Jules Posted August 13, 2009 ID:109687

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:46 AM, on 8/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\winupdate.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antivirwin2009.com
O1 - Hosts: 209.44.111.57 www.antivirwin2009.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {A7D3FDBE-6FDE-4C73-994F-B8764075C159} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [iPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [iPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Family\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe
O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; yie8)" -"http://www.gaiaonline.com/games/housing/?mode=editor&cachebust=20"
O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager/plugi...PluginNOSSO.ocx
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.ifungames.com/gamefiles/dinerda...h2.1.0.0.48.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...houseplayer.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.freeworldgroup.com/games6/diner...tg.1.0.0.33.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal...eck_1_0_0_5.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal..._2_2_Silent.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://aolsvc.aol.com/onlinegames/free-tri...eb.1.0.0.14.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematyc...inematycoon.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdas...sh.1.0.0.72.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_7.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: mzwkul.dll,C:\WINDOWS\system32\larihisu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12269 bytes
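A log like the one above is normally read by eye, section by section. The following is an added example (my code, not HijackThis's and not part of this thread) that applies the structural checks a reviewer makes first: the F2 Shell and UserInit values are compared against the Windows XP defaults, O1 hosts entries are flagged when they point a name at a non-loopback address, O4 startup items are flagged when the executable sits directly in the Windows directory rather than a subfolder, every DLL listed under O20 AppInit_DLLs is reported, and O2/O3/O9 entries whose file is absent are listed as orphans. The default Shell and UserInit paths and the C:\WINDOWS root are assumed values; the sample entries are copied from the log posted above.

```python
"""Structural triage of HijackThis log entries (added example, not HijackThis code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Assumed Windows XP defaults used as the comparison baseline.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
WINDOWS_ROOT = r"c:\windows"  # assumed %SystemRoot%
LOOPBACK = {"127.0.0.1", "::1"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Run-key target: a quoted path, or an unquoted path read lazily up to .exe
O4_TARGET_RE = re.compile(r'\]\s*(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "F2", "O20"
    reason: str   # why the entry deserves review
    value: str    # the specific path, DLL or host that was flagged


def _csv(value: str) -> List[str]:
    """Split the comma lists HijackThis prints (often with a trailing comma)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _check_f2(body: str) -> List[Finding]:
    # body looks like "REG:system.ini: UserInit=<path>,<path>,"
    key, _, value = body.partition("=")
    name = key.rsplit(":", 1)[-1].strip().lower()
    if name == "shell":
        return [Finding("F2", "extra shell executable", t)
                for t in value.split() if t.lower() != DEFAULT_SHELL]
    if name == "userinit":
        return [Finding("F2", "extra UserInit executable", p)
                for p in _csv(value) if p.lower() != DEFAULT_USERINIT]
    return []


def _check_o1(body: str) -> List[Finding]:
    # body looks like "Hosts: <address> <hostname>"
    parts = body.split(":", 1)[1].split()
    if len(parts) >= 2 and parts[0] not in LOOPBACK:
        return [Finding("O1", "hosts entry points a name at a non-loopback address",
                        f"{parts[1]} -> {parts[0]}")]
    return []


def _check_o4(body: str) -> List[Finding]:
    # body looks like 'HKCU\..\Run: [name] "C:\path\app.exe" -args'
    m = O4_TARGET_RE.search(body)
    if not m:
        return []
    target = m.group(1) or m.group(2)
    if ntpath.dirname(target).lower() == WINDOWS_ROOT:
        return [Finding("O4", "startup item sits directly in the Windows directory", target)]
    return []


def _check_o20(body: str) -> List[Finding]:
    # Only the AppInit_DLLs form of O20 is checked; Winlogon Notify lines are skipped.
    name, _, value = body.partition(":")
    if name.strip().lower() != "appinit_dlls":
        return []
    return [Finding("O20", "DLL loaded into processes via AppInit_DLLs", d) for d in _csv(value)]


def _check_orphan(section: str, body: str) -> List[Finding]:
    # Browser helper/toolbar/button entries whose file no longer exists.
    if body.rstrip().lower().endswith(ORPHAN_MARKERS):
        return [Finding(section, "orphaned entry, referenced file is absent", body)]
    return []


CHECKS: Dict[str, Callable[[str], List[Finding]]] = {
    "F2": _check_f2, "O1": _check_o1, "O4": _check_o4, "O20": _check_o20,
}


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the entries of a HijackThis log that a reviewer should look at first."""
    findings: List[Finding] = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        if section in CHECKS:
            findings.extend(CHECKS[section](body))
        if section in ("O2", "O3", "O9"):
            findings.extend(_check_orphan(section, body))
    return findings


# Constructed sample: entries copied from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 antivirwin2009.com
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O20 - AppInit_DLLs: mzwkul.dll,C:\WINDOWS\system32\larihisu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section:<4} {f.reason}: {f.value}")
```

On the sample the script reports seven entries: the extra shell executable, the extra UserInit executable, the hosts redirect, the orphaned BHO, the startup item in the Windows root, and the two AppInit DLLs; the hkcmd.exe, Winlogon Notify and service lines pass unflagged. The checks are structural rather than name-based, so an entry that passes is not thereby clean, only unremarkable in form.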
sjpritch25 Posted August 14, 2009 ID:110082

Welcome to Malwarebytes!!!!

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Jules (Author) Posted August 14, 2009 ID:110115

Hi, thanks for responding. I tried running combofix. But the malware on my computer's disabled my internet so I wasn't able to create a restore point. I attached the ComboFix and HJT logs.

Attachments: combofix_log.txt, hijackthis_log.txt
sjpritch25 Posted August 14, 2009 ID:110170

Are you still unable to get online on the infected computer?
Jules (Author) Posted August 15, 2009 ID:110253

No, I can't go online. I'm currently using a USB to transfer the program files I download.
sjpritch25 Posted August 15, 2009 ID:110449

Copy and paste the following script into Notepad:

@echo off
cls
if exist log.txt del log.txt
echo... Searching computer for proquota.exe.......
dir "%systemroot%\proquota.exe" /s > log.txt
notepad log.txt
del %0

Save it as find.bat with the save type set to All, then double-click on find.bat.
In your next reply, please post the log. Thanks
Jules (Author) Posted August 15, 2009 ID:110459

 Volume in drive C has no label.
 Volume Serial Number is 2C58-7837

 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008  05:12 PM            50,176 proquota.exe
               1 File(s)         50,176 bytes

     Total Files Listed:
               1 File(s)         50,176 bytes
               0 Dir(s)  13,559,922,688 bytes free
sjpritch25 Posted August 15, 2009 ID:110466

Download the attached file CFScript.txt to your Desktop.
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

Attachment: CFScript.txt
Jules (Author) Posted August 15, 2009 ID:110477

Here is the ComboFix log. While CF was running, some prompts popped up. They're still there even though CF is finished. I'm not sure which to pick:

"Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of the files." (Then it asked me to insert my Windows XP CD, which I don't have. I have no other choice but to click cancel, but I'm worried it might damage my system or something.)

"You chose not to restore the original versions of the files. This may affect Windows stability. Are you sure you want to keep these unrecognized file versions?" (Again, I don't know whether to choose yes or no.)

Thank you for all your help so far.

Attachment: CF_log_2ndrun.txt
sjpritch25 Posted August 15, 2009 ID:110526

Reboot your computer again. Let me know if you still receive that message. Are you able to get online now?
Jules (Author) Posted August 16, 2009 ID:110618

The prompts didn't show up, but I still can't connect to the internet.
sjpritch25 Posted August 16, 2009 ID:110859

Please post a fresh HijackThis log. Thanks
Jules (Author) Posted August 16, 2009 ID:110936

Here is the HJT log.

Attachment: hijackthis_log.txt
sjpritch25 Posted August 17, 2009 ID:110999

Place a check mark next to the following item in HijackThis:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Click Fix and reboot your computer. What happens when you try to go online?
Jules (Author) Posted August 17, 2009 ID:111024

Nothing comes up; it tells me "The Page Cannot Be Displayed". However, under Network Connections my LAN says I am connected.
sjpritch25 Posted August 17, 2009 ID:111310

What browser are you using? Firefox or IE?
Jules (Author) Posted August 18, 2009 ID:111346

I tried both IE and Firefox.
sjpritch25 Posted August 21, 2009 ID:113015

Go to Start ----> Run ---> Type cmd and press the Enter key. The Windows command prompt will appear. Type each command one at a time, each followed by the Enter key:

ipconfig /flushdns
ipconfig /release
ipconfig /renew

Let me know if you're still unable to get online. Thanks
Jules (Author) Posted August 21, 2009 ID:113063

The codes above didn't change anything, but I found that my firewall settings had been messed up and therefore it wouldn't let me online. I've fixed those settings and now I can go online.
sjpritch25 Posted August 24, 2009 ID:114150

Cool. Go to Start ---> Run ---> Type ComboFix /u and press Enter.