Author Topic: can someone look over my hijack this log for anything bad?  (Read 13574 times)


ltdanman44

can someone look over my hijack this log for anything bad?
« on: January 02, 2008, 06:53:56 AM »
THANKS ANY WHO CAN HELP!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:17 AM, on 02/01/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Dan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqo.exe
O1 - Hosts: 87.106.166.63 www.winmx.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask        .exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/apps/dci/source/bin/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113352044749
O16 - DPF: {821C0E13-32A6-4D85-A62C-C85338C03299} - http://download2.nba.com/Cabs/NBA_1_0_0_2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://download2.nba.com/Cabs/Entriq_3_6_0_15_Silent.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5775 bytes

ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #1 on: January 02, 2008, 06:58:56 AM »
SUPERANTISPYWARE SAYS I HAVE TROJAN.WINFIXER

Every time I tell it to remove it and reboot, it comes back. Help!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: can someone look over my hijack this log for anything bad?
« Reply #2 on: January 02, 2008, 09:47:15 AM »

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: can someone look over my hijack this log for anything bad?
« Reply #3 on: January 02, 2008, 11:55:15 AM »
Suggest installing/using a firewall. Windows firewall is better than none!
Comodo
Comodo ™ Free Firewall Software Download
ZoneAlarm
Download ZoneAlarm Free 7.0.462.0 from filehippo.com
 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: can someone look over my hijack this log for anything bad?
« Reply #4 on: January 02, 2008, 12:10:06 PM »
Besides what has already been suggested, why don't you try the following?

1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: can someone look over my hijack this log for anything bad?
« Reply #5 on: January 02, 2008, 02:30:47 PM »
Hi ltdanman44,

This should be fixed: O1 - Hosts: 87.106.166.63 www.winmx.com

Fire up HJT, tag it and click enter

But you also should run vundoFix against winfixer:
VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool, follow the instructions below.

Please download VundoFix.exe to your desktop from: http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After that post the text file and a new HJT log here,

polonus

ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #6 on: January 04, 2008, 11:54:35 PM »
Tried all the above. All the programs/processes mentioned above successfully find the program; however, upon reboot it is still on my system. I'm at my wits' end here, thinking about wiping Windows with a fresh install. My system performance is falling off. My hard drive is constantly churning even with all programs shut down. lsass.exe in Processes is taking up most of my CPU time. Help!



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: can someone look over my hijack this log for anything bad?
« Reply #7 on: January 05, 2008, 12:04:12 AM »
No reformat yet

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #8 on: January 06, 2008, 02:34:04 AM »
COMBOFIX DID IT!!!!!!!!! OMG!!!!!!!!!!1 THANK YOU SO VERY MUCH!!!!!!!!!!!!!!!!!! IM SO HAPPY!!!!!!!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: can someone look over my hijack this log for anything bad?
« Reply #9 on: January 06, 2008, 09:46:27 AM »
It probably got some/most, but there is probably more left. You should do as essexboy asks and post the 2 logs he asked for. This way the remnants can be removed.

ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #10 on: January 06, 2008, 10:04:15 AM »
OK, here are the results of those 2 files you asked for... but everything seems OK. Let me know if I have to worry some more.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:56, on 2008-01-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask                .exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/apps/dci/source/bin/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113352044749
O16 - DPF: {821C0E13-32A6-4D85-A62C-C85338C03299} - http://download2.nba.com/Cabs/NBA_1_0_0_2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://download2.nba.com/Cabs/Entriq_3_6_0_15_Silent.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5120 bytes


ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #11 on: January 06, 2008, 10:05:22 AM »
ComboFix 08-01-04.1 - Dan 2008-01-06  3:57:00.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.609 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QdrDrive
C:\Program Files\QuickTime\qttask                .exe
C:\Program Files\QuickTime\qttask               .exe
C:\Program Files\QuickTime\qttask              .exe
C:\Program Files\QuickTime\qttask             .exe
C:\Program Files\QuickTime\qttask            .exe
C:\Program Files\QuickTime\qttask           .exe
C:\Program Files\QuickTime\qttask          .exe
C:\Program Files\QuickTime\qttask         .exe
C:\Program Files\QuickTime\qttask        .exe
C:\Program Files\QuickTime\qttask       .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqo.exe

"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe" moved to QooBox
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe" replaces infected copy of "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" moved to QooBox
"C:\Program Files\Messenger\msmsgs .exe" moved to QooBox
"C:\Program Files\QuickTime\qttask      .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask     .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask    .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask   .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask  .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe" replaces infected copy of "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe" moved to QooBox
.
.
(((((((((((((((((((((((((   Files Created from 2007-12-06 to 2008-01-06  )))))))))))))))))))))))))))))))
.

