ComputerForum.com (Computer Software > Computer Security)

Thread: Hijacklog

#1, 08-04-2008, 09:33 AM, koolkid12349 (Bronze Member, Join Date: Oct 2007, Posts: 95)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:31, on 2008-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/remote
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5625 bytes

Well, not sure what happened here. AVG 8 is telling me something about a trojan horse, backdoor.vb.arm; not sure what's been happening.
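A worked example, added here and not part of the thread or of HijackThis, of how a helper reading a log like the one above might triage it: it parses the O2/O4/O20/O23 lines into records and flags the persistence entries that deserve a manual look. The sample lines are a constructed subset of the posted log plus two made-up entries ('Updater' and the 'Helper' service) that exercise the rules; TRUSTED_DIRS and KNOWN_VENDORS are illustrative assumptions, not an authoritative list.

```python
"""Parse HijackThis v2 log lines and triage the persistence entries:
O2 (BHOs), O4 (Run keys), O20 (AppInit_DLLs / Winlogon Notify) and
O23 (services).

Added example, not the forum's or HijackThis's own code. SAMPLE_LOG is a
constructed subset of the posted log plus two made-up entries ('Updater'
and the 'Helper' service); TRUSTED_DIRS and KNOWN_VENDORS are assumptions
chosen for illustration, not a vendor-maintained list.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\Owner\Application Data\updater.exe" /quiet
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Helper - Unknown owner - C:\WINDOWS\system32\helper.exe
"""

# Illustrative assumptions: where autostarts are expected to live, and vendors we accept.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
KNOWN_VENDORS = {"AVG Technologies CZ, s.r.o.", "Apple Inc.", "Apple, Inc.", "HP"}


@dataclass
class Entry:
    section: str   # O2, O4, O20, O23
    name: str      # BHO name, Run value name, DLL/notify name, service display name
    path: str      # command line or file path as printed
    extra: str     # CLSID, registry hive, O20 kind, or service vendor


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")
# First token ending in an executable extension, quoted or not; arguments dropped.
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|dll|sys|lnk))"?(?:\s|$)', re.I)


def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "O2" and body.startswith("BHO: "):
            name, clsid, path = body[5:].split(" - ", 2)
            entries.append(Entry(sec, name, path, clsid))
        elif sec == "O4":
            m4 = RUN_RE.match(body)
            if m4:
                hive, name, cmd = m4.groups()
                entries.append(Entry(sec, name, cmd, hive))
            else:  # e.g. 'Global Startup: x.lnk = path'
                entries.append(Entry(sec, body, body, ""))
        elif sec == "O20":
            kind, _, rest = body.partition(": ")
            name, _, path = rest.partition(" - ")
            entries.append(Entry(sec, name, path or name, kind))
        elif sec == "O23" and body.startswith("Service: "):
            display, vendor, path = body[9:].split(" - ", 2)
            entries.append(Entry(sec, display, path, vendor))
    return entries


def exe_path(cmd):
    """Strip quotes and arguments from a Run value: '"C:\\x\\y.exe" -q' -> 'C:\\x\\y.exe'."""
    m = PATH_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def triage(entries):
    findings = []
    for e in entries:
        path = exe_path(e.path).lower()
        if e.section == "O20":
            # AppInit_DLLs loads into every process that loads user32.dll;
            # Winlogon Notify DLLs load into winlogon.exe. Always eyeball them.
            findings.append((e, "code loaded into every process / winlogon; review"))
        elif e.section == "O23" and e.extra == "Unknown owner":
            findings.append((e, "service with no vendor string"))
        elif e.section == "O23" and e.extra not in KNOWN_VENDORS:
            findings.append((e, "service vendor not on allowlist"))
        elif "\\" in path and not path.startswith(TRUSTED_DIRS):
            findings.append((e, "autostart outside Windows / Program Files"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section:4} {entry.name:28} {why}")
```

Everything in O20 is flagged unconditionally because AppInit_DLLs and Winlogon Notify entries load code into other processes; the O4 and O23 rules are allowlist checks, so a bad file dropped inside Program Files would pass them. Treat the output as a reading aid for the log, not a verdict.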

#2, 08-04-2008, 09:51 AM, koolkid12349 (Bronze Member)

ComboFix 08-08-03.03 - Owner 2008-08-04 3:44:11.28 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.659 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\VMD23ZLN\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\VMD23ZLN\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-02 00:46 . 2008-08-02 00:46 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-26 20:41 . 2008-07-26 20:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-07-26 19:12 . 2008-07-26 19:12 <DIR> d-------- C:\Program Files\Viewpoint
2008-07-26 19:12 . 2008-07-26 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-07-26 19:10 . 2008-07-26 19:12 <DIR> d-------- C:\Program Files\AIM6
2008-07-26 14:25 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-26 14:25 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-26 14:25 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-26 14:25 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-21 03:36 . 2008-07-21 03:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM
2008-07-21 03:36 . 2008-07-21 03:36 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-21 03:31 . 2008-08-01 04:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Skype
2008-07-21 03:29 . 2008-07-21 03:29 <DIR> d-------- C:\Program Files\Skype
2008-07-21 03:29 . 2008-07-21 03:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-07-21 03:29 . 2008-07-21 03:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-07-20 01:24 . 2008-07-20 01:24 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-19 20:28 . 2008-07-19 20:28 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-19 02:25 . 2008-07-19 02:25 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys
2008-07-17 21:03 . 2008-07-17 21:03 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys
2008-07-17 13:21 . 2008-07-17 13:21 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys
2008-07-16 19:03 . 2008-07-16 19:03 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(8).sys
2008-07-16 15:20 . 2008-07-20 01:34 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2008-07-16 15:20 . 2008-07-16 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GTek
2008-07-16 12:19 . 2008-07-16 12:19 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(9).sys
2008-07-16 03:31 . 2008-07-16 03:31 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(10).sys
2008-07-15 12:36 . 2008-07-15 12:36 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(11).sys
2008-07-14 17:09 . 2008-07-14 17:09 434,819 --a------ C:\picture157.jpg
2008-07-14 12:20 . 2008-07-14 12:20 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(12).sys
2008-07-14 00:48 . 2008-07-14 00:48 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(13).sys
2008-07-13 22:19 . 2008-07-13 22:19 268 --ah----- C:\sqmdata19.sqm
2008-07-13 22:19 . 2008-07-13 22:19 244 --ah----- C:\sqmnoopt19.sqm
2008-07-13 18:30 . 2008-07-13 18:30 269,035 --a------ C:\picture156.jpg
2008-07-13 12:36 . 2008-07-13 12:36 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2008-07-13 03:09 . 2008-07-13 03:09 <DIR> d-------- C:\Nexon
2008-07-13 02:56 . 2008-07-13 02:56 268 --ah----- C:\sqmdata18.sqm
2008-07-13 02:56 . 2008-07-13 02:56 244 --ah----- C:\sqmnoopt18.sqm
2008-07-12 20:53 . 2008-07-12 20:53 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-12 20:49 . 2008-07-12 20:49 268 --ah----- C:\sqmdata17.sqm
2008-07-12 20:49 . 2008-07-12 20:49 244 --ah----- C:\sqmnoopt17.sqm
2008-07-12 20:41 . 2008-07-12 20:41 268 --ah----- C:\sqmdata16.sqm
2008-07-12 20:41 . 2008-07-12 20:41 244 --ah----- C:\sqmnoopt16.sqm
2008-07-12 13:55 . 2008-07-12 13:55 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys
2008-07-12 01:41 . 2008-07-12 01:41 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys
2008-07-12 01:37 . 2008-07-12 01:37 268 --ah----- C:\sqmdata15.sqm
2008-07-12 01:37 . 2008-07-12 01:37 244 --ah----- C:\sqmnoopt15.sqm
2008-07-11 23:57 . 2008-07-11 23:57 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys
2008-07-11 23:54 . 2008-07-23 19:56 268 --ah----- C:\sqmdata14.sqm
2008-07-11 23:54 . 2008-07-23 19:56 244 --ah----- C:\sqmnoopt14.sqm
2008-07-11 00:55 . 2008-07-20 13:28 268 --ah----- C:\sqmdata13.sqm
2008-07-11 00:55 . 2008-07-20 13:28 244 --ah----- C:\sqmnoopt13.sqm
2008-07-10 01:56 . 2008-07-10 01:56 70,177 --a------ C:\watermellons.jpg
2008-07-09 16:25 . 2008-07-20 01:55 268 --ah----- C:\sqmdata12.sqm
2008-07-09 16:25 . 2008-07-20 01:55 244 --ah----- C:\sqmnoopt12.sqm
2008-07-09 16:13 . 2008-07-20 01:05 268 --ah----- C:\sqmdata11.sqm
2008-07-09 16:13 . 2008-07-20 01:05 244 --ah----- C:\sqmnoopt11.sqm
2008-07-09 13:55 . 2008-07-20 00:59 268 --ah----- C:\sqmdata10.sqm
2008-07-09 13:55 . 2008-07-20 00:59 244 --ah----- C:\sqmnoopt10.sqm
2008-07-09 13:43 . 2008-07-09 13:43 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-09 13:43 . 2008-07-09 13:43 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-09 13:14 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\005344_.tmp
2008-07-08 02:11 . 2008-07-20 00:53 268 --ah----- C:\sqmdata09.sqm
2008-07-08 02:11 . 2008-07-20 00:53 244 --ah----- C:\sqmnoopt09.sqm
2008-07-07 23:36 . 2008-07-07 23:36 301,986 --a------ C:\ninja.jpg
2008-07-07 22:19 . 2008-07-07 23:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2008-07-07 22:18 . 2008-07-07 22:19 <DIR> d-------- C:\Program Files\Hamachi
2008-07-07 22:18 . 2008-07-07 22:18 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-07 16:51 . 2008-07-08 13:05 <DIR> d-------- C:\Program Files\Jnes 0.6
2008-07-07 11:54 . 2008-07-07 11:54 318,998 --a------ C:\picture155.jpg
2008-07-05 13:53 . 2008-07-20 00:19 268 --ah----- C:\sqmdata08.sqm
2008-07-05 13:53 . 2008-07-20 00:19 244 --ah----- C:\sqmnoopt08.sqm
2008-07-05 00:21 . 2008-07-19 23:45 268 --ah----- C:\sqmdata07.sqm
2008-07-05 00:21 . 2008-07-19 23:45 244 --ah----- C:\sqmnoopt07.sqm
2008-07-04 23:26 . 2008-07-19 21:21 268 --ah----- C:\sqmdata06.sqm
2008-07-04 23:26 . 2008-07-19 21:21 244 --ah----- C:\sqmnoopt06.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 07:31 --------- d-----w C:\Program Files\mIRC
2008-08-04 03:30 23 ----a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
2008-07-29 18:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\teamspeak2
2008-07-26 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-26 23:11 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-16 19:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\GTek
2008-07-13 00:52 --------- d-----w C:\Program Files\MSN Messenger
2008-07-04 16:55 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 16:50 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 16:50 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-06-30 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-30 01:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-30 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 06:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\scar5
2008-06-20 06:42 --------- d-----w C:\Program Files\scar5
2008-06-20 06:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\scar5
2008-06-19 16:02 --------- d-----w C:\Program Files\AVG
2008-06-19 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 01:02 --------- d-----w C:\Documents and Settings\Nick\Application Data\teamspeak2
2008-05-08 03:23 36 ----a-w C:\New Text Document.bat
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-09-03 23:03 1,217,264 ----a-w C:\Program Files\Win32OpenSSL_Light-0_9_8e.exe
2007-08-13 23:16 1,008,360 ----a-w C:\Program Files\MzBot no patcher.rar
2007-08-11 03:21 27,728 ----a-w C:\Program Files\file1.jpg
2007-08-09 15:26 664,572,433 ----a-w C:\Program Files\MSSetup.exe
2007-08-01 21:22 5,914,648 ----a-w C:\Program Files\SUPERAntiSpyware.exe
2007-08-01 20:28 212,849 ----a-w C:\Program Files\scanner.exe.zip
2007-08-01 07:45 921,654 ----a-w C:\Program Files\file.BMP
2007-08-01 07:44 28,272 ----a-w C:\Program Files\file.bin
2007-07-31 19:56 50,375 ----a-w C:\Program Files\SAtrainerFinalv3.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-01-13 13:53 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-04 12:56 1232152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 12:50]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-04 12:52]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 12:50]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 12:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
S3 MzBot;MzBot;C:\MzBot.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31eb884b-c43b-11dc-9a32-000874c39918}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\haf3bgo8.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 03:46:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 3:48:28
ComboFix-quarantined-files.txt 2008-08-04 07:48:23
ComboFix2.txt 2008-07-20 05:15:50
ComboFix3.txt 2008-07-13 07:23:12
ComboFix4.txt 2008-06-29 17:22:58
ComboFix5.txt 2008-08-04 07:43:23

Pre-Run: 35,293,593,600 bytes free
Post-Run: 35,335,512,064 bytes free

205 --- E O F --- 2008-07-23 23:59:31
There's the ComboFix.

HJT was performed before ComboFix.
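An added example (not the forum's or ComboFix's code) that reads the two sections of the ComboFix log above most worth scanning, 'Files Created' and 'Reg Loading Points', and lists what a helper would check first: service entries whose binary prints with an empty '[]' timestamp (the S3 MzBot line above), zero-byte files that repeat under numbered names (the dump_wmimmc(N).sys series), and hidden files in the drive root (the sqmdata/sqmnoopt pairs). SAMPLE is a constructed subset of the posted log; treating an empty bracket as 'binary not found' is this example's triage rule, not a ComboFix definition.

```python
"""Parse the 'Files Created' and 'Reg Loading Points' sections of a ComboFix
log and pull out the items worth a second look: services whose binary has no
timestamp, zero-byte files grouped by name, and hidden files in a drive root.

Added example; not the forum's or ComboFix's code. SAMPLE is a constructed
subset of the posted log. Treating an empty '[]' after a service path as
'binary not found' is this example's triage rule, not a ComboFix definition.
"""
import ntpath
import re
from collections import Counter

SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-07-19 02:25 . 2008-07-19 02:25 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys
2008-07-13 12:36 . 2008-07-13 12:36 0 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2008-07-13 22:19 . 2008-07-13 22:19 268 --ah----- C:\sqmdata19.sqm
2008-07-07 22:18 . 2008-07-07 22:18 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-07-26 19:12 . 2008-07-26 19:12 <DIR> d-------- C:\Program Files\Viewpoint

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 12:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 12:50]
S3 MzBot;MzBot;C:\MzBot.sys []
"""

# <created> . <modified> <size or <DIR>> <attrs> <path>
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (<DIR>|[\d,]+) (\S{9}) (.+)$")
# <start type> <service name>;<display name>;<binary path> [<file timestamp>]
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")


def parse_files(text):
    files = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        files.append({
            "created": created, "modified": modified,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs, "path": path,
        })
    return files


def parse_services(text):
    services = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            start, name, display, path, stamp = m.groups()
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "stamp": stamp})
    return services


def missing_binaries(services):
    """Service entries whose binary ComboFix printed without a timestamp."""
    return [s["name"] for s in services if not s["stamp"]]


def zero_byte_groups(files):
    """Count zero-byte files by name with any '(N)' copy suffix stripped, so
    dump_wmimmc(5).sys and dump_wmimmc.sys land in the same bucket."""
    names = (re.sub(r"\(\d+\)(?=\.\w+$)", "", ntpath.basename(f["path"]))
             for f in files if f["size"] == 0)
    return dict(Counter(names))


def hidden_root_files(files):
    """Files with the hidden attribute that live directly in a drive root."""
    return [f["path"] for f in files
            if f["size"] is not None and "h" in f["attrs"]
            and re.fullmatch(r"[A-Za-z]:\\", ntpath.dirname(f["path"]))]


if __name__ == "__main__":
    files, services = parse_files(SAMPLE), parse_services(SAMPLE)
    print("services without a stamped binary:", missing_binaries(services))
    print("zero-byte files by name:", zero_byte_groups(files))
    print("hidden files in drive root:", hidden_root_files(files))
```

ntpath is used deliberately so the Windows paths split correctly even when the script is run on a non-Windows analysis box.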

#3, 08-04-2008, 10:06 AM, cohen (Diamond Member, Melbourne, Australia, Join Date: Jan 2008, Posts: 8,361)

1. Please remove Viewpoint Manager: Control Panel > Add/Remove Programs > Remove Viewpoint Manager, and reboot.

2. Can you please follow #1 and post a fresh HijackThis log?

3. What problems are you having?

Thank you.

#4, 08-04-2008, 10:31 PM, koolkid12349 (Bronze Member)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29, on 2008-08-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/remote
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 5323 bytes


And the problem is I've been having some odd AVG pop-ups mentioning trojan backdoors and such; I just wanted to check everything and be on the safe side.

#5, 08-04-2008, 10:33 PM, koolkid12349 (Bronze Member)

Oh, and a few pop-ups about things trying to run as svchost.exe.

#6, 08-04-2008, 10:41 PM, cohen (Diamond Member)

OK,

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

#7, 08-05-2008, 04:11 AM, koolkid12349 (Bronze Member)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 16:07:43
Records in database: 1053458
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 45993
Threat name: 3
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 01:15:07


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.46_11.27.05_swiftswitch(update).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.47_00.52.17_swiftswitch(update).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.47_14.08.24_swiftswitch(update).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.48_15.12.58_swiftswitch(update).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\WINDOWS\system32\IEDFix.exe Infected: Hoax.Win32.Renos.vawl 1

The selected area was scanned.
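An added example, not the forum's or Kaspersky's code, that parses the report format above and separates detections Kaspersky labels 'not-a-virus:' (its prefix for legitimate but potentially unwanted software such as adware and IRC clients) from the remaining detection, then checks that the rows parsed add up to the declared 'Infected objects' count so that a truncated paste is noticed. SAMPLE is a constructed subset of the posted report; SAMPLE_TRUNCATED deliberately declares a higher count to show the completeness check.

```python
"""Parse a Kaspersky Online Scanner 7 report and split the detections into
malware versus 'not-a-virus:' riskware, then verify the report is complete.

Added example; not the forum's or Kaspersky's code. SAMPLE is a constructed
subset of the posted report; SAMPLE_TRUNCATED has a deliberately wrong
declared count to exercise the completeness check.
"""
import re
from collections import defaultdict

SAMPLE = r"""
Scan statistics:
Files scanned: 45993
Threat name: 3
Infected objects: 4
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.46_11.27.05_swiftswitch(update).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\Documents and Settings\All Users\Application Data\SwiftSwitch\2.47_00.52.17_swiftswitch(update).exe Infected: not-a-virus:AdWare.Win32.EShoper.bg 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\WINDOWS\system32\IEDFix.exe Infected: Hoax.Win32.Renos.vawl 1

The selected area was scanned.
"""
SAMPLE_TRUNCATED = SAMPLE.replace("Infected objects: 4", "Infected objects: 7")

# <path with spaces> Infected: <threat name> <count>
DETECTION_RE = re.compile(r"^(.+?)\s+Infected:\s+(\S+)\s+(\d+)$")
DECLARED_RE = re.compile(r"^Infected objects:\s+(\d+)$")


def parse_report(text):
    """Return the declared infected-object count and one dict per detection row."""
    declared, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        d = DECLARED_RE.match(line)
        if d:
            declared = int(d.group(1))
            continue
        m = DETECTION_RE.match(line)
        if m:
            path, threat, count = m.groups()
            rows.append({"path": path, "threat": threat, "count": int(count)})
    return {"declared": declared, "rows": rows}


def triage(report):
    """Split rows into malware and riskware (by Kaspersky category) and flag
    a report whose rows do not add up to the declared count."""
    malware, riskware = [], defaultdict(list)
    for row in report["rows"]:
        threat = row["threat"]
        if threat.startswith("not-a-virus:"):
            # Category is the token before the platform: AdWare, Client-IRC, ...
            category = threat.split(":", 1)[1].split(".", 1)[0]
            riskware[category].append(row["path"])
        else:
            malware.append(row["path"])
    found = sum(r["count"] for r in report["rows"])
    return {"malware": malware, "riskware": dict(riskware),
            "complete": report["declared"] == found}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE))
    print("malware:", result["malware"])
    for category, paths in result["riskware"].items():
        print(f"riskware/{category}:", paths)
    print("report complete:", result["complete"])
```

The riskware bucket is what to discuss with the user rather than delete blindly: an IRC client or an installer bundled with adware may be something they installed on purpose, whereas anything in the malware list is a straightforward removal.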

#8, 08-05-2008, 01:45 PM, GameMaster (Diamond Member, Croatia, Join Date: Dec 2007, Posts: 3,972)

Hello! This is badly infected, but I'm sure your computer should feel better after this fix.

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.
  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:
Files to delete:
C:\WINDOWS\imsins.BAK
C:\sqmdata19.sqm
C:\sqmnoopt19.sqm
C:\sqmdata18.sqm
C:\sqmnoopt18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt17.sqm
C:\sqmdata16.sqm
C:\sqmnoopt16.sqm
C:\sqmdata15.sqm
C:\sqmnoopt15.sqm
C:\sqmdata14.sqm
C:\sqmnoopt14.sqm
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
C:\sqmdata11.sqm
C:\sqmnoopt11.sqm
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\WINDOWS\005344_.tmp
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\WINDOWS\system32\IEDFix.exe

Drivers to unload:
dump_wmimmc(5).sys
dump_wmimmc(6).sys
dump_wmimmc(7).sys
dump_wmimmc(8).sys
dump_wmimmc(9).sys
dump_wmimmc(10).sys
dump_wmimmc(11).sys
dump_wmimmc(12).sys
dump_wmimmc(13).sys
dump_wmimmc.sys
dump_wmimmc(2).sys
dump_wmimmc(3).sys
dump_wmimmc(4).sys

Folders to delete:
C:\WINDOWS\l2schemas
C:\WINDOWS\system32\CatRoot_bak
C:\Program Files\Viewpoint
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

#9, 08-05-2008, 08:28 PM, koolkid12349 (Bronze Member)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\imsins.BAK" deleted successfully.
File "C:\sqmdata19.sqm" deleted successfully.
File "C:\sqmnoopt19.sqm" deleted successfully.
File "C:\sqmdata18.sqm" deleted successfully.
File "C:\sqmnoopt18.sqm" deleted successfully.
File "C:\sqmdata17.sqm" deleted successfully.
File "C:\sqmnoopt17.sqm" deleted successfully.
File "C:\sqmdata16.sqm" deleted successfully.
File "C:\sqmnoopt16.sqm" deleted successfully.
File "C:\sqmdata15.sqm" deleted successfully.
File "C:\sqmnoopt15.sqm" deleted successfully.
File "C:\sqmdata14.sqm" deleted successfully.
File "C:\sqmnoopt14.sqm" deleted successfully.
File "C:\sqmdata13.sqm" deleted successfully.
File "C:\sqmnoopt13.sqm" deleted successfully.
File "C:\sqmdata12.sqm" deleted successfully.
File "C:\sqmnoopt12.sqm" deleted successfully.
File "C:\sqmdata11.sqm" deleted successfully.
File "C:\sqmnoopt11.sqm" deleted successfully.
File "C:\sqmdata10.sqm" deleted successfully.
File "C:\sqmnoopt10.sqm" deleted successfully.
File "C:\sqmdata08.sqm" deleted successfully.
File "C:\sqmnoopt08.sqm" deleted successfully.
File "C:\sqmdata07.sqm" deleted successfully.
File "C:\sqmnoopt07.sqm" deleted successfully.
File "C:\sqmdata06.sqm" deleted successfully.
File "C:\sqmnoopt06.sqm" deleted successfully.
File "C:\WINDOWS\005344_.tmp" deleted successfully.
File "C:\sqmdata09.sqm" deleted successfully.
File "C:\sqmnoopt09.sqm" deleted successfully.
File "C:\WINDOWS\system32\IEDFix.exe" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(5).sys" not found!
Deletion of driver "dump_wmimmc(5).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(6).sys" not found!
Deletion of driver "dump_wmimmc(6).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(7).sys" not found!
Deletion of driver "dump_wmimmc(7).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(8).sys" not found!
Deletion of driver "dump_wmimmc(8).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(9).sys" not found!
Deletion of driver "dump_wmimmc(9).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(10).sys" not found!
Deletion of driver "dump_wmimmc(10).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(11).sys" not found!
Deletion of driver "dump_wmimmc(11).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(12).sys" not found!
Deletion of driver "dump_wmimmc(12).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(13).sys" not found!
Deletion of driver "dump_wmimmc(13).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc.sys" not found!
Deletion of driver "dump_wmimmc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(2).sys" not found!
Deletion of driver "dump_wmimmc(2).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(3).sys" not found!
Deletion of driver "dump_wmimmc(3).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(4).sys" not found!
Deletion of driver "dump_wmimmc(4).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\l2schemas" deleted successfully.
Folder "C:\WINDOWS\system32\CatRoot_bak" deleted successfully.

Error: folder "C:\Program Files\Viewpoint" not found!
Deletion of folder "C:\Program Files\Viewpoint" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

What was the infection doing?
koolkid12349 is offline   Reply With Quote
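To check that every item in the Avenger script posted above actually went away, here is an added Python example (not part of the thread and not code from the Avenger tool) that parses the script's "Files to delete" / "Drivers to unload" / "Folders to delete" sections and the log's "deleted successfully" / "failed!" + "Status:" lines, then reports each target's outcome, including targets the log never mentions at all. The embedded script and log are shortened, constructed excerpts of the ones in the posts; the section headings and message formats are the ones shown there.

```python
import re

# Constructed excerpts of the Avenger script and the log it produced (paths and
# status codes taken from the posts above; the full lists are in the thread).
SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\IEDFix.exe
Drivers to unload:
dump_wmimmc(5).sys
dump_wmimmc.sys
Folders to delete:
C:\Program Files\Viewpoint
"""
LOG = r"""File "C:\WINDOWS\system32\IEDFix.exe" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\dump_wmimmc(5).sys" not found!
Deletion of driver "dump_wmimmc(5).sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of folder "C:\Program Files\Viewpoint" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
"""
SECTION_RE = re.compile(r"^(Files to delete|Drivers to unload|Folders to delete):$")
OK_RE = re.compile(r'^(?:File|Folder) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?:file|folder|driver) "(.+)" failed!$')
STATUS_RE = re.compile(r"^Status: 0x[0-9a-fA-F]+ \((\w+)\)$")

def parse_script(text):
    """Map each script section ('Files to delete', ...) to its list of targets."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def parse_log(text):
    """Map each target named in the log to 'ok' or 'failed (<NTSTATUS name>)'."""
    results, pending = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := OK_RE.match(line):
            results[m.group(1)] = "ok"
        elif m := FAIL_RE.match(line):
            results[(pending := m.group(1))] = "failed"  # refined by the Status: line
        elif pending and (m := STATUS_RE.match(line)):
            results[pending] = f"failed ({m.group(1)})"
            pending = None
    return results

def reconcile(script_text, log_text):
    """Pair every script target with its logged outcome; unmentioned ones get 'no log entry'."""
    log = parse_log(log_text)
    return {(sec, t): log.get(t, "no log entry")
            for sec, targets in parse_script(script_text).items() for t in targets}
```

In this thread every driver entry failed with STATUS_OBJECT_NAME_NOT_FOUND (the service key was already gone), which the report surfaces as a per-target failure rather than burying it in the log noise.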
Old 08-06-2008, 12:53 PM   #10 (permalink)
Diamond Member
 
GameMaster's Avatar
 
Join Date: Dec 2007
Location: Croatia
Age: 17
Posts: 3,972
Default

Ah well, you had multiple infections slowing your computer and stealing your data (trojan backdoors).

I want to make sure those are all gone, so please stick with me.


Please download F-Secure BlackLight
  • Save BlackLight to your desktop.
  • Double-click blbeta.exe then accept the agreement.
  • Click > Scan then > Next
  • After the scan you'll see a list of all items found. Please click Next and exit. Don't choose to rename anything yet! I want to see the log first, because legitimate items can also be present there.
  • There will be a log on your desktop with the name fsbl.xxxxxxx.log (where the xxxxxxx are numbers)
    Please post the contents of this log in your next reply.
GameMaster is offline   Reply With Quote