Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:42:00 PM, on 6/23/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Garmin\gStart.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Kam Coach\Kam200.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jason\Desktop\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll

O1 - Hosts: 89.149.206.68 www.google.com

O1 - Hosts: 89.149.206.68 www.google.de

O1 - Hosts: 89.149.206.68 www.google.fr

O1 - Hosts: 89.149.206.68 www.google.co.uk

O1 - Hosts: 89.149.206.68 www.google.com.br

O1 - Hosts: 89.149.206.68 www.google.it

O1 - Hosts: 89.149.206.68 www.google.es

O1 - Hosts: 89.149.206.68 www.google.co.jp

O1 - Hosts: 89.149.206.68 www.google.com.mx

O1 - Hosts: 89.149.206.68 www.google.ca

O1 - Hosts: 89.149.206.68 www.google.com.au

O1 - Hosts: 89.149.206.68 www.google.nl

O1 - Hosts: 89.149.206.68 www.google.co.za

O1 - Hosts: 89.149.206.68 www.google.be

O1 - Hosts: 89.149.206.68 www.google.gr

O1 - Hosts: 89.149.206.68 www.google.at

O1 - Hosts: 89.149.206.68 www.google.se

O1 - Hosts: 89.149.206.68 www.google.ch

O1 - Hosts: 89.149.206.68 www.google.pt

O1 - Hosts: 89.149.206.68 www.google.dk

O1 - Hosts: 89.149.206.68 www.google.fi

O1 - Hosts: 89.149.206.68 www.google.ie

O1 - Hosts: 89.149.206.68 www.google.no

O1 - Hosts: 89.149.206.68 search.yahoo.com

O1 - Hosts: 89.149.206.68 us.search.yahoo.com

O1 - Hosts: 89.149.206.68 uk.search.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Startup: Kam Coach.lnk = C:\Program Files\Kam Coach\Kam200.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204834457984

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O24 - Desktop Component 0: (no name) - http://images.weddingpaperdivas.com/person...00/shadow/1.jpg

--

End of file - 10517 bytes

Malwarebytes' Anti-Malware 1.34

Database version: 1826

Windows 5.1.2600 Service Pack 2

6/23/2009 6:15:16 PM

mbam-log-2009-06-23 (18-15-16).txt

Scan type: Quick Scan

Objects scanned: 103402

Time elapsed: 14 minute(s), 16 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 3

Registry Keys Infected: 15

Registry Values Infected: 4

Registry Data Items Infected: 1

Folders Infected: 6

Files Infected: 19

Memory Processes Infected:

C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Unloaded process successfully.

C:\WINDOWS\system\rundll32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Delete on reboot.

C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Delete on reboot.

C:\WINDOWS\system32\__c0039FAD.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b035573a-5f43-4862-a194-87d027c63012} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b035573a-5f43-4862-a194-87d027c63012} (Trojan.BHO.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{014c4232-6904-47b9-9144-7e0fb7277444} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{0ab02d6c-f605-425f-b7cb-b9e96c9faf1e} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{32864a05-9d09-472c-abd0-081818ec713b} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0039fad (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f2213a.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shell (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

C:\Program Files\SpywareBot\HOSTS Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\VSAdd-in (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Plus (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus Plus (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\InternetExplorer.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\SpywareBot\HOSTS Backups\2006-11-26-1164589529_hosts (Rogue.SpywareBot) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Plus\Antivirus Plus.lnk (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Plus\EULA.lnk (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus Plus\AntivirusPlus.exe (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus Plus\AntivirusPlus.grn (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Plus.lnk (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Antivirus Plus.lnk (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\WINDOWS\system\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Jason\Local Settings\Temp\_A00F2213A.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c0039FAD.dat (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system\rundll32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
