.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - d:\Program Files\No-IP\DUC20.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: RemotePC Support (remote support) - Unknown owner - C:\Program Files\Remote Support Host\RemoteSM.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Program Files\UltraVNC\winvnc.exe
O24 - Desktop Component 0: (no name) - http://forumsgallery.tapuz.co.il/ForumsGallery/galleryimages/329gallery_46292.jpg
O24 - Desktop Component 1: (no name) - http://www.geocities.com/negohot/images/map1.jpg
--
End of file - 10332 bytes
=====================================
===== HJT log from the adminstrator account =======
=====================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:06 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\LogMeIn\x86\RaMaint.exe
D:\Program Files\LogMeIn\x86\LogMeIn.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\Program Files\Mozy\mozybackup.exe
d:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\mysql\bin\mysqld-nt.exe
D:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\fxssvc.exe
c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
c:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
D:\Program Files\Mozy\mozystat.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Documents and Settings\QuickAdmin\Application Data\mjusbsp\magicJack.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.googl.com/
F2 - REG:system.ini: Shell=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] c:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\QuickAdmin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\System32\cisvc.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - d:\Program Files\Mozy\mozybackup.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - d:\Program Files\No-IP\DUC20.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: RemotePC Support (remote support) - Unknown owner - C:\Program Files\Remote Support Host\RemoteSM.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Program Files\UltraVNC\winvnc.exe
--
End of file - 10153 bytes
yoshm,
Welcome, sorry for the delay .
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [TitleSave] C:\PROGRA~1\ELSE POLL FILE\Mpegheck.exe
O24 - Desktop Component 0: (no name) - http://forumsgallery.tapuz.co.il/For...lery_46292.jpg G
O24 - Desktop Component 1: (no name) - http://www.geocities.com/negohot/images/map1.jpg
Please Download No Lop (http://www.spywareedge.net/nolop/NoLop.exe) to your desktop
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labeled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should pop-up from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log after completing the next steps.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder then rerun the program.
I don't need the log from the Administrator
HI Ken,
Many thanks.
I followed all your instructions and below is the NoLop log. FYI, it did not find an infection, but I rebooted anyway. Also FYI, on reboot Firefox ran by itself going to that "nana10" site (as it did before).
Thanks - I await your further directions,
Yosh
--------------
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\Hadassah\Desktop
[2/10/2009]
[1:35:19 AM]
---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.
---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Sony Corporation
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Avg8 -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Olympus
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Raxco
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\All Users\Application Data\Tcpiq
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Logmein
C:\Documents and Settings\All Users\Application Data\Brother
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Identities -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Mozilla
C:\Documents and Settings\Localservice\Application Data\Talkback
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Hadassah\Application Data\Microsoft
C:\Documents and Settings\Hadassah\Application Data\Identities
C:\Documents and Settings\Hadassah\Application Data\Sony Corporation
C:\Documents and Settings\Hadassah\Application Data\Help
C:\Documents and Settings\Hadassah\Application Data\Macromedia
C:\Documents and Settings\Hadassah\Application Data\Mozilla
C:\Documents and Settings\Hadassah\Application Data\Talkback
C:\Documents and Settings\Hadassah\Application Data\Real
C:\Documents and Settings\Hadassah\Application Data\Adobe
C:\Documents and Settings\Hadassah\Application Data\Gurunet
C:\Documents and Settings\Hadassah\Application Data\Sun
C:\Documents and Settings\Hadassah\Application Data\Mailwasher -- EMPTY Directory
C:\Documents and Settings\Hadassah\Application Data\Roxio
C:\Documents and Settings\Hadassah\Application Data\C2media -- EMPTY Directory
C:\Documents and Settings\Hadassah\Application Data\Skype
C:\Documents and Settings\Hadassah\Application Data\Pdfcreator
C:\Documents and Settings\Hadassah\Application Data\Icqlite
C:\Documents and Settings\Hadassah\Application Data\Vlc
C:\Documents and Settings\Hadassah\Application Data\Installshield
C:\Documents and Settings\Hadassah\Application Data\Google
C:\Documents and Settings\Hadassah\Application Data\Media Player Classic
C:\Documents and Settings\Hadassah\Application Data\Dvdcss
C:\Documents and Settings\Hadassah\Application Data\Cyberlink
C:\Documents and Settings\Hadassah\Application Data\Corel
C:\Documents and Settings\Hadassah\Application Data\Contentguard -- EMPTY Directory
C:\Documents and Settings\Hadassah\Application Data\Lavasoft
C:\Documents and Settings\Hadassah\Application Data\Leadertech
C:\Documents and Settings\Hadassah\Application Data\Installshield Installation Information
C:\Documents and Settings\Hadassah\Application Data\Vidalia
C:\Documents and Settings\Hadassah\Application Data\Tor
C:\Documents and Settings\Hadassah\Application Data\Arcsoft
C:\Documents and Settings\Hadassah\Application Data\Brother
C:\Documents and Settings\Hadassah\Application Data\Gtek
C:\Documents and Settings\Hadassah\Application Data\Mjusbsp
C:\Documents and Settings\Shira & Oren\Application Data\Microsoft
C:\Documents and Settings\Shira & Oren\Application Data\Identities
C:\Documents and Settings\Shira & Oren\Application Data\Sony Corporation
C:\Documents and Settings\Shira & Oren\Application Data\Macromedia
C:\Documents and Settings\Shira & Oren\Application Data\Real
C:\Documents and Settings\Shira & Oren\Application Data\Sun
C:\Documents and Settings\Shira & Oren\Application Data\Gurunet
C:\Documents and Settings\Shira & Oren\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Shira & Oren\Application Data\Mozilla
C:\Documents and Settings\Shira & Oren\Application Data\Talkback
C:\Documents and Settings\Shira & Oren\Application Data\Icqlite
C:\Documents and Settings\Shira & Oren\Application Data\Adobe
C:\Documents and Settings\Shira & Oren\Application Data\Google
C:\Documents and Settings\Shira & Oren\Application Data\Vlc
C:\Documents and Settings\Tamara\Application Data\Microsoft
C:\Documents and Settings\Tamara\Application Data\Identities
C:\Documents and Settings\Tamara\Application Data\Sony Corporation
C:\Documents and Settings\Tamara\Application Data\Macromedia
C:\Documents and Settings\Tamara\Application Data\Real
