Pop-ups! HJT inside. =]

Question

Milkshakes 0 Newbie Poster

17 Years Ago

Logfile of HijackThis v1.99.1
Scan saved at 3:42:17 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\techtools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\veheiewb.dll",forkonce
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)

One of the things I notice, is now, whenever I reboot I get an error on the file:
"O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\veheiewb.dll",forkonce"

It actually says the module is missing.

I'm leaning towards something having to do with that, but not too sure.

Pop-ups include "You have virii!" to "powered by Zedo!" advertisements.

System Restores are locked down, and error out, all of them(Yes, I've tried all of them.)

Done two scans with Spybot, and AVG, although it's a free AVG.

Any help as soon as possible would be great.

P.S.:

I know my computer blows, but I've never noticed I'm missing THAT many files to programs. I'm awefully tempted to just reinstall Windows. X.x

windows-virus

2 Contributors
7 Replies
176 Views
1 Day Discussion Span
Latest Post 17 Years Ago Latest Post by gerbil

gerbil 216 Industrious Poster

17 Years Ago

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzbb.dll (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)

Go Start, run, type cmd -press Enter, paste into the window at the prompt the following line, press Enter and close the window:

sc delete maya70docserver

Okay, now for the real pest....
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply with a fresh hijackthis scan.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
And either:
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan. [this is quicker...]
or...
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through.... [this is slower..]
Post the kaspersky scan result, plus C:\Combofix.txt and a fresh hijackthis scan.

gerbil 216 Industrious Poster

17 Years Ago

svchost.exe handles processes called from dll's by services you are running - the number of svchost's showing in TM at any particular time varies according to the services you have running.
The actual file - yes, there should only be a copy in system32 and one in I386 [sometimes in the latter the files are compressed inside cab files]
Yep, the first part was just cleaning out idle reg keys.
Fix this one also:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Delete Combofix and C:\Qoobox, C:\combofix.txt. Because it found a vundo infection you could try a quick scan with Vundofix; change the name of hijackthis.exe to imabunny.exe:
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!
Post the contents of C:\vundofix.txt plus a new HijackThis log if Vundo fix finds anything, otherwise you are clean to go.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Milkshakes 0 Newbie Poster · Answer 1 · 2007-08-21T22:59:40+00:00

Milkshakes 0 Newbie Poster

17 Years Ago

I've done the combofix and the new HJT scan, and currently am using BlackLight, but that seems to be taking a drastically long time, but I can't blame it, I have way too much crap on this computer.

I've attached the ComboFix and HJT scans, simply to save some confusion and a mess of text. =]

Seems that ComboFix nuked a bunch of suspicious files in my SYSTEM32 Folder, and so far, no pop ups, but doing the BlackLight scan as said. ^^

Greatly appreciate the help Gerbil, you're the man. =]

But one question, what was the first part for? Just cleaning up unnecessary things?

Also, I've read in another thread, there should only be one svchost.exe running? HJT says there are 3, but in the actual Task Manager, it says I have 6. =/

I searched through my computer and deleted every one besides the one in I836, and in System32. The deleted are sitting in my recycle bin, safe to shred it?

ComboFix.txt (8.75 KB)

ComboFix 07-08-17.2 - "Owner" 2007-08-21 12:00:18.1 - NTFSx86 
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.239 [GMT -4:00]
 * Created a new restore point

[i] ADS removed - svchost.exe: deleted 196 bytes in 1 streams. [/i]

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\MYDOCU~1.\dobe~1
C:\WINDOWS\system32\o01PrEz
C:\WINDOWS\system32\pmnljjj.dll
C:\WINDOWS\SYSTEM32\rqtss.bak1
C:\WINDOWS\SYSTEM32\rqtss.bak2
C:\WINDOWS\SYSTEM32\rqtss.ini
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\stera.log


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


(((((((((((((((((((((((((   Files Created from 2007-07-21 to 2007-08-21  )))))))))))))))))))))))))))))))


2007-08-21 11:57	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-18 04:41	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
2007-08-18 04:35	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab Setup Files
2007-08-15 18:05	<DIR>	d--------	C:\Program Files\Riva
2007-08-15 18:05	<DIR>	d--------	C:\Program Files\Common Files\SWF Studio
2007-08-12 19:04	<DIR>	d--------	C:\DOCUME~1\Owner\Contacts
2007-08-12 19:03	<DIR>	d----c---	C:\WINDOWS\SYSTEM32\DRVSTORE
2007-08-12 19:03	<DIR>	d--------	C:\Program Files\MSN Messenger
2007-07-23 03:25	<DIR>	d--------	C:\Program Files\WoW UI Designer


