| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 96302 | 2009-01-06 03:44:00 | HJT | NZHawk (4093) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 735368 | 2009-01-06 03:44:00 | Could someone review this HJT Log for nasty or unneeded: Thanks a million!! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:41:59 p.m., on 6/01/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CDBurnerXP\NMSAccessU.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\mHotkey.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\User\Desktop\2 Cleaning Tools\Hijack This\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.bearshare.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDO WS\system32\twex.exe, O2 - BHO: & Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareIEHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\sw g.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\ Yahoo! \Companion\Installs\cpn\yt.dll O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll O3 - Toolbar: Mirar - {3E12F0B2-407F-474F-9C74-10189722F8AE} - (no file) O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare Applications\BearShare MediaBar\BearShareMediaBar.dll O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll O4 - HKLM\..\Run: [CHotkey] mHotkey.exe O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" O4 - HKLM\..\Run: [EPSON Stylus CX5900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB IP.EXE /FU "C:\WINDOWS\TEMP\E_S171.tmp" /EF "HKLM" O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [vajuvudiju] Rundll32.exe "C:\WINDOWS\system32\vijogojo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [vajuvudiju] Rundll32.exe "C:\WINDOWS\system32\vijogojo.dll",s (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?b16db46dc03e4fe89c0157d5a01712c8 O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?b16db46dc03e4fe89c0157d5a01712c8 O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - www.bebo.com O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - messenger.zone.msn.com O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - download.divx.com O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sandra Service (SandraTheSrv) - Unknown owner - C:\Bench Marks\SiSoftware Sandra Pro Business 2007\RpcSandraSrv.exe (file missing) O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe -- End of file - 9088 bytes |
NZHawk (4093) | ||
| 735369 | 2009-01-06 04:01:00 | Looks like youve got a Vundo infection Disable system restore tick these then tick fix checked Close browsers O4 - HKUS\S-1-5-19\..\Run: [vajuvudiju] Rundll32.exe "C:\WINDOWS\system32\vijogojo.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [vajuvudiju] Rundll32.exe "C:\WINDOWS\system32\vijogojo.dll",s (User 'NETWORK SERVICE') Do a scan with malwarebytes |
Speedy Gonzales (78) | ||
| 735370 | 2009-01-06 04:20:00 | Thank you. Once done do you need another HJT Log posted? |
NZHawk (4093) | ||
| 735371 | 2009-01-06 04:24:00 | Nup should be OK. See if malwarebytes finds anything and removes it | Speedy Gonzales (78) | ||
| 735372 | 2009-01-06 04:26:00 | Thank you! and oh --- top of the season to you & Happy New Year! |
NZHawk (4093) | ||
| 735373 | 2009-01-06 04:39:00 | Same to you :) | Speedy Gonzales (78) | ||
| 735374 | 2009-01-06 22:28:00 | You will have to get this nasty one fixed as it works from the registry . . . Download The Avenger by Swandog46 from here ( . geekstogo . com/avenger2/download . php" target="_blank">swandog46 . geekstogo . com) . Unzip/extract it to a folder on your desktop . Double click on avenger . exe to run The Avenger . Click OK . Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it . Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C . Files to delete: C:\WINDOWS\system32\twex . exe In the avenger window, click the Paste Script from Clipboard, . imageshack . us/img220/8923/pastets4 . png" target="_blank">img220 . imageshack . us button . Click the Execute button . You will be asked Are you sure you want to execute the current script? . Click Yes . You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot . Reboot now? . Click Yes . Your PC will now be rebooted . Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation . If that is the case, it will force a shutdown . This is normal & expected behaviour . After your PC has completed the necessary reboots, a log should automatically open . If it does not automatically open, then the log can be found at %systemdrive%\avenger . txt (typically C:\avenger . txt) . Please post this log, along with a new HijackThis log in your next reply . ============================================= Copy the text the in the code box to notepad . Save it as fixreg . reg to your desktop . Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry . REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"=- After reboot post a new HJT log . |
Pancake (6359) | ||
| 735375 | 2009-01-07 01:23:00 | Help: after I applied the above instructions ============================================= Copy the text the in the code box to notepad. Save it as fixreg.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry. After reboot post a new HJT log.[/QUOTE] ============================================== the notebook won't login, even in safe mode |
NZHawk (4093) | ||
| 735376 | 2009-01-07 01:45:00 | Cancel request. Use the Ultimate Boot Disk & restored the registry to an earlier version. |
NZHawk (4093) | ||
| 735377 | 2009-01-07 01:47:00 | Ok . Lets do it this way . . . . Download The Avenger by Swandog46 from here ( . geekstogo . com/avenger2/download . php" target="_blank">swandog46 . geekstogo . com) . Unzip/extract it to a folder on your desktop . Double click on avenger . exe to run The Avenger . Click OK . Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it . Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C . Files to delete: C:\WINDOWS\system32\twex . exe Registry values to delete: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] In the avenger window, click the Paste Script from Clipboard, . imageshack . us/img220/8923/pastets4 . png" target="_blank">img220 . imageshack . us button . Click the Execute button . You will be asked Are you sure you want to execute the current script? . Click Yes . You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot . Reboot now? . Click Yes . Your PC will now be rebooted . Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation . If that is the case, it will force a shutdown . This is normal & expected behaviour . After your PC has completed the necessary reboots, a log should automatically open . If it does not automatically open, then the log can be found at %systemdrive%\avenger . txt (typically C:\avenger . txt) . Please post this log, along with a new HijackThis log in your next reply . |
Pancake (6359) | ||
| 1 2 | |||||