C:\Documents and Settings\Tamara\Application Data\Adobe
C:\Documents and Settings\Tamara\Application Data\Sun
C:\Documents and Settings\Tamara\Application Data\Gurunet
C:\Documents and Settings\Tamara\Application Data\Skype
C:\Documents and Settings\Tamara\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Tamara\Application Data\Mozilla
C:\Documents and Settings\Tamara\Application Data\Talkback
C:\Documents and Settings\Tamara\Application Data\Opera
C:\Documents and Settings\Tamara\Application Data\Media Player Classic
C:\Documents and Settings\Tamara\Application Data\Vlc
C:\Documents and Settings\Tamara\Application Data\Arcsoft
C:\Documents and Settings\Zusha\Application Data\Microsoft
C:\Documents and Settings\Zusha\Application Data\Identities
C:\Documents and Settings\Zusha\Application Data\Sony Corporation
C:\Documents and Settings\Zusha\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Zusha\Application Data\Macromedia
C:\Documents and Settings\Zusha\Application Data\Sun
C:\Documents and Settings\Zusha\Application Data\Real
C:\Documents and Settings\Zusha\Application Data\Adobe
C:\Documents and Settings\Zusha\Application Data\Mozilla
C:\Documents and Settings\Zusha\Application Data\Talkback
C:\Documents and Settings\Zusha\Application Data\Gurunet
C:\Documents and Settings\Zusha\Application Data\Roxio
C:\Documents and Settings\Zusha\Application Data\Skype
C:\Documents and Settings\Zusha\Application Data\Icqlite
C:\Documents and Settings\Zusha\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Zusha\Application Data\Media Player Classic
C:\Documents and Settings\Zusha\Application Data\Vlc
C:\Documents and Settings\Zusha\Application Data\Lavasoft
C:\Documents and Settings\Zusha\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\Zusha\Application Data\Cyberlink
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\Talkback
C:\Documents and Settings\Amichai\Application Data\Microsoft
C:\Documents and Settings\Amichai\Application Data\Identities
C:\Documents and Settings\Amichai\Application Data\Sony Corporation
C:\Documents and Settings\Amichai\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Amichai\Application Data\Macromedia
C:\Documents and Settings\Amichai\Application Data\Sun
C:\Documents and Settings\Amichai\Application Data\Real
C:\Documents and Settings\Amichai\Application Data\Adobe
C:\Documents and Settings\Amichai\Application Data\Gurunet
C:\Documents and Settings\Amichai\Application Data\Opera
C:\Documents and Settings\Amichai\Application Data\Roxio
C:\Documents and Settings\Amichai\Application Data\Mozilla
C:\Documents and Settings\Amichai\Application Data\Skype
C:\Documents and Settings\Amichai\Application Data\Mailwasher
C:\Documents and Settings\Amichai\Application Data\C2media -- EMPTY Directory
C:\Documents and Settings\Amichai\Application Data\Talkback
C:\Documents and Settings\Amichai\Application Data\Icqlite
C:\Documents and Settings\Amichai\Application Data\Google
C:\Documents and Settings\Amichai\Application Data\Media Player Classic
C:\Documents and Settings\Amichai\Application Data\Vlc
C:\Documents and Settings\Default\Application Data\Microsoft
C:\Documents and Settings\Default\Application Data\Identities
C:\Documents and Settings\Default\Application Data\Sony Corporation
C:\Documents and Settings\Default\Application Data\Symantec
C:\Documents and Settings\Default\Application Data\Support.com
C:\Documents and Settings\Default\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Default\Application Data\Macromedia
C:\Documents and Settings\Default\Application Data\Adobe
C:\Documents and Settings\Default\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Default\Application Data\Roxio
C:\Documents and Settings\Default\Application Data\{7148f0a6-6813-11d6-a77b-00b0d0142010}
C:\Documents and Settings\Default\Application Data\Sun
C:\Documents and Settings\Default\Application Data\Opera
C:\Documents and Settings\Default\Application Data\Mozilla
C:\Documents and Settings\Default\Application Data\Talkback
C:\Documents and Settings\Default\Application Data\Adobeum
C:\Documents and Settings\Default\Application Data\Real
C:\Documents and Settings\Default\Application Data\Google
C:\Documents and Settings\Default\Application Data\Wmtools Downloaded Files -- EMPTY Directory
C:\Documents and Settings\Default\Application Data\Mailwasher
C:\Documents and Settings\Default\Application Data\Skype
C:\Documents and Settings\Default\Application Data\Pdfcreator
C:\Documents and Settings\Default\Application Data\Free World Dialup
C:\Documents and Settings\Default\Application Data\Corel
C:\Documents and Settings\Default\Application Data\Visicom Media
C:\Documents and Settings\Default\Application Data\Icqlite
C:\Documents and Settings\Default\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Default\Application Data\Media Player Classic
C:\Documents and Settings\Default\Application Data\Vlc
C:\Documents and Settings\Default\Application Data\Applicationhistory
C:\Documents and Settings\Default\Application Data\Leadertech
C:\Documents and Settings\Default\Application Data\Ahead
C:\Documents and Settings\Default\Application Data\Contentguard
C:\Documents and Settings\Default\Application Data\Dvdcss
C:\Documents and Settings\Default\Application Data\Aol
C:\Documents and Settings\Default\Application Data\Acccore
C:\Documents and Settings\Default\Application Data\Toaster
C:\Documents and Settings\Default\Application Data\Microsoft Help -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Quickadmin\Application Data\Microsoft
C:\Documents and Settings\Quickadmin\Application Data\Identities
C:\Documents and Settings\Quickadmin\Application Data\Gurunet
C:\Documents and Settings\Quickadmin\Application Data\Macromedia
C:\Documents and Settings\Quickadmin\Application Data\Lavasoft
C:\Documents and Settings\Quickadmin\Application Data\Mozilla
C:\Documents and Settings\Quickadmin\Application Data\Talkback
C:\Documents and Settings\Quickadmin\Application Data\Adobe
C:\Documents and Settings\Quickadmin\Application Data\Adobeum
C:\Documents and Settings\Quickadmin\Application Data\Sun
C:\Documents and Settings\Quickadmin\Application Data\Google
C:\Documents and Settings\Quickadmin\Application Data\Installshield
C:\Documents and Settings\Quickadmin\Application Data\Brother
C:\Documents and Settings\Quickadmin\Application Data\Pc-fax Tx
C:\Documents and Settings\Quickadmin\Application Data\Vidalia
C:\Documents and Settings\Quickadmin\Application Data\Reallusion
C:\Documents and Settings\Quickadmin\Application Data\Vlc
C:\Documents and Settings\Quickadmin\Application Data\Gtek
C:\Documents and Settings\Quickadmin\Application Data\Mjusbsp
Lets run this program
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
HI Ken,
It was a bit harder to follow your instructions than I expected. I will explain. I downloaded from the first link, but ComboFix complained the file was corrupt. I then rebooted and tried the second link, and I got an error message that Installation Failed. So I rebooted again and then tried the third link & got the same error message. I rebooted again, closed everything I could in the system tray and tried again and got more error messages:
Abort! Interference detected! Please perform a Rootkit scan.