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-21 04:11	---------	d--------	C:\Program Files\AIM6
2007-08-21 03:31	---------	d--------	C:\Program Files\World of Warcraft
2007-08-21 03:30	---------	d--------	C:\Program Files\Winamp
2007-08-21 03:30	---------	d--------	C:\DOCUME~1\Owner\APPLIC~1\Azureus
2007-08-19 00:01	---------	d--------	C:\Program Files\IrfanView
2007-08-18 05:08	---------	d--------	C:\Program Files\Kaspersky Lab
2007-08-16 17:25	---------	d--------	C:\Program Files\Diablo II
2007-07-10 20:22	---------	d--------	C:\Program Files\Common Files\Blizzard Entertainment
2007-07-10 20:19	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-06-26 02:08	1104896	--a------	C:\WINDOWS\system32\msxml3.dll
2007-06-25 17:18	---------	d--------	C:\Program Files\Starcraft
2007-06-22 20:58	---------	d--------	C:\Program Files\Morpheus
2007-06-19 09:31	282112	--a------	C:\WINDOWS\system32\gdi32.dll
2007-06-13 06:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-05-25 09:04	43520	--a------	C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-20 22:14	286720	---------	C:\WINDOWS\Setup1.exe
2007-05-20 22:09	967	--a------	C:\WINDOWS\SCXEUnin.pif
2007-05-20 22:09	72704	--a------	C:\WINDOWS\SCXEUnin.exe
2007-05-20 20:45	967	--a------	C:\WINDOWS\ScUnin.pif
2007-05-20 20:45	70656	--a------	C:\WINDOWS\ScUnin.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-18 16:43]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe"  -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnigmaPopupStop]
C:\Program Files\Enigma Software Group\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)
"ewido security suite guard"=2 (0x2)
"ewido security suite control"=2 (0x2)
"AVWUpSrv"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"ATI Smart"=2 (0x2)
"x10nets"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"kavsvc"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"wwSecSvc"=2 (0x2)
"ose"=3 (0x3)

R1 ewido security suite driver;ewido security suite driver;\??\C:\Program Files\ewido anti-malware\guard.sys
R1 NPPTNT;NPPTNT;\??\C:\WINDOWS\System32\npptNT.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
R2 IOPort;IOPort;\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
R3 bcm4sbe5;Broadcom 440x 10/100 Integrated Controller Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbe5.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
S3 avgntdw;avgntdw;\??\C:\Program Files\AVPersonal\AVGNTDW.SYS
S3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
S3 NetMate2;Belkin USB/Ethernet Adapter II device driver;C:\WINDOWS\system32\DRIVERS\netmate2.sys
S3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys
S3 SANDRA;SANDRA;\??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Sandra.sys
S3 st3mp28;st3mp28;C:\WINDOWS\system32\DRIVERS\st3mp28.sys
S3 XTrapD12;XTrapD12;\??\C:\WINDOWS\system32\XTrapD12.sys
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;\??\C:\WINDOWS\system32\zlportio.sys
S4 AVWUpSrv;AVWUpSrv;"C:\Program Files\AVPersonal\AVWUPSRV.EXE"


Contents of the 'Scheduled Tasks' folder
2007-08-21 14:12:22 C:\WINDOWS\Tasks\HP Usg Daily FY04.job 
2007-08-21 12:00:00 C:\WINDOWS\Tasks\Start Up_Morning.job - C:\Program Files\Diablo II\D2Hackit.exe
2007-08-21 12:01:00 C:\WINDOWS\Tasks\Start Up_Morning2.job - C:\Documents and Settings\Owner\Desktop\MH\d2maphack.exe
2007-08-20 04:00:04 C:\WINDOWS\Tasks\Windows Update.job - C:\WINDOWS\SYSTEM32\wupdmgr.exe

HJT.txt (4.16 KB)

Logfile of HijackThis v1.99.1
Scan saved at 12:56, on 2007-08-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\ComboFix\catchme.cfexe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\fsbl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\techtools\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

Milkshakes 0 Newbie Poster · Answer 2 · 2007-08-21T23:20:20+00:00

Milkshakes 0 Newbie Poster

17 Years Ago

BlackLight scan is added.

Found nothing. ^^

fsbl-20070821162723.txt (0.83 KB)

08/21/07 12:27:23 [Info]: BlackLight Engine 1.0.64 initialized

08/21/07 12:27:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)

08/21/07 12:27:28 [Note]: 7019 4

08/21/07 12:27:28 [Note]: 7005 0

08/21/07 12:27:31 [Note]: 7006 0

08/21/07 12:27:32 [Note]: 7011 2504

08/21/07 12:27:32 [Note]: 7026 0

08/21/07 12:27:32 [Note]: 7026 0

08/21/07 12:27:40 [Note]: FSRAW library version 1.7.1022

08/21/07 13:17:36 [Note]: 7007 0

Milkshakes 0 Newbie Poster · Answer 3 · 2007-08-22T10:45:03+00:00

Actually did a VundoFix before, found nothing. ^^

The popups have stopped, I think I'm in the clear. :]

gerbil 216 Industrious Poster · Answer 4 · 2007-08-22T12:25:37+00:00

Great stuff, hit the solved button when you think it is..
Cheers.

gerbil 216 Industrious Poster · Answer 5 · 2007-08-22T19:24:59+00:00

Actually, I would like to see that vundofix log [C:\vundofix.txt] if you still have it cos I noticed that combofix picked up several vundo files.. just for my information..