HiJack This Log

  1. 22-03-2008  #1
    missbeenie
    missbeenie is offline Newbie

    HiJack This Log

    I have a page hijacker, wondering if someone can help.

    Logfile of HijackThis v1.99.1
    Scan saved at 15:26:28, on 22/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\PROGRA~1\BROADB~1\SMARTB~1\BTHelpNotifier.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Last.fm\LastFMHelper.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BrowserCmp - {1D8282E6-BC4F-469B-AAED-7E4FF077AD93} - C:\WINDOWS\system32\iebrowserc.dll
    O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O2 - BHO: dcads - {733716E1-76D2-4003-AC39-845281C0EF85} - C:\WINDOWS\system32\nsf35E.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\ FoxyTunesForIE.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\toolbar.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\ FoxyTunesForIE.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BROADB~1\SMARTB~1\BTHelpNotifier.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\RunServices: [Registry System16 Checkup Monitor] SystemReg16.exe
    O4 - HKCU\..\Run: [Registry System16 Checkup Monitor] SystemReg16.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
    O4 - Global Startup: DSLMON.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Elders\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://www.eversoft.co.kr/vmpinstall...le26r74bd.html
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104723831379
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175983852423
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab57213.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload.mediamax.com/Upload/XUpload.ocx
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F48CBF9-6EB8-4440-B46D-F76507F1086C}: NameServer = 194.72.9.38 62.6.40.162
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6A374F84-2B5B-4B82-97D3-5191595DA75E}: NameServer = 217.44.69.228,192.168.0.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F48CBF9-6EB8-4440-B46D-F76507F1086C}: NameServer = 194.72.9.38 62.6.40.162
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  2. 22-03-2008  #2
    Neal
    Neal is offline Dedicated Member
    Welcome,



    If you have previously downloaded ComboFix,please delete that version now.

    Now download ComboFix and save to your desktop:

    Note:

    It is IMPORTANT that it is saved directly to your desktop

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Disable your antivirus program and any realtime malware scanners now


    How To Disable



    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick combofix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



    *Note*
    In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
    Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

    ComboFix SHOULD NOT be used unless requested by a forum helper.



    New hijackthis log please.
  3. 22-03-2008  #3
    missbeenie
    missbeenie is offline Newbie
    ComboFix 08-03-22.1 - Elders 2008-03-22 22:10:43.1 - NTFSx86
    Running from: C:\Documents and Settings\Elders\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Elders\Application Data\SpamBlocker
    C:\Documents and Settings\Elders\Application Data\urlredir.cfg
    C:\WINDOWS\system32\dcads-remove.exe
    C:\WINDOWS\system32\DcadsSocial-uninstall.exe
    C:\WINDOWS\system32\iebrowserc.dll
    C:\WINDOWS\system32\nsf35E.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
    .

    2008-03-19 00:24 . 2008-03-19 00:26 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-03-16 14:11 . 2008-03-16 14:21 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2008-03-05 19:05 . 2008-03-05 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    2008-02-23 20:47 . 2008-02-23 20:47 <DIR> d-------- C:\Documents and Settings\Elders\Application Data\Sports Interactive
    2008-02-23 20:06 . 2008-02-23 20:06 <DIR> d-------- C:\Documents and Settings\Elders\Application Data\Talkback
    2008-02-23 20:04 . 2008-02-23 20:04 <DIR> d-------- C:\Program Files\Common Files\xing shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
    .
    2008-03-22 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
    2008-03-16 18:14 --------- d-----w C:\Program Files\MONOPOLY HERE & NOW EDITION
    2008-03-16 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
    2008-03-15 18:35 --------- d-----w C:\Program Files\Last.fm
    2008-03-15 18:32 --------- d-----w C:\Documents and Settings\Elders\Application Data\Winamp
    2008-03-15 15:50 --------- d-----w C:\Program Files\Winamp
    2008-03-14 16:47 --------- d-----w C:\Program Files\SpywareBlaster
    2008-03-05 19:29 --------- d-----w C:\Documents and Settings\Elders\Application Data\DataLayer
    2008-03-05 19:14 --------- d-----w C:\Program Files\Nokia
    2008-03-05 19:12 --------- d-----w C:\Program Files\DIFX
    2008-03-05 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
    2008-03-05 19:11 --------- d-----w C:\Program Files\Common Files\PCSuite
    2008-03-05 19:11 --------- d-----w C:\Program Files\Common Files\Nokia
    2008-02-23 20:04 --------- d-----w C:\Program Files\Common Files\Real
    2008-01-27 10:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-24 00:38 --------- d-----w C:\Program Files\Java
    2008-01-13 19:35 40,731 ----a-w C:\WINDOWS\system32\superiorads-uninst.exe
    2007-06-14 22:19 200,704 ----a-w C:\Program Files\slsk157test8.exe
    2007-03-19 12:59 71,911 ----a-w C:\Program Files\DivXWebPlayerUninstall.exe
    2007-03-19 12:59 71,911 ----a-w C:\Program Files\DivXContentUploaderUninstall.exe
    2007-01-25 01:02 29,926 ----a-w C:\Program Files\divxauthor.ico
    2006-12-12 16:24 29,926 ----a-w C:\Program Files\stage6divxdotcom.ico
    2006-12-12 16:24 29,926 ----a-w C:\Program Files\divxdotcom.ico
    2006-12-12 16:24 25,214 ----a-w C:\Program Files\divxFolder.ico
    2005-01-16 22:35 20,798,256 ----a-w C:\Program Files\AdbeRdr70_enu_full.exe
    2005-01-16 22:25 6,811,904 ----a-w C:\Program Files\psa2011se_us.exe
    2005-01-03 23:08 10,810,909 ----a-w C:\Program Files\avg70free_300a419.exe
    2005-01-03 22:46 8,665,200 ----a-w C:\Program Files\BTYahoo!HelpInstall.exe
    2003-07-31 17:53 147,456 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
    2003-07-31 17:50 448,768 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
    2003-07-31 17:43 147,456 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
    2003-03-20 05:32 464,896 ----a-w C:\Program Files\FL Studio VSTi.dll
    2003-03-20 05:31 464,896 ----a-w C:\Program Files\FL Studio VSTi (Multi).dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
    2007-12-13 16:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 16:49 1185120]