and
Error: Some files could not be created. Please close all applications, reboot Windows and restart this installation.
I did so. I lost track of how many times I rebooted. A couple times the machine hung after reboot & I had to power it off.
Next time, I got a new warning message:
Parasites found!! The following files were trying to attach to ComboFix.
They shall be disabled. ...
C:\WINDOWS\System32\wmfhotfix.dll
Then I got a message that ComboFix couldn't run because I was not Administrator.
So I ran it again as an Administrator. This time a message appeared briefly warning that "You cannot rename ComboFix as ComboFix", but then it disappeared. After that it seemed to run normally and do its stuff. No warnings this time about Parasites nor Rootkits nor Installation Failed.
Here are the logs you requested. I await your further instructions.
Many Thanks,
Yosh
==== ComboFix Log ======
ComboFix 09-02-08.02 - QuickAdmin 02/10/2009 19:26:59.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.495.118 [GMT 2:00]
Running from: c:\documents and settings\Hadassah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Hadassah\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Amichai\Favorites\Games.url
c:\windows\hosts
c:\windows\start.exe
c:\windows\system32\mdm.exe
c:\windows\system32\windows.scr
c:\windows\Web\default.htt
.
((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 23:35 106 ----a-w C:\delete.bat
2008-12-25 10:09 --------- d-----w c:\program files\Alwil Software
2008-12-25 09:53 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2008-12-25 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-19 08:35 --------- d-----w c:\documents and settings\QuickAdmin\Application Data\mjusbsp
2008-12-18 16:50 --------- d-----w c:\documents and settings\Hadassah\Application Data\mjusbsp
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\SYSTEM32\dllcache\srv.sys
2008-11-13 09:52 91,648 ----a-w c:\windows\SYSTEM32\lua5.1a.dll
2008-11-13 09:52 9,728 ----a-w c:\windows\SYSTEM32\udefrag.dll
2008-11-13 09:52 9,728 ----a-w c:\windows\SYSTEM32\lua5.1a.exe
2008-11-13 09:52 9,728 ----a-w c:\windows\SYSTEM32\defrag_native.exe
2008-11-13 09:52 86,016 ----a-w c:\windows\SYSTEM32\ultradefrag.exe
2008-11-13 09:52 7,680 ----a-w c:\windows\SYSTEM32\udefrag.exe
2008-11-13 09:52 6,656 ----a-w c:\windows\SYSTEM32\udefrag-gui.exe
2008-11-13 09:52 6,656 ----a-w c:\windows\SYSTEM32\bootexctrl.exe
2008-11-13 09:52 17,408 ----a-w c:\windows\SYSTEM32\zenwinx.dll
2008-11-13 09:52 13,824 ----a-w c:\windows\SYSTEM32\lua5.1a_gui.exe
2008-10-28 19:27 448,208 ----a-w c:\documents and settings\Hadassah\Application Data\GDIPFONTCACHEV1.DAT
2008-01-08 21:17 444,456 ----a-w c:\documents and settings\default\Application Data\GDIPFONTCACHEV1.DAT
2006-02-05 11:14 115 ----a-w c:\documents and settings\default\Application Data\fusioncache.dat
2001-02-06 08:11 16,384 ----a-w c:\windows\inf\kbcam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
11/16/2008 11:32 PM 3044664 --a------ d:\program files\Mozy\mozyshell.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
11/16/2008 11:32 PM 3044664 --a------ d:\program files\Mozy\mozyshell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [04/14/2008 03:12 AM 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 03:12 AM 15360]
"cdloader"="c:\documents and settings\QuickAdmin\Application Data\mjusbsp\cdloader2.exe" [12/17/2008 08:36 PM 50520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [07/09/2001 11:50 AM 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/25/2008 11:53 AM 136600]
"LogMeIn GUI"="d:\program files\LogMeIn\x86\LogMeInSystray.exe" [04/17/2007 02:03 PM 63048]
"WinVNC"="d:\program files\UltraVNC\winvnc.exe" [06/18/2006 02:56 PM 712704]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [03/23/2007 01:14 PM 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [01/26/2007 03:58 PM 65536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [11/26/2008 07:18 PM 81000]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [04/14/2008 03:12 AM 169984]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 03:12 AM 15360]
c:\documents and settings\default\Start Menu\Programs\Startup\
WinTidy.lnk - c:\program files\WinTidy\WinTidy.exe [2001-10-08 585216]
WampServer.lnk - c:\wamp\wampserver.exe [2004-06-27 1101824]
c:\documents and settings\Hadassah\Start Menu\Programs\Startup\
Netvision Cable Connect.url [2008-02-07 97]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-04-24 113664]
MozyHome Status.lnk - d:\program files\Mozy\mozystat.exe [2008-11-16 2954552]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
GoBack.lnk - c:\program files\Roxio\GoBack\GBTray.exe [2003-09-23 565248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
10/17/2008 06:32 PM 87352 c:\windows\SYSTEM32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\wmfhotfix.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.MJPG"= sonymjpg.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0defrag_native
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel MEDIA FOLDERS INDEXER 8.LNK]
backup=c:\windows\pss\Corel MEDIA FOLDERS INDEXER 8.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^j2 Tray Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\j2 Tray Menu.lnk