2008-01-06 03:25 . 2007-12-04 08:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-06 03:25 . 2004-01-09 04:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-06 03:25 . 2007-12-04 07:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-06 03:25 . 2007-12-04 09:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 03:25 . 2007-12-04 09:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 03:25 . 2007-12-04 09:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 03:25 . 2007-12-04 09:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 03:25 . 2007-12-04 09:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-05 20:10 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-05 19:05 . 2008-01-05 19:05   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-03 19:30 . 2008-01-03 19:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-03 19:22 . 2007-09-05 23:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-01-03 19:22 . 2006-04-27 16:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-01-03 19:22 . 2007-12-20 23:11   81,920   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-01-03 19:22 . 2003-06-05 20:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-01-03 19:22 . 2004-07-31 17:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-01-03 19:22 . 2007-10-03 23:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-01-03 19:22 . 2008-01-03 19:24   2,654   --a------   C:\WINDOWS\system32\tmp.reg
2008-01-03 19:20 . 2008-01-06 03:19   <DIR>   d--------   C:\Program Files\RogueRemover FREE
2008-01-03 17:43 . 2008-01-03 19:28   1,038,424   --ahs----   C:\WINDOWS\system32\wqupvamw.ini
2008-01-03 17:39 . 2008-01-03 17:39   1,038,364   --ahs----   C:\WINDOWS\system32\kywfdvxy.ini
2008-01-02 16:22 . 2008-01-06 03:52   <DIR>   d--------   C:\VundoFix Backups
2008-01-02 01:35 . 2008-01-02 01:35   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-01 17:21 . 2008-01-01 20:19   <DIR>   d--------   C:\Documents and Settings\Dan\.housecall6.6
2008-01-01 15:11 . 2008-01-05 20:19   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-01 14:58 . 2008-01-01 14:58   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-31 07:04 . 2007-12-31 15:32   1,031,259   --ahs----   C:\WINDOWS\system32\xjsrmhgo.ini
2007-12-31 06:56 . 2007-12-31 06:56   1,031,139   --ahs----   C:\WINDOWS\system32\rhctrvsr.ini
2007-12-30 07:56 . 2008-01-06 03:33   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-12-30 07:56 . 2008-01-03 20:16   <DIR>   d--------   C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2007-12-30 07:56 . 2007-12-30 07:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-30 07:15 . 2007-12-30 07:15   <DIR>   d--------   C:\Documents and Settings\Dan\Application Data\AdwareAlert
2007-12-30 07:11 . 2007-12-30 07:11   0   --ahs----   C:\Documents and Settings\Dan\Application Data\a455753f42bd9f9b59cd549609fa5bdde966ef01.dat
2007-12-30 07:04 . 2005-09-23 08:29   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2007-12-18 16:34 . 2007-12-18 16:34   <DIR>   d--------   C:\Documents and Settings\Dan\Application Data\vlc
2007-12-10 16:02 . 2007-12-10 16:02   0   --a------   C:\WINDOWS\oodcnt.INI
2007-12-10 00:51 . 2007-12-15 11:50   <DIR>   d--------   C:\WINDOWS\system32\oodag
2007-12-09 17:58 . 2007-12-09 18:02   <DIR>   d--------   C:\Program Files\Common Files\Blizzard Entertainment


ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #12 on: January 06, 2008, 10:05:47 AM »
Rest of ComboFix... wouldn't fit in the above post.




((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 01:23   ---------   d-----w   C:\Program Files\QuickTime
2008-01-06 01:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 02:36   22,328   ----a-w   C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 02:34   107,832   ----a-w   C:\WINDOWS\system32\PnkBstrB.exe
2008-01-02 00:38   ---------   d-----w   C:\Program Files\UOAM
2008-01-01 20:13   ---------   d-----w   C:\Program Files\Google
2007-12-30 20:03   ---------   d-----w   C:\Program Files\Kontiki
2007-12-30 12:00   ---------   d-----w   C:\Program Files\Invoice by Click
2007-12-23 10:08   ---------   d-----w   C:\Documents and Settings\Dan\Application Data\MailWasherPro
2007-12-18 02:23   ---------   d-----w   C:\Documents and Settings\Dan\Application Data\SopCast
2007-12-15 16:27   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-12-09 01:03   ---------   d-----w   C:\Program Files\Razor
2007-12-03 23:18   ---------   d-----w   C:\Program Files\SopCast
2007-11-10 03:01   ---------   d-----w   C:\Program Files\EmpirePokerMaster
2003-12-31 23:56   271   --sh--w   C:\Program Files\desktop.ini
2003-12-31 23:56   23,357   ---ha-w   C:\Program Files\folder.htt
.
----a-w           132,496 2008-01-04 00:27:59  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           131,072 2008-01-04 00:27:56  C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2007-04-19 12:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-05 18:59 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask                .exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-10 23:00:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 05:22]
S2 KYAKCCND;KYAKCCND;C:\WINDOWS\system32\kyakccnd.ncq []
S3 adxapie;adxapie;C:\DOCUME~1\Dan\LOCALS~1\Temp\adxapie.sys []
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys []

*Newly Created Service* - ASWUPDSV
*Newly Created Service* - AVAST!_MAIL_SCANNER
*Newly Created Service* - AVAST!_WEB_SCANNER
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 08:00:02 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 04:00:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06  4:01:42
ComboFix-quarantined-files.txt  2008-01-06 09:01:21

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: can someone look over my hijack this log for anything bad?
« Reply #13 on: January 06, 2008, 10:18:17 AM »
Yes, there is a bit more to do. Do not reboot your computer or open any new programs. In the fix that will follow, ComboFix may ask for a reboot; that's OK, let it. Be back soon.

ltdanman44

Re: can someone look over my hijack this log for anything bad?
« Reply #14 on: January 06, 2008, 10:21:38 AM »
What? I don't understand.