  1. #1
    Member (Join Date: Nov 2007, Posts: 8, Points: 0)

    Something's wrong and I don't know where to start.

    I don't have HijackThis, so I can't include a log (I don't really know anything about HijackThis either), but my PC has begun to lag badly constantly and my browser (Firefox) will just close randomly while I'm doing things. The only constant I have noticed is that it always closes when attempting to download any attachment on an email, whether it be picture, music, document or video. It was running fine until recently, and I didn't install anything when it started having problems. I did install MemTurbo to see if that would help, but it hasn't helped. What information do you need to figure out what I can do to fix it? If you just need a HijackThis log, can someone tell me where to get HijackThis? Thank you in advance for your time.

  2. #2
    Member (Join Date: Nov 2007, Posts: 8, Points: 0)

    Update with HijackThis report

    I found HijackThis, and so here is its report. I just don't know what to do next beyond trying to figure out how to remove the MyWebSearch, since that at least I recognize and know shouldn't be there.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:56:26 AM, on 11/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\taskswitch.exe
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    D:\TMD-Recruit.5.0\mirc.exe
    D:\Program Files\Trillian\trillian.exe
    D:\Program Files\DTaskManager\DTaskManager.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    D:\PROGRA~1\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: superiorads browser optimizer - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: dcads - {C7C90A5E-BE0A-44DD-83D2-1BE138460BAC} - C:\WINDOWS\system32\nsd67.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46.../bejeweled.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 8205 bytes

  3. #3
    Member (Join Date: Nov 2007, Posts: 8, Points: 0)

    HijackThis log after "fix this" button

    I selected the lines I recognized as things that shouldn't be there and hit the "fix this" button; here is the new HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:02:37 AM, on 11/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\taskswitch.exe
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    D:\TMD-Recruit.5.0\mirc.exe
    D:\Program Files\Trillian\trillian.exe
    D:\Program Files\DTaskManager\DTaskManager.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 6752 bytes

  4. #4
    Member (Join Date: Nov 2007, Posts: 2, Points: 0)

    This is my hijack log, can you please help me?

    ruchirpurwar:

    Please stay with your own topic.

    BG

  5. #5
    Member (Join Date: Dec 2002, Posts: 12,000, Points: 1191)

    migeode:

    Once you post a HJT log, you really need to wait on our advice.

    Please run the HJT program again. Click on:

    "Open the Misc tool section"

    Then click on "Back ups". Check all the files and then check on "Restore".

    The reason being, it is making us compare one log to the other and try to figure out what is different. Then post a new HJT log.

    BG
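
    Comparing one log to the other by eye, as BG describes, is tedious; the following Python script is an added example (not part of this thread, and not a HijackThis feature) that parses the entry lines of two HijackThis logs, reports which entries were removed or added between them, and lists entries HijackThis marked "(file missing)". The embedded sample logs are short excerpts of the logs posted in this thread; everything else (function names, the regex) is this example's own.

```python
"""Compare two HijackThis logs: what changed, and which entries point at missing files.

Added example, not from this thread or from HijackThis. The sample logs below
are short excerpts of the logs posted in the thread (posts #2, #3 and #6).
"""
import re
from typing import Dict, List, Set

# A HijackThis entry line is "<code> - <body>", where <code> is a section such as
# R3, O2, O4 or O23. Header lines and the "Running processes" block never match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(log: str) -> Dict[str, Set[str]]:
    """Map each section code to the set of entry bodies listed under it."""
    sections: Dict[str, Set[str]] = {}
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            sections.setdefault(m.group("code"), set()).add(m.group("body"))
    return sections


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Entries only in `before` ('removed') and only in `after` ('added'),
    rendered back as full log lines and sorted for stable output."""
    b, a = parse_hjt(before), parse_hjt(after)
    codes = set(b) | set(a)
    removed = sorted(f"{c} - {e}" for c in codes for e in b.get(c, set()) - a.get(c, set()))
    added = sorted(f"{c} - {e}" for c in codes for e in a.get(c, set()) - b.get(c, set()))
    return {"removed": removed, "added": added}


def orphaned_entries(log: str) -> List[str]:
    """Entries whose target HijackThis reports as '(file missing)': registry
    leftovers of a half-removed program, or a service whose binary is gone."""
    return sorted(f"{c} - {e}" for c, bodies in parse_hjt(log).items()
                  for e in bodies if e.endswith("(file missing)"))


# Excerpt of the post #2 log, before the user pressed "fix this".
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:26 AM, on 11/15/2007

Running processes:
C:\WINDOWS\System32\smss.exe
D:\PROGRA~1\Mozilla Firefox\firefox.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
O2 - BHO: superiorads browser optimizer - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O2 - BHO: dcads - {C7C90A5E-BE0A-44DD-83D2-1BE138460BAC} - C:\WINDOWS\system32\nsd67.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
"""

# Excerpt of the post #3 log, after "fix this" removed the recognised entries.
AFTER_LOG = r"""Scan saved at 7:02:37 AM, on 11/15/2007

O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
"""

# Excerpt of the post #6 log, after the HijackThis backups were restored.
RESTORED_LOG = r"""Scan saved at 7:00:21 PM, on 11/16/2007

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
O2 - BHO: superiorads browser optimizer - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
"""

if __name__ == "__main__":
    for label, (x, y) in {"fix this": (BEFORE_LOG, AFTER_LOG),
                          "restore": (AFTER_LOG, RESTORED_LOG)}.items():
        d = diff_hjt(x, y)
        print(f"[{label}] removed {len(d['removed'])}, added {len(d['added'])}")
        for line in d["removed"]:
            print("  -", line)
        for line in d["added"]:
            print("  +", line)
    print("entries pointing at missing files after restore:")
    for line in orphaned_entries(RESTORED_LOG):
        print("  ?", line)
```

    Run against two complete logs, the "removed"/"added" lists are exactly what a helper otherwise reconstructs by reading both logs side by side.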

  6. #6
    Member (Join Date: Nov 2007, Posts: 8, Points: 0)

    Fixed HJT log

    Sorry about that. I recognized a few items that didn't belong and so I just removed them. I put them back and here is the new log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:00:21 PM, on 11/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\taskswitch.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    D:\PROGRA~1\Grisoft\AVG7\avgwb.dat
    D:\TMD-Recruit.5.0\mirc.exe
    D:\Program Files\Trillian\trillian.exe
    D:\Program Files\DTaskManager\DTaskManager.exe
    D:\PROGRA~1\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
    O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: superiorads browser optimizer - {8E015787-B1E3-404a-95DE-3E71E1FA0305} - C:\WINDOWS\system32\spads.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: dcads - {C7C90A5E-BE0A-44DD-83D2-1BE138460BAC} - C:\WINDOWS\system32\nsd67.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 8472 bytes

  7. #7
    Member steamwiz (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)

    Hi

    Download Superantispyware.

    http://www.superantispyware.com/

    Once downloaded and installed, update the definitions
    and then run a full system scan; quarantine what it finds!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

    http://www.superantispyware.com/definitions.html

    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
        o Close browsers before scanning.
        o Scan for tracking cookies.
        o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
        o Click Preferences, then click the Statistics/Logs tab.
        o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
        o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.

    THEN ...

    Please download Combofix: http://download.bleepingcomputer.com...a/ComboFix.exe
    and save to the desktop.

    1. Double click on combo.exe & follow the prompts.
    2. When finished, it will produce a logfile located at C:\ComboFix.txt.
    3. Post the contents of that log in your next reply with a new hijackthis log.

    Notes:
    * Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
    * Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

    Please remember to post:

    1. SUPERAntiSpyware Scan Log
    2. C:\ComboFix.txt
    3. a new HijackThis log (run after everything else).

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP.

  8. #8
    Member (Join Date: Nov 2007, Posts: 8, Points: 0)

    combofix.exe ......

    I have run the spyware scan, but how long does the ComboFix take to run? It has been running for over a day straight now, so I was just wondering how long to expect it to take to finish. I have a 350 MHz system with 320 MB RAM and an 8 GB primary HDD and a 250 GB secondary HDD. How much longer should I let it run? (I do still see the cursor flashing around in the DOS window that ComboFix brought up, flashing back and forth up and down.)

  9. #9
    Member (Join Date: Dec 2002, Posts: 12,000, Points: 1191)

    Forget Combo for the time being.

    You say that the primary HD is only 8 Gig; can I assume that is where your operating system is installed? Unless you have about 1.6 gigs of free space, it is too full.

    What version of XP do you have, Home or Pro?

    Post the SuperAntiSpyware log and a new HJT log.

    BG

  10. #10
    Member (Join Date: Nov 2007, Posts: 8, Points: 0)

    Logs and system info

    Yes, I am running XP Pro, and yes, the 8 GB drive is where the OS is installed. I have 2.34 GB free on that drive; I install everything to the 250 GB drive for that very reason. Here are the HJT and SUPERAntiSpyware logs.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/18/2007 at 05:58 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3346
    Trace Rules Database Version: 1347

    Scan type : Complete Scan
    Total Scan Time : 17:14:31

    Memory items scanned : 581
    Memory threats detected : 0
    Registry items scanned : 6058
    Registry threats detected : 11
    File items scanned : 56412
    File threats detected : 130

    Adware.MyWebSearch
    HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
    HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
    HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
    HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
    HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
    HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
    C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
    HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
    HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
    HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
    HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
    HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
    C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\Geode\Cookies\geode@adlegend[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@realmedia[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@ads.pointroll[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@sales.liveperson[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@adopt.specificclick[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@statcounter[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@mediaplex[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@2o7[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@richmedia.yahoo[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@advertising[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@ehg-youtube.hitbox[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@casalemedia[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@atdmt[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@questionmarket[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@mywebsearch[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@pbteen[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@hitbox[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@fastclick[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@adrevolver[3].txt
    C:\Documents and Settings\Geode\Cookies\geode@doubleclick[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@atwola[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@revsci[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@trafficmp[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@perf.overture[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@ehg-vzw.hitbox[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@statse.webtrendslive[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@free.wegcash[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@ad.yieldmanager[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@adinterax[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@adopt.euroclick[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@ads.bridgetrack[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@adserver[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@overture[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@reunioncom.112.2o7[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@52168016[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@microsoftoffice.112.2o7[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@specificclick[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@server.iad.liveperson[2].txt
    C:\Documents and Settings\Geode\Cookies\geode@apmebf[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@adrevolver[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@bluestreak[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@zedo[1].txt
    C:\Documents and Settings\Geode\Cookies\geode@44153975[2].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@drivecleaner[2].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@go.drivecleaner[2].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@go.winantivirus[1].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@stats.drivecleaner[2].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@stats.privacyprotector[2].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@toplist[1].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@winantivirus[1].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@www.crackspider[1].txt
    C:\Documents and Settings\Amanda\Cookies\amanda@www.drivecleaner[1].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@ad.bannerconnect[2].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@adultadworld[1].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@drivecleaner[1].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@winantivirus[2].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@www.advertyz[1].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@www.drivecleaner[1].txt
    D:\Documents and Settings\Amanda\Cookies\amanda@www.erotixxx[1].txt

    Browser Hijacker.Favorites
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\ONLINE SECURITY GUIDE.URL
    C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\SECURITY TROUBLESHOOTING.URL
    C:\DOCUMENTS AND SETTINGS\AMANDA\FAVORITES\ONLINE SECURITY TEST.URL

    Trojan.Downloader-AUPD
    C:\DOCUMENTS AND SETTINGS\GEODE\LOCAL SETTINGS\TEMP\AUPD.EXE

    Trojan.Downloader-Gen/FotoMoto
    D:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071116-191813-811.DLL

    Adware.Vundo Variant
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{40B4A6FF-FFB7-421E-BE13-4A3EBB0F5C5C}\RP14\A0002881.DLL
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{40B4A6FF-FFB7-421E-BE13-4A3EBB0F5C5C}\RP14\A0002882.DLL

    Trojan.Downloader-Gen/Blah
    D:\SYSTEM VOLUME INFORMATION\_RESTORE{40B4A6FF-FFB7-421E-BE13-4A3EBB0F5C5C}\RP14\A0002883.DLL

    Trace.Known Threat Sources
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\icon_update[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\protect[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\small-part-b[1].jpg
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\main_fill[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\ico1[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\small-part-c[1].jpg
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\top1[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\logo[3].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\style[2].css
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\menu_fill[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\side-left[1].jpg
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\menu_left[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\corner-left[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\ico2[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\CAZIYXFZ.js
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\footer[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\download[2].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\default[2].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\interface[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\table-4[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\menu_right[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\ie[1].css
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\main_features[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\how[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\10-30935822[1].htm
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\checksoft[1].js
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\button2[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\table-2[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\shield[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\V963FDXJ\button_buy_now[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\1GUZA5UP\wav_banner[1].swf
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\table-3[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\2007[1].htm
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\U34NBA19\top1_menu[1].gif
    C:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0FFR24GV\top_pic2[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\checksoft[1].js
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\C9NLBXB7\brd-top-3[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\part6[1].jpg
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\IJYHWDQD\top[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\brd-top-1[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\CA6NW7DA.gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\noflash[1].jpg
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\part4[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\sirena2[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\IJYHWDQD\bg1[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\IJYHWDQD\part7[1].jpg
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\bg3[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\IJYHWDQD\CAW90D07.js
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\spacer[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\IJYHWDQD\t2[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\C9NLBXB7\t4[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\C9NLBXB7\bg2[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\t5[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\C9NLBXB7\bg6[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\C9NLBXB7\t3[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\part3[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\part5[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\2007[1].htm
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\TUVEF15R\t1[1].gif
    D:\Documents and Settings\Amanda\Local Settings\Temporary Internet Files\Content.IE5\0P0F4H25\boton2[1].gif


    and HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:48:00 PM, on 11/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\taskswitch.exe
    D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    D:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    D:\TMD-Recruit.5.0\mirc.exe
    D:\Program Files\DTaskManager\DTaskManager.exe
    D:\PROGRA~1\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {538F9C24-774A-491F-8201-50BD14F1A927} - C:\WINDOWS\system32\D2HTLS3.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{30CBD034-89CA-4B69-92EB-7825D5C499D4}: NameServer = 4.2.2.2,4.2.2.3
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Unknown owner - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 7955 bytes

    The only problem I'm still having is AVG detecting a trojan in c:\windows\system32\d2htls3.dll every time it boots up; it says it heals and must reboot to complete the removal, but on reboot it re-detects it every time. If you need me to reboot again to get the exact name of the trojan or make sure of the filename it infests, just let me know. Thank you again for your time and effort.