backup=c:\windows\pss\j2 Tray Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Live Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Live Menu.lnk
backup=c:\windows\pss\Live Menu.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Mozy Status.lnk]
backup=c:\windows\pss\Mozy Status.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk.disabled]
backup=c:\windows\pss\VAIO Action Setup (Server).lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^Backyard Skateboarding Registration.lnk]
backup=c:\windows\pss\Backyard Skateboarding Registration.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChrisTV Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 07/11/2006 12:06 PM 3144800 c:\program files\ICQLite\ICQLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaKey]
--a------ 08/01/2000 04:11 AM 73728 c:\progra~1\INTERN~2\MEDIAKEY.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 03/24/2006 02:23 AM 36864 d:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"pdfFactory Pro Dispatcher v1"=c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NAV Premend OEM Utility"=a:\0107301.sym\PREMEND.EXE -silent
"ZTgServerSwitch"=c:\program files\support.com\client\lserver\server.vbs
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\FXSCLNT.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\wamp\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\Free World Dialup\\FWD.Communicator\\FWD.Communicator.exe"=
"d:\\Program Files\\UltraVNC\\winvnc.exe"=
"d:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"d:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\X-LiteFWD\\X-LiteFWD.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Hadassah\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\QuickAdmin\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11911:TCP"= 11911:TCP:*:Disabled:IdriveE Port
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-12-25 111184]
R1 mozyFilter;mozyFilter;c:\windows\SYSTEM32\DRIVERS\mozy.sys [2007-04-30 53752]
R1 SonyFanC;FAN Control Device Service;c:\windows\SYSTEM32\DRIVERS\SonyFanC.sys [2001-10-26 43160]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2008-12-25 20560]
R2 cssproct;Microsoft Corporation Process Trigger Driver for CSS;c:\windows\SYSTEM32\DRIVERS\cssproct.sys [2008-09-12 5504]
R2 LMIInfo;LogMeIn Kernel Information Provider;d:\program files\LogMeIn\x86\rainfo.sys [2007-06-12 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [2007-06-12 47640]
R2 msunid01;Microsoft PCHealth UniDriver v.2.0.130.0;c:\windows\SYSTEM32\DRIVERS\UniDr001\msunidrv.sys [2008-09-12 6144]
R2 V7;V7;c:\windows\SYSTEM32\DRIVERS\V7.SYS [2003-09-22 7196]
R2 vnccom;vnccom;c:\windows\SYSTEM32\DRIVERS\vnccom.SYS [2007-02-11 6016]
R3 SiS630;SiS630;c:\windows\SYSTEM32\DRIVERS\sis630p.sys [2002-01-08 124928]
S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\SYSTEM32\DRIVERS\BT848.sys [2004-01-28 261696]
S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\SYSTEM32\DRIVERS\bttuner.sys [2004-01-28 22016]
S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;c:\windows\SYSTEM32\DRIVERS\btxbar.sys [2004-01-28 13312]
S2 PDSched;PDScheduler;d:\program files\Raxco\PerfectDisk\PDSched.exe [2005-11-29 241731]
S2 remote support;RemotePC Support;c:\program files\Remote Support Host\RemoteSM.exe --> c:\program files\Remote Support Host\RemoteSM.exe [?]
S3 KBCAM;JamC@m USB service;c:\windows\SYSTEM32\DRIVERS\KBCAM.sys [2003-11-11 16384]
S3 sky_bus;SKTT USB Composite Device driver (WDM);c:\windows\SYSTEM32\DRIVERS\sky_bus.sys [2005-07-22 58288]
S3 sky_mdfl;SKTT IMT-2000 Handset Filter;c:\windows\SYSTEM32\DRIVERS\sky_mdfl.sys [2005-07-22 8336]
S3 sky_mdm;SKTT IMT-2000 Handset Drivers;c:\windows\SYSTEM32\DRIVERS\sky_mdm.sys [2005-07-22 93904]
S3 sky_serd;SKTT IMT-2000 Handset Diagnostic Serial Port (WDM);c:\windows\SYSTEM32\DRIVERS\sky_serd.sys [2005-07-22 73728]
S3 ultradfg;ultradfg;c:\windows\SYSTEM32\DRIVERS\ultradfg.sys [2008-11-13 24576]
S4 ATMhelpr;ATMhelpr;c:\windows\SYSTEM32\DRIVERS\ATMHELPR.SYS [2003-11-11 4064]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\PCHealth Scheduler for Data Collection.job
- c:\windows\PCHEALTH\SUPPORT\PCHSCHD.EXE []
2009-01-30 c:\windows\Tasks\Scan for Viruses.job
- c:\program files\Norton AntiVirus\NAVW32.EXE []
2003-09-21 c:\windows\Tasks\Video Reminder.job
- c:\windows\TUNEUP.EXE []
2003-09-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\SYSTEM\OOBE\MSOOBE.EXE []
2003-09-28 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\SYSTEM\OOBE\MSOOBE.EXE []
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Line Speed Meter - d:\program files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe
MSConfigStartUp-Pixley Picture Server - d:\program files\Granada Software\Pixley\Pixley.exe
MSConfigStartUp-ShellDispenser - c:\program files\ShellDispenser\ShellDispenser.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.googl.com/
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\QuickAdmin\Application Data\Mozilla\Firefox\Profiles\8bzon1kf.default\
FF - plugin: d:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npunagi2.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 19:35:24
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(436)
c:\windows\System32\wmfhotfix.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'(492)
c:\windows\System32\wmfhotfix.dll
.
