Unwanted Popups and disabled Control Panel

G

grateful26

New member
Hi,
For the last day, I keep getting a pop up every 5 minutes saying

Windows Security Alert "warning! potential spyware operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unathorised access to your files! Click YES to download spyware remover ... " :oops:

I use AVG Free edition, and it recognized the virus, named "Trojan Horse Downloader.Small.AJY", and put it in the Vault. But there is one file that AVG also found, but it says the file is not a threat. This one:

C:\WINDOWS\System 32\drivers\etc\hosts :mad:

So I still have 2 problems: 1. the incessant popup mentioned above, and 2. I cannot access things like my Control Panel, or the Date function at the bottom right cornet, there is a Restrictions error message saying: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator".

It seems the 'hosts' file is the problem, but is something important so I likely shouldn't delete it.

I have done a few things like installing and running AVG Anti-Spyware 7.5 in safe mode, and it detected a few things and put them into Quarantine, but the problem persists. The other apps I used didn't find much. :sick:

Here is the HijackThis report from an hour ago:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:30 PM, on 02/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


You rock for helping the online community, and its refreshing to see people helping others. :angel:
I really appreciate any help regarding this problem. :)
 
Last edited by a moderator:
Hi grateful26

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
okay ... so I ran Combofix, and it made some changes (FYI - I'm running Spybot S&D, and it asked me if the changes that were proposed were okay, and I accepted them all - I dunno if that makes any difference) :sad:

Here is the log it produced:

ComboFix 07-10-03.7 - Pooria&Maryam 2007-10-03 13:25:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.93 [GMT -4:00]
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Pooria&Maryam\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Pooria&Maryam\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-03 13:25 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 18:46 218,112 --a------ C:\Program Files\HijackThis.exe
2007-10-02 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-02 00:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-02 00:31 <DIR> d-------- C:\VundoFix Backups
2007-10-01 17:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 17:04 12,288 --a------ C:\WINDOWS\svhjdsah.exe
2007-10-01 16:53 39,424 --a------ C:\WINDOWS\system32\vtr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 18:47 4702 --a------ C:\Program Files\hijackthis.log
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-22 13:21 229732 --a------ C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_5703.exe
2007-07-22 02:32 765952 --------- C:\WINDOWS\UNNERO.exe
2007-07-22 02:32 532480 --------- C:\WINDOWS\system32\imagx5.dll
2007-07-22 02:32 507904 --------- C:\WINDOWS\system32\imagr5.dll
2007-07-22 02:32 35328 --------- C:\WINDOWS\system32\picn20.dll
2007-07-22 02:32 275312 --------- C:\WINDOWS\system32\ImagXpr5.dll
2007-07-22 02:32 106496 --------- C:\WINDOWS\system32\TwnLib20.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-10-27 01:32 C:\WINDOWS\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="" []
"SoundMan"="SOUNDMAN.EXE" [2002-09-10 22:57 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 05:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-17 01:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-26 15:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2001-10-02 16:23]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2007-02-05 05:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\sulimo.dat

R2 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\atintuxx.sys
R2 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\System32\DRIVERS\atinxsxx.sys
R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\System32\DRIVERS\CINEMSUP.SYS
R2 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\System32\DRIVERS\atinpdxx.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\System32\DRIVERS\atinraxx.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 13:27:50
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0





----- and this is the updated HijackThis log -----
Logfile of HijackThis v1.99.1
Scan saved at 1:40:45 PM, on 03/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



Thanks for your continued help Shaba! U rock. :cool:
 
Hi grateful26

This is the next step:

We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
 
I tried to download Service Pack 1 from the link, but received the following error message:

Service Pack 1 Setup Error - Setup has detected that the Service Pack version of the system installed is newer than the update you are applying to it. You can only install this update on Service Pack 1.

My operating system disks came with Service Pack 2, and maybe it's not showing as being up to date, but I'm sure it has Service Pack 2.

Now I'll try to download all the updates...
 
sorry ... I made a mistake ... pls completely disregard my post above. :oops:

okay, so I followed the SP 1a link and I get the "cannot find server" site, but every other site works! :eek:
I tried it both through Firefox and Int. Explorer.

It's weird ... is it possible that this is due to the virus/trojan thing?
 
I have a laptop, but it doesn't have a CD burner ... I don't know if this is being caused by the malware ... it likely that it is because I can access every other website BUT Microsoft's.

