Browser Hijack this morning


Shane

  • Staff

Hi,

Sorry for delay. I was offline all night.

Thanks for the logs.

Gmer looks OK. Entries there as part of Daemon Tools.

Can you try uninstalling your network adapter> reboot> let Windows find it again and let it install it.

Likely need another reboot to complete.

Let me know what happens.

Thanks :D


Uninstalling the device did not seem to work. I have reinstalled and allowed windows to detect, also tried updating drivers etc. All I get is an "Acquiring Network Address" from the card...never connects, just sits there.

Doesn't seem like the card wants to talk to anything. Is there anything I can post to help you find the problem?


  • Staff

Hi,

Can you upload the following file:

c:\qoobox\quarantine\c\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll.vir

To this site please:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Make sure to include a link to this topic.

I believe that file is a false positive that ComboFix took out. CF creator will want the file to see why it was targeted.

Don't do anything with CF or the qoobox folder yet please. He may want more info.

What version of "ASUS Security Protect Manager" do you have installed?

You should be able to restore full functionality of the program if you re-install it from the asus site if you use this program & don't have the installer onboard.

And don't worry about the stuff in system volume information folder yet. This is system restore & we'll clean that out when we are done.

In the mean-time -- let's do an online scan to double check things.

If you already have used Kaspersky online scanner, please uninstall it via add/remove programs because this is a new version I need you to download.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Graphics tutorial available here if needed:

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

Thanks :)


Looks like my protocols, etc were messed up. Downloaded and ran winsockxpfix and it seemed to get everything back in order. AVG and Spybot updated. Ran a scan and found no additional bugs. Other websites etc worked fine, other programs able to get online etc.

ASUS folder uploaded per your request. I never use the thing, it came with my laptop and I never took the time to get it set up.

Kaspersky Scanner log did not find anything, no report to save.


  • Staff

Thanks for the info.

You scanned the entire computer in 1/2 hour? Takes me ~20 min on cable connection to get scanner installed & defs downloaded on my "barebones" before I even scan. :)

Before proceeding -- if you re-installed ASUS Security Protect Manager quit here & let me know.

If not --

Copy the following text inside code box to a new notepad file:

DeQuarantine::
c:\qoobox\quarantine\c\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll.vir
Quit::

Save file as cfscript.txt to the desktop.

Temporarily disable Active antimalware programs.

Drag CFScript on top of Combofix & drop it.

It will be a short run.

Log will pop up.

Post its contents please.

Don't forget to re-enable antimalware programs.

Thanks


ComboFix 08-12-02.02 - Owner 2008-12-04 17:32:02.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2557 [GMT -5:00]

Running from: c:\documents and settings\Owner\My Documents\Malware Backup stuff\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))

.

2008-12-04 10:33 . 2008-09-25 06:22 3,634,688 --a------ c:\windows\system32\drivers\NETw5x32.sys

2008-12-04 10:33 . 2008-06-20 09:33 2,756,608 --a------ c:\windows\system32\NETw5r32.dll

2008-12-04 10:33 . 2008-06-20 09:32 663,552 --a------ c:\windows\system32\NETw5c32.dll

2008-12-03 20:24 . 2008-12-03 20:24 250 --a------ c:\windows\gmer.ini

2008-12-02 20:08 . 2008-12-02 20:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Grisoft

2008-12-02 20:04 . 2008-12-02 21:40 <DIR> d-------- c:\documents and settings\Administrator

2008-12-02 18:19 . 2008-12-03 09:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\U3

2008-11-25 17:07 . 2008-11-25 17:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\Roxio

2008-11-25 17:07 . 2008-11-25 17:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio

2008-11-25 17:04 . 2008-12-02 17:06 256 --a------ c:\windows\system32\pool.bin

2008-11-25 17:03 . 2008-11-25 17:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\Research In Motion

2008-11-25 16:59 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic

2008-11-25 16:59 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield

2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Roxio

2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Common Files\Sonic Shared

2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Common Files\Roxio Shared

2008-11-25 16:58 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio

2008-11-25 16:55 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys

2008-11-25 16:54 . 2008-11-25 16:54 <DIR> d-------- c:\program files\Common Files\Research In Motion

2008-11-25 16:53 . 2008-11-25 16:53 <DIR> d-------- c:\program files\Research In Motion

2008-11-25 16:48 . 2008-11-25 16:49 18,468,336 --a------ c:\program files\RhapsodyVcast.EXE

2008-11-18 19:53 . 2008-11-18 19:54 <DIR> d-------- c:\program files\BitPim

2008-11-18 17:30 . 2008-11-18 17:30 <DIR> d-------- c:\program files\LG Electronics

2008-11-14 13:30 . 2008-11-25 16:55 <DIR> d-------- C:\temp

2008-11-11 17:40 . 2008-11-11 17:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Toshiba

2008-11-11 17:37 . 2008-11-11 17:43 98 --a------ c:\windows\WirelessFTP.INI

2008-11-11 17:33 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-11 17:33 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-04 22:26 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-04 18:26 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-03 01:02 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent

2008-12-02 22:12 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-02 22:12 --------- d-----w c:\program files\Electronic Arts

2008-12-02 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-11-28 17:19 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire

2008-11-25 21:58 --------- d-----w c:\program files\Common Files\InstallShield

2008-11-14 18:12 --------- d-----w c:\program files\THQ

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((( snapshot@2008-12-03_10.04.24.98 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-04 01:24:02 884,736 ----a-w c:\windows\gmer.dll

+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe

+ 2008-12-04 01:24:02 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

+ 2008-06-20 14:32:32 663,552 -c--a-w c:\windows\system32\DRVSTORE\netw5x32_74BACD4A361CF37186F7E967730975606AB2E1F8\NETw5c32.dll

+ 2008-06-20 14:33:34 2,756,608 -c--a-w c:\windows\system32\DRVSTORE\netw5x32_74BACD4A361CF37186F7E967730975606AB2E1F8\NETw5r32.dll

+ 2008-09-25 11:22:02 3,634,688 -c--a-w c:\windows\system32\DRVSTORE\netw5x32_74BACD4A361CF37186F7E967730975606AB2E1F8\NETw5x32.sys

+ 2007-02-12 16:40:44 557,056 -c--a-w c:\windows\system32\DRVSTORE\w29n51_AEF466EE116FDF742A02BFF75E6143DB4A91003C\Netw2c32.dll

+ 2007-02-12 16:41:44 2,732,032 -c--a-w c:\windows\system32\DRVSTORE\w29n51_AEF466EE116FDF742A02BFF75E6143DB4A91003C\Netw2r32.dll

+ 2008-01-09 10:20:28 2,212,352 -c--a-w c:\windows\system32\DRVSTORE\w29n51_AEF466EE116FDF742A02BFF75E6143DB4A91003C\w29n50.sys

+ 2008-01-09 10:19:16 2,216,064 -c--a-w c:\windows\system32\DRVSTORE\w29n51_AEF466EE116FDF742A02BFF75E6143DB4A91003C\w29n51.sys

- 2008-11-14 18:12:30 62,746 ----a-w c:\windows\system32\perfc009.dat

+ 2008-12-04 18:20:07 60,514 ----a-w c:\windows\system32\perfc009.dat

- 2008-11-14 18:12:30 401,632 ----a-w c:\windows\system32\perfh009.dat

+ 2008-12-04 18:20:07 395,346 ----a-w c:\windows\system32\perfh009.dat

+ 2008-06-20 14:32:32 663,552 ----a-w c:\windows\system32\ReinstallBackups\0023\DriverFiles\NETw5c32.dll

+ 2008-06-20 14:33:34 2,756,608 ----a-w c:\windows\system32\ReinstallBackups\0023\DriverFiles\NETw5r32.dll

+ 2008-09-25 11:22:02 3,634,688 ----a-w c:\windows\system32\ReinstallBackups\0023\DriverFiles\NETw5x32.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]

@="{666C7836-A9B6-4AB4-94ED-DC238C81E925}"

[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]

2006-10-26 11:35 391168 -ra------ c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-11-28 229376]

"MsgTranAgt"="c:\program files\ATK Hotkey\MsgTranAgt.exe" [2007-11-04 106496]

"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]

"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-10-17 7737344]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-21 36864]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-16 1029416]

"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]

"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-21 17920]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]

"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]

"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-06-19 91432]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-25 185896]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-19 615696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-21 13508608]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=APSHook.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

"SMSERIAL"=c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-16 97928]

R1 ItSDisk;ItSDisk;c:\windows\system32\Drivers\ItSDisk.sys [2006-05-16 23496]

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 16:24:04 41456]

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336]

R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 875288]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]

R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-16 76040]

R3 NETw5x32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETw5x32.sys [2008-12-04 3634688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c9d0b04-b5c0-11dd-9712-001f3b4d9d19}]

\Shell\AutoRun\command - F:\USBAutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f19cca68-c0c6-11dd-972d-001f3b4d9d19}]

\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-04 17:35:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)

c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItMsg.dll

- - - - - - - > 'lsass.exe'(612)

c:\program files\ASUS Security Center\ASUS Security Protect Manager\bin\ASWLNPkg.dll

c:\program files\ASUS Security Center\ASUS Security Protect Manager\bin\ItMsg.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\asghost.exe

c:\program files\Synaptics\SynTP\SynAsus.exe

c:\program files\ATK Hotkey\ATKOSD.exe

c:\program files\ATK Hotkey\WDC.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\scardsvr.exe

.

**************************************************************************

.

Completion time: 2008-12-04 17:39:33 - machine was rebooted [Owner]

ComboFix-quarantined-files.txt 2008-12-04 22:39:30

ComboFix2.txt 2008-12-03 17:31:27

ComboFix3.txt 2008-12-03 15:04:43

Pre-Run: 178,175,483,904 bytes free

Post-Run: 178,213,232,640 bytes free

216 --- E O F --- 2008-11-13 19:10:28


  • Staff

Hi,

Thanks. I see that dll running. :)

Disable TeaTimer again.

A couple of leftovers from old AVG A/S to remove, & a repair to the OneCard key that was taken out belonging to the fingerprint software.

Since you never use it -- the one from my machine default install & never configured will work.

Download the attached file and save it to your desktop.

Unzip it.

Right click "onecard-notify.reg" & choose merge

Answer Yes.

You should get success message.

Reboot

RE-enable TeaTimer & allow changes it sees.

Post fresh Hijackthis log please.

Let me know how machine is running.

Thanks

onecard_notify.zip


New log posted below. System is running pretty fast, not quite as fast as it was when new, but certainly faster than the last few weeks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:38:49 PM, on 12/4/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATK Hotkey\Hcontrol.exe

C:\Program Files\ATK Hotkey\MsgTranAgt.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

C:\Program Files\ATKOSD2\ATKOSD2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe

C:\Program Files\Synaptics\SynTP\SynAsus.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Cyberlink\Shared Files\brs.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\ATK Hotkey\ATKOSD.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\ATK Hotkey\WDC.exe

C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\My Documents\Malware Backup stuff\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"

O4 - HKLM\..\Run: [MsgTranAgt] "C:\Program Files\ATK Hotkey\MsgTranAgt.exe"

O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE

O4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll

O20 - Winlogon Notify: OneCard - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--

End of file - 7733 bytes

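As an added example (my own code, not part of the thread and not HijackThis or ComboFix code): a small triage script that parses the kinds of load-point lines the log above reports (O4 Run, O10 Winsock LSP, O20 AppInit_DLLs, O20 Winlogon Notify) and records, for each, in whose context the module loads and what to verify before removing it, including the LSP caveat this thread ran into. The sample lines are copied from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: HijackThis v2.0.2 lines copied from the log above
# (one O2, two O4, the O10 LSP line, both O20 lines and one O23 service).
SAMPLE_LOG = r"""
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# A HijackThis line is "<section code> - <detail>", e.g. "O20 - AppInit_DLLs: ...".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# rundll32 entries hide the real module behind a loader: "rundll32.exe <dll>,<export>"
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+),(\w+)", re.IGNORECASE)


@dataclass
class Entry:
    code: str    # section code such as "O4", "O10", "O20"
    detail: str  # everything after "<code> - "


@dataclass
class Finding:
    entry: Entry
    load_point: str  # where, and in whose security context, the module loads
    items: list      # file names / paths (and exports) pulled from the line
    check: str       # what to verify before removing the entry


def parse_hjt(text):
    """Split a HijackThis log into (code, detail) entries; lines that are not
    entries (process list, headers, 'End of file') are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return a Finding for each entry that is a privileged or process-wide
    load point. Benign-looking entries are still reported: the point is to
    record where each module loads so the reviewer knows the blast radius."""
    findings = []
    for e in parse_hjt(text):
        if e.code == "O20" and e.detail.startswith("AppInit_DLLs:"):
            dlls = [d.strip() for d in e.detail.split(":", 1)[1].split(",") if d.strip()]
            bare = [d for d in dlls if "\\" not in d]  # no directory given
            findings.append(Finding(
                e, "every process that loads user32.dll", dlls,
                "bare names (%s) are found via the DLL search path; locate each "
                "file on disk and confirm its publisher" % ", ".join(bare)))
        elif e.code == "O20" and e.detail.startswith("Winlogon Notify:"):
            name, _, path = e.detail.split(":", 1)[1].partition(" - ")
            findings.append(Finding(
                e, "winlogon.exe at boot (SYSTEM)", [path.strip()],
                "package '%s': if the DLL is quarantined but the key stays, "
                "restore the file or repair the key; never leave a dangling entry" % name.strip()))
        elif e.code == "O10":
            path = e.detail.split(": ", 1)[1].strip()
            findings.append(Finding(
                e, "Winsock LSP chain (every TCP/IP socket)", [path],
                "deleting the file without rewriting the LSP chain breaks networking "
                "(the 'Acquiring Network Address' symptom); use an LSP-aware repair"))
        elif e.code == "O4":
            m = RUNDLL_RE.search(e.detail)
            if m:
                findings.append(Finding(
                    e, "logon via Run key", [m.group(1), m.group(2)],
                    "expand 8.3 short names before judging the path; confirm the DLL "
                    "is signed by the vendor the entry name suggests"))
    return findings


def report(findings):
    """One human-readable line per finding."""
    return ["[%s] loads in: %s | %s | check: %s"
            % (f.entry.code, f.load_point, ", ".join(f.items), f.check)
            for f in findings]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```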

  • Staff

Hi,

Creator of ComboFix I think wants the files it quarantined to have a better look at why it couldn't repair the LSP stack. (which is basically what you fixed with WinsockXPFix)

Can you zip up C:\qoobox\quarantine folder & upload to this site please:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Include URL from this thread so he knows where it all came from.

Would be helpful to also include a comment regarding broken internet connection as well to remind him. (he gets lots of uploads there)

Once you have uploaded that please do the following:

Click start> run> type:

c:\windows\gmer_uninstall.cmd then hit OK.

Press "enter" when told to press any key.

The cmd window will exit.

Delete DDS.exe if still present.

Click start> run> & type: Combo-Fix /u then hit OK.

Combofix will remove the files/folders it dropped on the system including itself.

It will re-hide system files & folders if applicable.

It will dump old system restore points & create a new one.

Since the HJT log appears clean, here is some great information to help you stay clean and safe online:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

If you want to help speed up your system Miekiemoes has some great information here:

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Make sure you keep your security programs up to date.

Keep Windows itself up to date.

Make sure to keep other programs up to date as well. Keep in mind some programs like Java do not uninstall the old versions so one should check for & uninstall old versions to avoid getting infected via exploits.

I see too that you use P2P programs.

Using these programs puts your system at risk for infection because you download stuff from unknown sources.

Even MP3s are not totally safe.

P2P networks are one of the primary sources of malware.

There are privacy risks too:

http://spywarewarrior.com/viewtopic.php?t=...157cee792b31b7f

I recommend you avoid using such programs for the sake of safety.

Keep well & surf safe!