Completion time: 02/10/2009 19:40:55
ComboFix-quarantined-files.txt 2009-02-10 17:40:48
Pre-Run: 2,224,689,152 bytes free
Post-Run: 3,548,606,464 bytes free
227 --- E O F --- 2009-02-03 20:30:59
=================================
===== HJT Log ======================
=================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:18 PM, on 2/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
D:\Program Files\Mozy\mozystat.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] c:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X1FileMonitor.exe] D:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [WindowsAdvisor] "C:\Program Files\WindowsAdvisor\AdvAgent.exe" /startup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Hadassah\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Netvision Cable Connect.url
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - d:\Program Files\Mozy\mozybackup.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - d:\Program Files\No-IP\DUC20.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: RemotePC Support (remote support) - Unknown owner - C:\Program Files\Remote Support Host\RemoteSM.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Program Files\UltraVNC\winvnc.exe
--
End of file - 9488 bytes
Hello Yosh,
C:\Program Files\Remote Support Host <-- Is this a program you use and know about?
Remove this entry with HJT.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
C:\Program Files\Remote Support Host <-- Is this a program you use and know about?
Thanks for noticing that. It may have been used in the distant past. I don't have any current use for it. I do not see it listed in the programs in Control Panel "Add/Remove..."
BTW, I see some other programs that concern me. I hope you don't mind my asking about them:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto <-- may be left over from an aborted attempt to install a Beta of PC-Health software
O4 - HKCU\..\Run: [X1FileMonitor.exe] D:\Program Files\X1\X1FileMonitor.exe <-- I uninstalled X1, I thought...
O4 - HKCU\..\Run: [WindowsAdvisor] "C:\Program Files\WindowsAdvisor\AdvAgent.exe" /startup <-- not sure where this comes from or what it is
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
<-- I thought I'd uninstalled PerfectDisk after the eval period ended. I see it's still listed in Control Panel. If you don't object I will uninstall it. May I?
Also I notice I still have WAMP installed though I no longer use it. May I uninstall it? (I'm asking becuase I don't want to do anything that will disturb the cleanup process you're guiding me through).
Remove this entry with HJT.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
I did it - but when I re-scanned it still appears.
Please download Malwarebytes' Anti-Malware ...<snip>
Done. Logs for it & HJT are below
Question: Were the messages from ComboFix regarding "Rootkit" and "Parasites" false positives?
Many many thanks,
yosh
----
Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 3
2/11/2009 2:19:41 PM
mbam-log-2009-02-11 (14-19-41).txt
Scan type: Quick Scan
Objects scanned: 79479
Time elapsed: 15 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\SYSTEM32\system32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\system32\drivers (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
===============================
===============================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:29 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
D:\Program Files\Mozy\mozystat.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Documents and Settings\Hadassah\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] c:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X1FileMonitor.exe] D:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [WindowsAdvisor] "C:\Program Files\WindowsAdvisor\AdvAgent.exe" /startup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Hadassah\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Netvision Cable Connect.url
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &הורד באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &הורד הכל באמצעות פלאש-גט - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - d:\Program Files\Mozy\mozybackup.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - d:\Program Files\No-IP\DUC20.exe
O23 - Service: PDEngine - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - D:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: RemotePC Support (remote support) - Unknown owner - C:\Program Files\Remote Support Host\RemoteSM.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\Apache.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Program Files\UltraVNC\winvnc.exe
--
End of file - 9851 bytes
You can uninstall any programs you no longer use, sometimes bad uninstalls leave entries behind.
Open Hijackthis
Go to Misc Tools> Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and Paste the List into this thread
Thanks. I uninstalled WAMP, PerfectDisk & a couple others. I assume your not reacting to the messages I got earlier about Rootkit & Parasite mean I should ignore them, so I will.
Here is the listing you requested. BTW, I tried uninstalling Yahoo Toolbar and MSN Music Agent, but the uninstalls failed...