By the way, FYI, as of a couple of days ago, I can now access my Control Panel and all other Administrative functions, but AVG Anti-virus still finds the "non-threatening" file called "hosts", and I still cannot access the Microsoft website. I'm surprised that I was suddenly able to access my control panel and such so spontaneously. :eek:

So, I'm wondering ... is it possible to get rid of the malware first, so that I can download from Microsoft's website?

Thanks!
 
Hi

First thing is to install service pack 1.

Can you ask some friend to burn it for you to CD?
 
By the way, I'm also running Residentshield and every 3 seconds or so, it keeps telling me that my default browser is being requested to change to another and do I authorise this. I said "deny change" and set it to "don't ask me again", but I see that every couple of seconds there is a new entry in that application asking the same question, and it automatically denies it.
Weird huh??? What do u think?

Thanks!
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
Re-opened.

grateful26, please post a fresh HijackThis log and tell me if my link helped.
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
Thanks for re-opening!

Okay here is the HijackThis log; I wanted to mention that I clicked on 'Do a System Scan and Save a Logfile' and it almost immediately gave me the result. I found that a bit odd because there is usually a longer time taken to scan, but maybe this program is different ... I thought it was worth mentioning. Nonetheless, here it is:


Logfile of HijackThis v1.99.1
Scan saved at 10:39:51 AM, on 12/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\printer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\parentalcontrol\parentalcontrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
O2 - BHO: Burn4Free Toolbar Helper - {60BF5EE3-0105-4858-AD98-17C19F86B042} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {7AC00675-4BA7-4E21-8C47-1B5365B594BB} - c:\windows\system32\atippaxxd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - C:\Program Files\Burn4Free Toolbar\v3.3.0.0\Burn4Free_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sulimo.dat
O20 - Winlogon Notify: fzjetldg - C:\WINDOWS\SYSTEM32\atippaxxd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
 
Hi

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
 
Combofix report log

ComboFix 07-12-17.1 - Pooria&Maryam 2007-12-17 13:19:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.67 [GMT -5:00]
Running from: C:\Documents and Settings\Pooria&Maryam\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Pooria&Maryam\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\svhjdsah.exe
C:\WINDOWS\system32\atippaxxd.dll
C:\WINDOWS\system32\drivers\izgmngwg.dat
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\Tasks.\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_JOVOHQYR
-------\LEGACY_POOF
-------\LEGACY_QVNVESLE
-------\jovohqyr
-------\kprof
-------\poof
-------\qvnvesle


((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-06 23:04 . 2007-12-06 23:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-06 23:04 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-06 22:58 . 2007-12-06 22:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-18 14:26 . 2007-11-18 14:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-11-18 14:26 . 2007-11-18 14:26 <DIR> d-------- C:\WINDOWS\ehome
2007-11-18 14:17 . 2002-08-29 05:40 1,180,672 --a------ C:\WINDOWS\system32\d3d8.dll
2007-11-17 18:07 . 2007-11-17 18:07 229,732 --a------ C:\WINDOWS\Burn4Free_Toolbar_Uninstaller_8734.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 17:04 --------- d-----w C:\Documents and Settings\Pooria&Maryam\Application Data\AVG7
2007-12-12 15:39 5,104 ----a-w C:\Program Files\hijackthis.log
2007-11-18 00:53 --------- d-----w C:\Program Files\Burn4Free
2007-10-31 14:35 --------- d-----w C:\Program Files\parentalcontrol
2007-10-31 14:33 1,210,816 ----a-w C:\Program Files\parentalcontrolsetup.exe
2005-02-16 15:06 218,112 ----a-w C:\Program Files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2001-10-02 15:23]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2007-02-05 04:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2001-10-27 00:32 C:\WINDOWS\system32\atiptaxx.exe]
"HydarVisionDesktopManager"="" []
"SoundMan"="SOUNDMAN.EXE" [2002-09-10 21:57 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-01 04:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-26 14:03]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"parentalcontrol"="C:\Program Files\parentalcontrol\parentalcontrol.exe" [2006-08-31 09:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-05-14 04:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R2 CINEMSUP;Software Cinemaster NT4.0 Driver;C:\WINDOWS\System32\DRIVERS\CINEMSUP.SYS [2001-10-01 15:29]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2001-10-25 01:42]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 13:22:48
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 13:24:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-03 12:28
C:\ComboFix2.txt ... 2007-10-03 12:28

Thanks :bigthumb:
 
You must log in or register to reply here.
Back
Top