HJT Log

Daniel184

New Member
Just this morning, I visited a site and avast gave me a warning that a virus was detected. After this incident, my computer started to freeze whenever I play games. This hasn't occurred in the past. I have done a full Malwarebytes scan and nothing was detected, but the problem still persists!

HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:09 AM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Du Nguyen\Desktop\Core Temp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Du Nguyen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\Du Nguyen\Desktop\Core Temp.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5_(.NET_CLR_3.5.30729)" -"http://www.explorelearning.com/index.cfm?method=cResource.dspView&ResourceID=466&ClassID=1593960"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249349762306
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249604881171
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9449 bytes
 
There is nothing in that log that would cause that problem; however, there is some minor cleanup that could be done to the log. Do you remember what file was detected by avast? Can you post a log from it?

To clean up your HijackThis log, do the following.

Rerun HijackThis and place a check next to these entries.

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

Then click on Fix checked at the bottom.

Also, you need to go into Add/Remove Programs and uninstall any entry that has Viewpoint in it.
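A first pass over a HijackThis log like the one above is usually done mechanically before reading it entry by entry. The following is an added example, not code from the post and not part of HijackThis itself: a small Python triage script that parses the R*/O* entries, pulls out the file path each entry references, and flags the three things worth a second look in any HJT log, namely O23 services with no publisher string, autostart entries that load from user-writable locations, and autostart entries whose target path cannot be resolved. The sample log is constructed for the example (placeholder names and paths in the same v2.0.2 format), and the marker lists are this example's own assumptions, not an authoritative allow-list.

```python
import re

# Constructed sample in HijackThis v2.0.2 format (placeholder names/paths,
# not the full log from the post); chosen to exercise each check below.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Example Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\Example Toolbar\extb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\User\Desktop\Core Temp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# One HJT entry per line: section tag (R0, R1, R3, O2, O4, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.+)$")
# First drive-letter path ending in a loadable module; stops at a closing quote
# or at the ",EntryPoint" suffix used by RUNDLL32 entries.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|cpl|ocx|sys)\b", re.IGNORECASE)

# Assumed markers for locations an ordinary user (or a drive-by) can write to.
USER_WRITABLE = (
    "\\documents and settings\\", "\\users\\", "\\temp\\",
    "\\application data\\", "\\desktop\\", "\\my documents\\",
)
# Sections that describe code loaded automatically (BHOs, toolbars, Run keys, services).
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O23"}


def parse_entries(log_text):
    """Yield (section, body, path) for each R*/O* line.

    Header lines and the running-process list do not match ENTRY_RE and are skipped.
    path is the first file reference found in the body, or None.
    """
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        pm = PATH_RE.search(m.group("body"))
        yield m.group("section"), m.group("body"), (pm.group(0) if pm else None)


def triage(log_text):
    """Return a list of (section, reason, entry) tuples worth a human's attention."""
    findings = []
    for section, body, path in parse_entries(log_text):
        low = (path or "").lower()
        # HJT prints the file's company/publisher string for O23; its absence is
        # not proof of anything, but it is where hash/signature checks start.
        if section == "O23" and "- Unknown owner -" in body:
            findings.append((section, "service has no publisher string; verify file hash/signature", body))
        # Legitimate autostarts normally live under Program Files or the Windows dir.
        if path and any(marker in low for marker in USER_WRITABLE):
            findings.append((section, "autostart/hook loads from a user-writable location", body))
        # An autostart whose target cannot be parsed may be a deleted file or an obfuscated command.
        if section in AUTOSTART_SECTIONS and path is None:
            findings.append((section, "could not resolve a file path; check for a deleted or obfuscated target", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

Two caveats on how this fits the advice above: flagging an entry only means "look at it", and a tool the user dropped on the Desktop themselves (Core Temp in the posted log) will be flagged by the location rule just as a drive-by payload would. Also, what HijackThis "Fix checked" does for an O4 entry is remove the Run value from the registry; the program itself stays installed, which is why the Viewpoint component is handled through Add/Remove Programs instead.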
 
It was the shield alert thing. Whenever a virus is detected, a pop-up appears and asks you whether or not you want to delete the infected file. I panicked at this alert and clicked Delete without looking at the name of the file, since I thought the file was infected and could cause further damage to my computer. I'm doing a full scan with avast right now.
 
If nothing is detected, you may want to think about doing a System Restore back to yesterday, before this happened.
 
12/31/2009 6:47:27 AM SYSTEM 1428 Sign of "HTML:Iframe-inf" has been found in "C:\Documents and Settings\Du Nguyen\Local Settings\Application Data\Mozilla\Firefox\Profiles\lzswexlc.default\Cache\_CACHE_002_" file.
12/31/2009 6:47:11 AM SYSTEM 1428 Sign of "JS:Pdfka-TW [Expl]" has been found in "http://sdgytsgspnf.com/nte/AVORP1TREST11.php/oH8baacaefV03006f35002R6aba994c102Tc09657b1Q000002fd901801F0020000aJ0f000601l0409K11284e23317" file.
12/31/2009 6:47:08 AM SYSTEM 1428 Sign of "HTML:Iframe-inf" has been found in "http://adserv.getyourglamtone.com/clicksor_300x250.html?clickTag=http://getyourglamtone.com" file.

12/27/2009 3:11:54 AM SYSTEM 1436 Sign of "JS:Redirector-AQ [Trj]" has been found in "http://pastyono.info/cgi-bin/gjj/jHdfeb8eefV03006f35002R00000000102T94dcaa0aQ000002fd901801F0020000aJ0f000601L656e2d55530000000000" file.
12/13/2009 11:50:53 PM SYSTEM 1492 Sign of "HTML:Iframe-inf" has been found in "http://media.trafficjunky.net/cdn_custom_ads/rich34/rich34.html" file.
12/4/2009 8:23:27 PM SYSTEM 1504 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
12/2/2009 10:25:03 PM Du Nguyen 3632 Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Documents and Settings\Du Nguyen\My Documents\Softwares\kav8.0.0.506en.exe\$INSTDIR\kav.en.msi\KAV8.cab\avzkrnl.dll" file.
12/2/2009 10:23:02 PM Du Nguyen 4036 Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Documents and Settings\Du Nguyen\My Documents\Softwares\kav8.0.0.506en.exe\$INSTDIR\kav.en.msi\KAV8.cab\avzkrnl.dll" file.
12/2/2009 10:22:25 PM SYSTEM 1500 Sign of "Win32:Delf-MZG [Trj]" has been found in "http://download.yimg.com/ycs/antispy/installer/2.1.1.0/en/ca_yahooantispy_211_setup_en.exe\$_OUTDIR\CAYahooAntispy.exe" file.
12/2/2009 10:19:56 PM SYSTEM 1500 Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Program Files\CA Yahoo! Anti-Spy\CAYahooAntispy.exe" file.
12/2/2009 10:14:57 PM SYSTEM 1500 Sign of "Win32:Zbot-MKK [Trj]" has been found in "C:\Documents and Settings\Du Nguyen\My Documents\sm_dm.exe" file.
11/28/2009 9:37:05 PM SYSTEM 1160 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Du Nguyen\Application Data\Microsoft\Office\Recent\Belgian Congo.LNK (C:\Documents and Settings\Du Nguyen\Application Data\Microsoft\Office\Recent\Belgian Congo.LNK) returning error, 00000005.
11/28/2009 9:14:24 PM SYSTEM 1160 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Du Nguyen\Application Data\Microsoft\Office\Recent\English 4.LNK (C:\Documents and Settings\Du Nguyen\Application Data\Microsoft\Office\Recent\English 4.LNK) returning error, 00000005.
11/17/2009 1:43:07 AM SYSTEM 1160 Sign of "HTML:Iframe-inf" has been found in "http://www.3xfrees.com/" file.
11/17/2009 1:43:03 AM SYSTEM 1160 Sign of "HTML:Iframe-inf" has been found in "http://3xfrees.com/" file.
11/12/2009 5:15:49 AM SYSTEM 1496 Sign of "VBS:Obfuscated-gen [Trj]" has been found in "http://hosvoyt.com/php5/p35.php\{gzip}" file.
11/12/2009 1:32:10 AM SYSTEM 1496 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11/12/2009 1:32:10 AM SYSTEM 1496 An error has occured while attempting to update. Please check the logs.
11/9/2009 11:03:49 PM SYSTEM 1504 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://orbitzaway.tt.omtrdc.net/m2/...257807829438&mboxURL=http://www.trip.com/&mbo (C:\WINDOWS\TEMP\_avast4_\unp97443337.tmp) returning error, 0000A413.
11/7/2009 7:27:32 PM SYSTEM 1156 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://clients1.google.com/complete...agon age uldred&q=dragon age uldred hel&cp=21 (C:\WINDOWS\TEMP\_avast4_\unp170196291.tmp) returning error, 0000A413.
11/4/2009 7:27:01 PM SYSTEM 1504 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11/4/2009 7:27:01 PM SYSTEM 1504 An error has occured while attempting to update. Please check the logs.
11/4/2009 5:26:08 AM SYSTEM 1496 Sign of "JS:Pdfka-SB [Expl]" has been found in "http://www2.admirato.net/auoawvquo/xd/pdf.pdf" file.
10/30/2009 11:29:29 PM SYSTEM 1508 Sign of "JS:Pdfka-SB [Expl]" has been found in "http://web.maikongs.net/erwprquoz/xd/pdf.pdf" file.
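The avast 4 log above mixes several kinds of hits, and they do not carry the same weight. As an added example (not part of the thread and not avast's own tooling), the following Python parser reads lines in that format, separates detections from update errors, and classifies where each detection was found: in the HTTP stream (the Web Scanner), in the browser cache, inside an archive or installer, or as a loose file on disk. The sample lines are constructed to match the format in the post, with placeholder user names, hosts and paths; the classification rules are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the avast 4 log format shown in the post
# (placeholder user, host and path names; one update-failure line included).
SAMPLE_AVAST_LOG = r"""
12/31/2009 6:47:27 AM SYSTEM 1428 Sign of "HTML:Iframe-inf" has been found in "C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\Cache\_CACHE_002_" file.
12/31/2009 6:47:11 AM SYSTEM 1428 Sign of "JS:Pdfka-TW [Expl]" has been found in "http://malicious.example/nte/page.php" file.
12/2/2009 10:25:03 PM Some User 3632 Sign of "Win32:Delf-MZG [Trj]" has been found in "C:\Documents and Settings\User\My Documents\Softwares\setup.exe\$INSTDIR\inner.cab\tool.dll" file.
12/2/2009 10:14:57 PM SYSTEM 1500 Sign of "Win32:Zbot-MKK [Trj]" has been found in "C:\Documents and Settings\User\My Documents\sm_dm.exe" file.
12/4/2009 8:23:27 PM SYSTEM 1504 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
"""

# date time user pid message; the user field may contain spaces, so it is
# matched non-greedily up to the numeric pid.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<user>.+?) (?P<pid>\d+) (?P<msg>.+)$"
)
DETECT_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<loc>[^"]+)" file\.')


def classify_location(loc):
    """Assumed classification of where a detection happened (this example's rules)."""
    low = loc.lower()
    if low.startswith(("http://", "https://")):
        return "web-shield: flagged in the HTTP stream while being fetched"
    if "\\cache\\" in low:
        return "browser cache: stored page data, not an executable"
    if re.search(r"\.(exe|msi|cab|zip|rar)\\", low):
        return "inside archive/installer: nested path, not necessarily executed"
    return "on-disk file: executable content reached the disk, investigate"


def parse_avast_log(text):
    """Return one dict per log line; detections carry signature/location/where."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        event = m.groupdict()
        d = DETECT_RE.search(event["msg"])
        if d:
            event.update(kind="detection", signature=d.group("sig"),
                         location=d.group("loc"), where=classify_location(d.group("loc")))
        else:
            event["kind"] = "other"
        events.append(event)
    return events


def summarize(events):
    """Counts by location class and malware family, plus the on-disk hits to chase."""
    det = [e for e in events if e["kind"] == "detection"]
    return {
        "detections": len(det),
        "by_where": Counter(e["where"].split(":")[0] for e in det),
        # avast names look like "Win32:Zbot-MKK [Trj]"; the prefix is the platform/family.
        "by_family": Counter(e["signature"].split(":")[0] for e in det),
        "investigate": [e for e in det if e["where"].startswith("on-disk")],
        "update_failures": sum(1 for e in events
                               if e["kind"] == "other" and "failed" in e["msg"].lower()),
    }


if __name__ == "__main__":
    s = summarize(parse_avast_log(SAMPLE_AVAST_LOG))
    print(s["detections"], "detections;", s["update_failures"], "update failures")
    for e in s["investigate"]:
        print(f"{e['date']} {e['time']} {e['signature']} -> {e['location']}")
```

The distinction matters for triage: a hit whose location is an http:// URL means the content was flagged as it was downloaded, a hit in the Firefox cache is stored page data, while a loose executable under My Documents is a file that actually reached the disk and is worth checking (what it was, when it arrived, and whether anything on the HijackThis autostart list references it). Repeated update failures are also worth noting, since a scanner whose definitions are not updating is scanning with stale signatures.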
 