Many thanks,
Yosh
-----------------
7-Zip 4.47 beta
Adaptec UDF Reader
Ad-Aware
Adobe Acrobat 4.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements
Adobe Reader 7.1.0
Adobe SVG Viewer
Adobe Type Manager 4.0
Agent Ransack Version 1.7.3
ArcSoft PhotoImpression
Asterisk Key
Audacity 1.2.1
AvantGo Client
avast! Antivirus
Backyard Skateboarding
Belarc Advisor 6.1
BEST Online Trading v7.0
Brother MFL-Pro Suite
Calculator Powertoy for Windows XP
ClearSkinFX for Digital Cameras
CLIE Album Plugin
CmdHere Powertoy For Windows XP
ColorCastFX for Digital Cameras
CopyTo Synchronizer 2.7A
Dagesh2000
DataManager[SK-6100]
DrawPlus 3.0
Duplicate Music Files Finder 1.5.5
DVDExpress
DVgate
Easy CD Creator 5 Platinum
EPSON Printer Software
EPSON TWAIN 5
ERUNT 1.1j
eSignal
Express Scribe Uninstall
FaceFilter Studio Brother Edition
FastFontSet
FileAlyzer 1.4
FinePrint pdfFactory Pro
FontBrowser
FreeUndelete
FWD.Communicator
FX Trading Station
GetRight
GMail Drive Shell Extension
GoBack Deluxe Edition
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
hotComm CL®
Hotfix for Windows Internet Explorer 7 (KB947864)
HTML Slideshow Powertoy for Windows XP
ICQ 5.1
Image Resizer Powertoy for Windows XP
ImCat
InCD
InstallRTC
Internet Explorer Q903235
Internet Keyboard
j2 Messenger
JamCam 3.0 Software
JamCam 3.0 Update V.GM6
JamCam 3.0F
Java 2 Runtime Environment, SE v1.4.2_01
Java(TM) 6 Update 11
LEGO Sports 2003
LogMeIn
Magnifier Powertoy for Windows XP
MailWasher
Malwarebytes' Anti-Malware
Media Bar 3.2.11
MGI PhotoSuite III SE (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Data Access Components KB870669
Microsoft Midtown Madness 2 Trial
Microsoft MSDN 2005 Express Edition - ENU
Microsoft Office 2003 Resource Kit
Microsoft Office Converter Pack
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2008 Express Edition - ENU
Microsoft Visual C# 2008 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Motion JPEG Software Decoder
MovieShaker
Mozilla (1.7.3)
Mozilla Firefox (2.0.0.11)
MozyHome Remote Backup
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multi-Edit 9
Multi-Edit 9 Update
Multimedia Launcher
Music Visualizer Library 1.1
MWSnap 3
My DSC
Nero OEM
NetAlyzer 0.3
NetLoad 4.2a
No-IP.com DUC (remove only)
OLYMPUS CAMEDIA Master 2.5
OLYMPUS CAMEDIA Master 4.1
OpenMG Secure Module 3.0.01
Opera 9.0
Palm Desktop
PDFCreator 0.8.0
Pegasus Mail
PhoTags 2.0
PhotoAlbum Add-In
PhotoPrinter 2000 Pro
PhotoRescue 3.1.3 Demo Version (build 10708)
PictureGear Studio 1.0
Plucker 1.6
PowerDVD
PowerProducer
PrintMaster
Quicken 2001 New User Edition
QuickTime Alternative 1.41
Real Alternative 1.50
RealProducer ActiveX Control
RunAlyzer
Sam Spade version 1.14
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SIMPLE 4.5V
SiS Audio Driver
SiS630_730 V2.03a.00
Skype™ 3.5
Slideshow Generator Powertoy for Windows XP
Smart Capture
SonicStage
Sony DV CODEC for QT
Sony Support Actions ME
Sony VAIO Registration
Sound Converter 2
SpeedFan (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
The Complete Herman Collection
Tomb Raider Chronicles
Tweakui Powertoy for Windows XP
Ultra Defragmenter
UltraVNC v1.0.2
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
VAIO Action Setup
VAIO Action Setup Upgrade #001
VAIO Support
VAIO Wallpaper
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Virtual VCR
VisualFlow 2.0
What's Running 2.1
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Service Pack 3
WinGrab 1.50.09
WinTidy 2.0
Wise Disk Cleaner 3.74
Wise Registry Cleaner 3 Free 3.82
WMatch Version 2.1
WordSmith 2.2.24
World Book 2002
X-Lite Free World Dialup 2.0 private build 1101
Yahoo! Toolbar
YahooPOPs! 0.5
Zinio Reader
Hi yoshm,
You can open IE and go to View > Toolbars and take the checkmark out of Yahoo.
Spybot - Search & Destroy 1.5.2.20 <--This is outdated, you should uninstall it and download and install the latest version 1.6.2
http://www.safer-networking.org/en/spybotsd/index.html
Viewpoint Media Player <-- This installed without your knowledge or consent and is not needed, you can uninstall this.
Wise Registry Cleaner 3 Free 3.82<-- A word of caution about Registry Cleaners, remove wrong entry or entries ( and these programs sometimes do ) and it could make your system inoperable, remove a bunch of legit items and you will see no difference in system performance. Been around computers for about 12 years and never had any need for programs like this.
When you ran Combofix, if you had rootkit activity it would have sent up a warning and it did not. You can run this quick scan to doublecheck.
Download Blacklight Rootkit Detection and Elimination Tool (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe) to your desktop
Click on fsbl.exe to run it and follow the prompts, post the log please
yoshm, if you still need help removing some programs let me know and I will link you to some windows support sites that do that kind of work, this forum is for the removal of malware only
Ken :)
You can open IE and go to View > Toolbars and take the checkmark out of Yahoo.
Done - but still can't uninstall it from the system - When I try to, it does nothing...
Spybot - Search & Destroy 1.5.2.20 <--This is outdated, you should uninstall it and download and install the latest version 1.6.2
http://www.safer-networking.org/en/spybotsd/index.html
Done. I will run a full system scan with the new version (after updating). Do you want to see the results?
Viewpoint Media Player <-- This installed without your knowledge or consent and is not needed, you can uninstall this.
Done - thanks for noticing it.
Wise Registry Cleaner 3 Free 3.82<-- A word of caution about Registry Cleaners, remove wrong entry or entries ( and these programs sometimes do ) and it could make your system inoperable, remove a bunch of legit items and you will see no difference in system performance. Been around computers for about 12 years and never had any need for programs like this.
Yes - I read the sticky on the subject & have stopped using it. It never caused me problems & it was my impression that registry bloat could slow down performance but I decided to heed your and others' advice.
When you ran Combofix, if you had rootkit activity it would have sent up a warning and it did not. You can run this quick scan to doublecheck.
Download Blacklight Rootkit Detection and Elimination Tool (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe) to your desktop
Click on fsbl.exe to run it and follow the prompts, post the log please
done. Log pasted below. (I asked because ComboFix did mention it once while I was trying to get it to run.)
yoshm, if you still need help removing some programs let me know and I will link you to some windows support sites that do that kind of work, this forum is for the removal of malware only
Thanks. Yes, I would appreciate the referral.
FYI, system performance is still awful. The main program affected seems to be Windows Explorer - just opening "My Computer" can take minutes! I thought malware was to blame, but all your tests seem not to have turned up a culprit. In Task Manager I see Explorer consuming almost all the CPU for long periods of time and everything else is stuck until it finally finishes whatever it's doing.