    [HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 16:49 1185120]

    [HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
    "Registry System16 Checkup Monitor"="SystemReg16.exe" []
    "TridentTVIcon"="" []
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [2006-11-08 16:32 1040832]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56 15360]
    "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-03 13:21 3461120]
    "PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2003-09-05 06:59 878080]
    "Registry System16 Checkup Monitor"="SystemReg16.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:59 579072]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.ex e" [2006-07-21 16:19 129536]
    "ABIT uGuru"="C:\Program Files\ABIT\ABIT uGuru\uGuru.exe" [2003-09-22 21:34 192512]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 03:06 7311360]
    "nwiz"="nwiz.exe" [2005-12-10 03:06 1519616 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray. dll" [2005-12-10 03:06 86016]
    "RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-06-20 18:53 1056768]
    "Motive SmartBridge"="C:\PROGRA~1\BROADB~1\SMARTB~1\BTHelp Notifier.exe" [2005-06-22 14:29 417792]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 17:15 81920]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 17:12 777424]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
    "4oD"="C:\Program Files\Kontiki\KHost.exe" [2006-11-08 16:32 1040832]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-14 23:43 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 22:54 37376]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2005-02-16 17:15 221184]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-23 20:03 185896]
    "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP ~2\LAUNCH~1.exe" [2006-06-15 12:36 229376]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices]
    "Registry System16 Checkup Monitor"="SystemReg16.exe" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]
    "Registry System16 Checkup Monitor"="SystemReg16.exe" []
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-30 22:55 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 07:56 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\Elders\Start Menu\Programs\Startup\
    Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-02 09:01:44 106496]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DSLMON.lnk - C:\Program Files\Zoom Telephonics, Inc.\Zoom ADSL USB Modem\dslmon.exe [2006-04-30 21:13:37 929889]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-14 13:25:52 784912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
    Notification Packages REG_MULTI_SZ :\WINDOWS\syste

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Desktop Help.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Broadband Desktop Help.lnk
    backup=C:\WINDOWS\pss\Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
    backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Elders^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
    path=C:\Documents and Settings\Elders\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
    backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2006-06-15 12:36 229376 C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "C:\\ventrilo\\ventrilo_srv.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YPAGER.EXE"=
    "C:\\Program Files\\ABIT\\ABIT uGuru\\FlashMenu.exe"=
    "C:\\StubInstaller.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\Program Files\\Azureus\\Azureus.exe"=
    "C:\\Program Files\\MSN Messenger\\msncall.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "C:\\Program Files\\Kontiki\\KService.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\SoulSeek\\slsk.exe"=
    "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "C:\\Program Files\\Last.fm\\LastFM.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
    "5739:UDP"= 5739:UDP:*isabledes4
    "8767:UDP"= 8767:UDP:teamspeak server

    [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.s ys [2003-11-26 10:40]
    R3 psa906;PSA2 Ultimate Edge (WDM);C:\WINDOWS\system32\drivers\psa906.sys [2004-05-19 11:06]
    R3 PSC1906S;PHILIPS Ultimate Edge Audio Controller WDM;C:\WINDOWS\system32\drivers\PSC1906.sys [2004-05-17 10:38]
    R3 QsndEnum;QSound Virtual Audio Devices Bus Enumerator;C:\WINDOWS\system32\DRIVERS\QsndEnum.sy s [2003-08-02 14:00]
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]
    S3 IntelS51;Intel(R) 536EP Modem;C:\WINDOWS\system32\DRIVERS\IntelS51.sys [2004-12-10 22:30]
    S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-03-04 18:08]
    S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-03-04 18:11]
    S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-03-04 18:11]
    S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-03-04 18:13]
    S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 18:15]
    S3 Memctl;Memctl;C:\Program Files\ABIT\ABIT uGuru\Memctl.sys [2001-11-29 19:49]
    S3 trid3d;trid3d;C:\WINDOWS\system32\DRIVERS\trid3dm. sys [2001-08-17 12:51]

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{14978f02-da9b-11dc-a70c-4d6564696130}]
    \Shell\AutoRun\command - H:\RavMon.exe
    \Shell\explore\Command - H:\RavMon.exe -e
    \Shell\open\Command - H:\RavMon.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-19 23:50:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-03-22 01:58:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2005-01-20 01:01:24 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    .
    ************************************************** ************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-22 22:22:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TridentTVIcon = ????\???????H??

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    ************************************************** ************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    -> C:\WINDOWS\system32\atrac3.acm
    .
    Completion time: 2008-03-22 22:36:02
    ComboFix-quarantined-files.txt 2008-03-22 22:35:55
    .
    2008-03-20 18:08:47 --- E O F ---
  4. 22-03-2008  #4
    Neal
    Neal is offline Dedicated Member
    Save 20% on AVG Internet Security 2012 Suite!
    Download SDFIX and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
+ Reply to Thread
« Popups and slow internet | Hijack this log file »