Also, I have been carefully scrutinizing my system during this process & last night I found the source of the Firefox Hijack. It was so obvious I'm embarrassed I didn't see it from the start. There's an URL that was added to my Startup menu!
Thanks again for all your help. Please let me know if you have any other advice as to why my system seems to be drenched with molasses. Meanwhile, the log is posted below.
Best,
Yosh
----------------------FSBL Log ---------------
02/13/09 11:29:14 [Info]: BlackLight Engine 2.2.1092 initialized
02/13/09 11:29:14 [Info]: OS: 5.1 build 2600 (Service Pack 3)
02/13/09 11:29:15 [Note]: 7019 4
02/13/09 11:29:15 [Note]: 7005 0
02/13/09 11:29:20 [Note]: 7006 0
02/13/09 11:29:20 [Note]: 7011 1580
02/13/09 11:29:20 [Note]: 7035 0
02/13/09 11:29:21 [Note]: 7026 0
02/13/09 11:29:21 [Note]: 7026 0
02/13/09 11:29:43 [Note]: FSRAW library version 1.7.1024
02/13/09 11:31:54 [Note]: 7006 0
02/13/09 11:31:54 [Note]: 7011 1580
02/13/09 11:31:55 [Note]: 7035 0
02/13/09 11:31:55 [Note]: 7026 0
02/13/09 11:31:55 [Note]: 7026 0
02/13/09 11:32:01 [Note]: FSRAW library version 1.7.1024
02/13/09 11:34:43 [Note]: 7007 0
Hello Yosh,
No Rootkit was detected. Lets do a few more things before you head over to a windows forum..
Spybot Search and Destroy, when you install it, keep the TeaTimer disabled as it will prevent removal of malware if any is present. Let me know if it picked up anything??
This will remove more bloat than the registry cleaner
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Run this free online scan using Internet Explorer:
Kaspersky Online Virus Scanner (http://www.kaspersky.com/virusscanner)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
If you have problems with Kaspersky, then run this next one
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
Then post a new Hijackthis log please
Hi. I was away for a 1.5 days - sorry for the delay.
Spybot turned up absolutely nothing.
I did the Cleanup you advised.
Kaspersy is running now & looks like it's going to take a long time.
I'm leaving it running & will get back to my PC in a few hours & will post the results then & a new HJT log.
Thanks,
Yosh
It says it's at 4% - at this rate I may not have the results until tomorrow...
Just wanted to let you know why I haven't posted the results yet.
Thanks,
Yosh
Yosh,
Sometimes Kaspersky takes awhile but it shouldn't take this long. You have a few options. You can abort the scan and run ESET. You can also try booting to Safemode with Networking if your on a broadband connection and running the scan that way.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Hi. Thanks for the suggestion. Actually, it started moving "quickly" again. I think it was hung while I was away because shortly before I left, I had noticed that Mozy had started doing a backup. So I canceled the backup and also suspended Mozy so it wouldn't start up again (I wanted to give all the CPU to Kaspersky). When I got back, I saw a message up from Mozy, which I OK'ed. Afterwards, I noticed that the timer on Kaspersky said it had only been running for about an hour - even though I'd left the computer for about 4-5 hours. So I deduced it must have hung for part of the time until I OK'ed the Mozy message. Now it's almost at 50%, so I think I'll let it finish.
BTW, FYI, it's now a Java-based scanner, instead of ActiveX. I had to install a new version of Java to run it. The interface seems slightly different, but it was easy to "translate" from your instructions to the new interface. You may want to update the instructions for the next time you help someone.
Thanks for the ongoing care - I'll probably be able to post results in another couple hours.
Thanks again,
Yosh
It finally finished. I've attached the logfile below. Also the HJT.
Note that re: Kaspersky,I know about VNC & LogMeIn, I installed them. The viruses it found in archived mailboxes don't concern me so much - they are never accessed - I should probably delete them though, I guess.
However, this entry (first in series) seems odd (to my untrained eyes):
C:\WINDOWS\pk_zip1.log Infected: Email-Worm.Win32.NetSky.aa 1
OK, many thanks - I await your assessment & feedback.
Best,
Yosh
------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 14, 2009 21:19:29
Records in database: 1797429
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics:
Files scanned: 266220
Threat name: 22
Infected objects: 46
Suspicious objects: 12
Duration of the scan: 22:34:12
File name / Threat name / Threats count
D:\Program Files\UltraVNC\winvnc.exe/D:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\WINDOWS\pk_zip1.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip2.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip3.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip4.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip5.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip6.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip7.log Infected: Email-Worm.Win32.NetSky.aa 1
C:\WINDOWS\pk_zip8.log Infected: Email-Worm.Win32.NetSky.aa 1
D:\Downloads\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 2
D:\Downloads\UltraVnc-101-Setup.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 2
D:\Downloads\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 2
D:\Downloads\UltraVNC-102-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
D:\Old Disk Drive from Yosh's WINNT PC\MYDOCS$BKUP (K)\Backup\Hillel\mailbox.pst Infected: Virus.MSExcel.Laroux.cs 1
D:\Program Files\LogMeIn\update\2-30-557.bak\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
D:\Program Files\LogMeIn\update\2-30-557.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a 1
D:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
D:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
D:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
D:\WINPMAIL\MAIL\Hadassah\FOL01A43.PMM Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\WINPMAIL\MAIL\Hadassah\FOL01A43.PMM Infected: Email-Worm.Win32.Tanatos.b.dam 2
D:\WINPMAIL\MAIL\Yosh\FOL07489.PMM Suspicious: Exploit.HTML.Iframe.FileDownload 3
D:\WINPMAIL\MAIL\Yosh\FOL07489.PMM Infected: Email-Worm.Win32.Tanatos.a 1
D:\WINPMAIL\MAIL\Yosh\FOL07489.PMM Infected: Email-Worm.Win32.Klez.h 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL03E1A.PMM Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL03E1A.PMM Infected: Trojan-Spy.HTML.Bayfraud.ib 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL03E1A.PMM Infected: Email-Worm.Win32.Hybris.b 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL03E1A.PMM Infected: Email-Worm.Win32.Sircam.c 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL03E1A.PMM Infected: Email-Worm.Win32.Magistr.a 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL03E1A.PMM Infected: Email-Worm.Win32.Badtrans.a 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL062A1.PMM Infected: Email-Worm.VBS.KakWorm 3
D:\WINPMAIL\MAIL\Yosh.sav\FOL062A1.PMM Infected: Email-Worm.Win32.MTX 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL062A1.PMM Infected: Email-Worm.Win32.Hybris.b 1
D:\WINPMAIL\MAIL\Yosh.sav\FOL07489.PMM Suspicious: Exploit.HTML.Iframe.FileDownload 2
D:\WINPMAIL\MAIL\Yosh.sav\FOL07489.PMM Infected: Email-Worm.Win32.Tanatos.a 1
D:\WINPMAIL\MAIL\Yosh.sav2\FOL07489.PMM Suspicious: Exploit.HTML.Iframe.FileDownload 4
D:\WINPMAIL\MAIL\Yosh.sav2\FOL07489.PMM Infected: Email-Worm.Win32.Tanatos.a 1
D:\WINPMAIL\MAIL\Yosh.sav2\FOL07489.PMM Infected: Email-Worm.Win32.Klez.h 1
H:\BACKUP\Mail\Hadassah\FOL01A43.PMM Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\BACKUP\Mail\Hadassah\FOL01A43.PMM Infected: Email-Worm.Win32.Tanatos.b.dam 2
H:\BACKUP\Mail\Hadassah\FOL01A43.PMM Infected: Email-Worm.Win32.Mydoom.a 1
H:\BACKUP\Mail\Hadassah\FOL01A43.PMM Infected: Email-Worm.Win32.NetSky.q 2
H:\BACKUP\Mail\Hadassah\FOL01A43.PMM Infected: Email-Worm.Win32.NetSky.r 1
H:\BACKUP\Mail\Hadassah\PQXSL3KP.CNM Infected: Trojan-Spy.HTML.Citifraud.ae 1
The selected area was scanned.
==================================================
==================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:46 AM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
c:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\LogMeIn\x86\RaMaint.exe
D:\Program Files\LogMeIn\x86\LogMeIn.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\system32\fxssvc.exe
D:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
D:\Program Files\Mozy\mozystat.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
d:\Program Files\Mozy\mozybackup.exe
C:\Documents and Settings\QuickAdmin\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.googl.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "D:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [WinVNC] "D:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] c:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\QuickAdmin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.yorkphoto.com/YorkUpload.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/Disk1/isetupml.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - c:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - c:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - D:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - d:\Program Files\Mozy\mozybackup.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - d:\Program Files\No-IP\DUC20.exe
O23 - Service: RemotePC Support (remote support) - Unknown owner - C:\Program Files\Remote Support Host\RemoteSM.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - D:\Program Files\UltraVNC\winvnc.exe
--
End of file - 9693 bytes
Hello Yoshm,
Thanks for hanging in with me on this
Delete all these in Red
C:\WINDOWS\pk_zip1.log
C:\WINDOWS\pk_zip2.log
C:\WINDOWS\pk_zip3.log
C:\WINDOWS\pk_zip4.log
C:\WINDOWS\pk_zip5.log
C:\WINDOWS\pk_zip6.log
C:\WINDOWS\pk_zip7.log
C:\WINDOWS\pk_zip8.log
Empty out your mail folder
D:\WINPMAIL\MAIL\Yosh<--Not Yosh but eveything inside it
Remove these with HJT
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\Program Files\Remote Support Host <---If you no longer use this than uninstall it via Add Remove Programs
What part of this world of ours are you from? How is your system running now Yosh???
Thanks for hanging in with me on this
Thank YOU.
Delete all these...
Empty out your mail folder...
Remove these with HJT...
Done.
C:\Program Files\Remote Support Host <---If you no longer use this than uninstall it via Add Remove Programs
Unfortunately, it does not appear among items available to uninstall...
However, when I look inside that directory - it is empty. It apparently left some detritus behind...
What part of this world of ours are you from?
born: Texas.
Lived in: Texas, Missouri, Illinois, North Carolina, California, New York
Now in: Israel
How is your system running now Yosh???<sigh> as slow as ever...
E.G., opening "My Computer" - just tried it - took over 2 minutes till the window was populated. During that time, looking at Task Manager, Windows Explorer was consuming between 70-95% of CPU - busy doing I don't know what. It also grows & grows - e.g., right now it is using more than 170k of memory. Every time I try to open a file - as you know it invokes Explorer - and it can be excruciatingly slow. And while Explorer is consuming almost all the CPU cycles - there's nothing left for anything else, so the whole system crawls...
I don't know how to solve it - maybe I'll have to do what I've been dreading, which is reformat the hard disk and reinstall everything from scratch (arghhh).
Any other ideas?
Many thanks,
Yosh
Yosh,
So sorry your still having problems, we have been through a lot. I know a clean install of windows is a real pain, but I know people that reformat and do a clean install once a year just to keep things running smoothly.
I sounds like it could be some corrupt software programs or even a piece of hardware gone bad. I had some issues myself a few months ago on one of my laptops and of all things I found out it was the mouse.
We just do malware removal in this forum, I am going to link you to some good windows support forums , they are better equipped to help you find the correct solution and if a reformat is recommended they can guide you through the process.
Windows Tech Support Forums
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html)
It's Not Always Malware
Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)
Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)
Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)
Good luck Yosh, its been a pleasure helping you.
Ken:)
Many thanks, Ken.
Best,
Yosh
Your very welcome Yoshm
Take care
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.