HiJackThis Log

Hi! SDFix turned up clean.

 

Please do the following...

 

1. Follow these instructions

  • Download OTMoveIt by OldTimer from here
  • Double click on OTMoveIt to start OTMoveIt


  • Untick the option to Unregister Dll's and Ocx's (1)
  • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard

    C:\WINDOWS\system32\drivers\dump_wmimmc.sys
    C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys
    C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys
    C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys
    C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys
    C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys
    C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys
    C:\WINDOWS\system32\SVKP.sys
    C:\WINDOWS\iun6002.exe
    
  • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
  • Click Paste (2)
  • Click MoveIt! (3)
  • Copy and paste the contents of the results box (4) as a reply to this topic
2. I'd like a file to be scanned:
  • Go to VirusTotal
  • Copy and paste the following file path into the Search Box at the top of the page:
  • C:\WINDOWS\system32\Coltd.sys
  • Click on the Send button
  • Please post the results in your next reply.

Post the results from OTMoveIt, along with the VirusTotal scan results.


All of these - they are in the white Code box above:

 

C:\WINDOWS\system32\drivers\dump_wmimmc.sys

C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys

C:\WINDOWS\system32\SVKP.sys

C:\WINDOWS\iun6002.exe


Did I do this right?

 

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc.sys not found.

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys not found.

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys not found.

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys not found.

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys not found.

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys not found.

File/Folder C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys not found.

File/Folder C:\WINDOWS\system32\SVKP.sys not found.

File/Folder C:\WINDOWS\iun6002.exe not found.

 

Created on 06/15/2007 13:07:30

 

SCANNING:

 

Antivirus       Version          Update       Result
AhnLab-V3       2007.6.16.0      06.15.2007   no virus found
AntiVir         7.4.0.32         06.15.2007   no virus found
Authentium      4.93.8           06.16.2007   no virus found
Avast           4.7.997.0        06.15.2007   no virus found
AVG             7.5.0.467        06.15.2007   no virus found
BitDefender     7.2              06.16.2007   no virus found
CAT-QuickHeal   9.00             06.15.2007   no virus found
ClamAV          devel-20070416   06.16.2007   no virus found
DrWeb           4.33             06.15.2007   no virus found
eSafe           7.0.15.0         06.14.2007   no virus found
eTrust-Vet      30.7.3721        06.15.2007   no virus found
Ewido           4.0              06.15.2007   no virus found
FileAdvisor     1                06.16.2007   No threat detected
Fortinet        2.85.0.0         06.16.2007   no virus found
F-Prot          4.3.2.48         06.15.2007   no virus found
F-Secure        6.70.13030.0     06.15.2007   no virus found
Ikarus          T3.1.1.8         06.16.2007   no virus found
Kaspersky       4.0.2.24         06.16.2007   no virus found
McAfee          5054             06.15.2007   no virus found
Microsoft       1.2607           06.16.2007   no virus found
Norman          5.80.02          06.15.2007   no virus found
Panda           9.0.0.4          06.16.2007   no virus found
Prevx1          V2               06.16.2007   Polymorphic Trojans
Sophos          4.18.0           06.12.2007   no virus found
Sunbelt         2.2.907.0        06.16.2007   no virus found
Symantec        10               06.16.2007   no virus found
TheHacker       6.1.6.133        06.15.2007   no virus found
VBA32           3.12.0.2         06.15.2007   no virus found

Edited by DeliciousEgg89


Hi, you did everything correctly. Bit surprised nothing was found.

 

I want you to go back into Safe Mode, so you might want to copy or print these instructions:

 

Please do the following...

 

1. Make sure you can view hidden files and folders:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
2. Now go back into Safe Mode

 

3. Once in Safe Mode, check if the following files in RED are present. If they are, delete them.

 

C:\WINDOWS\system32\drivers\dump_wmimmc.sys

C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys

C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys

C:\WINDOWS\system32\SVKP.sys

C:\WINDOWS\iun6002.exe

 

Also, locate this file:

 

C:\WINDOWS\system32\Coltd.sys

 

If found, right-click on it and select Properties. Go to the Version tab and make a note of what is written, if anything. I especially want to know who the Company is.

 

4. Reboot back into Normal Mode, and give me feedback.

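One way to carry out step 3 from a PowerShell prompt instead of clicking through Explorer, added here as an example and not part of Trogan's instructions: it checks each listed path, reads the same Version data the Properties dialog shows (CompanyName is the field asked about), hashes whatever exists, and then looks for the same file names under OTMoveIt's own quarantine folder. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the path list is copied from the post, and the quarantine location C:\_OTMoveIt\MovedFiles is the one reported later in this thread.

```powershell
# Added example, not part of the thread's instructions.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash) run from an
# elevated prompt so protected system files can be read.

# The paths Trogan listed, plus Coltd.sys. Copied from the post above.
$SuspectPaths = @(
    'C:\WINDOWS\system32\drivers\dump_wmimmc.sys'
    'C:\WINDOWS\system32\drivers\dump_wmimmc(2).sys'
    'C:\WINDOWS\system32\drivers\dump_wmimmc(3).sys'
    'C:\WINDOWS\system32\drivers\dump_wmimmc(4).sys'
    'C:\WINDOWS\system32\drivers\dump_wmimmc(5).sys'
    'C:\WINDOWS\system32\drivers\dump_wmimmc(6).sys'
    'C:\WINDOWS\system32\drivers\dump_wmimmc(7).sys'
    'C:\WINDOWS\system32\SVKP.sys'
    'C:\WINDOWS\iun6002.exe'
    'C:\WINDOWS\system32\Coltd.sys'
)

# Where OTMoveIt parks the files it moves. Later posts in this thread show
# the files turning up here, which is why a second run reports "not found".
$QuarantineRoot = 'C:\_OTMoveIt\MovedFiles'

function Get-SuspectFileReport {
    param([string[]] $Paths)
    foreach ($p in $Paths) {
        # -Force: do not skip hidden or system-attribute files. This is what
        # the "Show hidden files" and "Hide protected operating system files"
        # Explorer options in step 1 control in the GUI.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{
                Path = $p; Present = $false; Bytes = $null; Created = $null
                Company = $null; Product = $null; SHA256 = $null
            }
            continue
        }
        # VersionInfo is the same data the Properties > Version tab shows;
        # CompanyName is the field Trogan asked about.
        $vi = $item.VersionInfo
        [pscustomobject]@{
            Path    = $p
            Present = $true
            Bytes   = $item.Length
            Created = $item.CreationTime
            Company = $vi.CompanyName
            Product = $vi.ProductName
            SHA256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

function Find-InQuarantine {
    param([string[]] $Paths, [string] $Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # Match on file name only: OTMoveIt rebuilds the original directory tree
    # under its MovedFiles folder.
    $names = $Paths | ForEach-Object { Split-Path -Path $_ -Leaf }
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        Select-Object FullName, Length, CreationTime
}

# Report on the live locations first, then on OTMoveIt's quarantine.
Get-SuspectFileReport -Paths $SuspectPaths | Format-Table -AutoSize
Find-InQuarantine -Paths $SuspectPaths -Root $QuarantineRoot | Format-Table -AutoSize
```

The SHA256 column is what you would paste into VirusTotal's search box to look up a file that has already been scanned, which avoids uploading a second copy; a file with no CompanyName or ProductName at all, like the 2-byte Coltd.sys in the ComboFix log, is not proof of anything by itself, but it is the kind of detail a helper wants reported rather than guessed at.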


Can I save that stuff in WordPad, and will it be there in Safe Mode? How do I search for those files? Start, Search?


Would be better to save them in Microsoft Word, and yes they will be available in Safe Mode on the account you save on.

 

How to delete a file:

Example: C:\WINDOWS\system32\drivers\dump_wmimmc.sys

 

Open My Computer

Double-Click the C: to open it

Double-Click the Windows folder to open it

Double-Click the System32 folder to open it

Double-Click the Drivers folder to open it

Find dump_wmimmc.sys

Right-click and select Delete

 

Same procedure for all the files.



The dump files I did not find.

 

Coltd.sys: created Sunday, June 10th. I found it myself, but I don't see a version or anything when I click Properties. Type of File: System File.

 

All dump_wmimmc.sys I did not find. I do see a discdump.sys though.

Edited by DeliciousEgg89


Did you find and delete these two?

 

C:\WINDOWS\system32\SVKP.sys

C:\WINDOWS\iun6002.exe

 

Oh, sorry about that. No, I didn't find those. What I should do is "search" for them: My Computer; Search. I couldn't find coltd at first. Want me to go do that real quick for the files?


I just searched for SVKP.sys in regular mode. It says the file is in C:\_OTMoveIt\MovedFiles\Windows\System32.

 

Can I delete this file and the rest through regular mode??

Edited by DeliciousEgg89


Leave SVKP.sys where it is.

 

Can you now tell me what else is in C:\_OTMoveIt.

 

It has the three text documents from when I did what you told me to do with the OTMoveIt program. It also has a folder called Documents and Settings and a folder called Windows. The "iun6002.exe" program is in the Windows folder. The program hasn't been installed yet, I don't think. SVKP.sys is in the Windows folder, in system32.

 

WOAH WOAH. I just found the dump_wmimmc files. ALL of them. Delete them all?

Edited by DeliciousEgg89


Whoa! I'm slightly lost...slow down a little please.

 

Yes, delete all the dump_wmimmc files. Also, where did you find them?

 

Once that is done, run ComboFix again and it will produce a new log. Post that back here. Remember to close everything.



Basically all the files you wanted me to find are in the _OTMoveIt folder. I deleted all of the dump files. Can I delete the folder they were in called "drivers"?

Edited by DeliciousEgg89


OK, that's fine...leave them there. The OTMoveIt log you first posted said "Not found" for each file, do you know why that is?

 

Now, using OTMoveIt again, remove this file:

 

C:\WINDOWS\system32\Coltd.sys

 

Post the results from OTMoveIt, and check to see if the file is in C:\_OTMoveIt.

 

EDIT: Do NOT delete the Drivers folder - that is legit!

Edited by Trogan



I'm lost. Let's back it up a step. Here's the results from ComboFix.

 

ComboFix 07-06-13.3 - C:\Documents and Settings\Owner\My Documents\ComboFix.exe

"Owner" - 2007-06-15 14:07:34 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))

 

 

2007-06-15 23:05 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-12 00:16 <DIR> d-------- C:\WINDOWS\Program Files

2007-06-12 00:16 <DIR> d-------- C:\VirtualEditProjects

2007-06-12 00:16 <DIR> d-------- C:\VirtualEditCapture

2007-06-11 22:14 <DIR> d-------- C:\DOCUME~1\Owner\.SunDownloadManager

2007-06-10 14:28 2 --a------ C:\WINDOWS\system32\Coltd.sys

2007-06-08 13:56 <DIR> d-------- C:\Program Files\DrWeb

2007-06-08 13:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX

2007-06-07 03:10 <DIR> d-------- C:\Fraps

2007-06-06 12:04 3,407,872 --a------ C:\DOCUME~1\Owner\ntuser.dat

2007-06-04 18:42 <DIR> d-------- C:\ijji

2007-06-03 14:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace

2007-06-02 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC

2007-06-01 23:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Sandbox

2007-06-01 20:44 <DIR> d-------- C:\DOCUME~1\Owner\Contacts

2007-05-30 22:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\iolo

2007-05-30 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo

2007-05-30 18:37 <DIR> d-------- C:\Program Files\iTunes

2007-05-28 22:29 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb

2007-05-24 21:16 <DIR> d-------- C:\Program Files\Viewpoint

2007-05-22 20:46 <DIR> d-------- C:\Program Files\Trillian

2007-05-20 15:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-16 00:55:56 -------- d-----w C:\Program Files\Windows Defender

2007-06-16 00:53:48 -------- d-----w C:\Program Files\QuickTime Alternative

2007-06-15 18:30:22 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\OpenOffice.org2

2007-06-08 18:56:54 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-08 18:56:20 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-06-04 17:31:18 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Uniblue

2007-05-30 23:38:09 -------- d-----w C:\Program Files\iPod

2007-05-25 02:20:05 -------- d-----w C:\Program Files\Common Files\AOL

2007-05-23 00:34:55 -------- d--h--w C:\Program Files\WindowsUpdate

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-06 18:18:32 -------- d-----w C:\Program Files\MSXML 4.0

2007-05-05 22:58:39 -------- d-----w C:\Program Files\Common Files\Ahead

2007-05-05 08:34:53 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Ahead

2007-05-05 07:02:45 -------- d-----w C:\Program Files\Yahoo!

2007-05-05 06:43:09 -------- d-----w C:\Program Files\Common Files\SureThing Shared

2007-04-30 00:11:08 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 05:47:08 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 03:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 03:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-17 00:02:48 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat

2007-04-16 22:38:45 -------- d-----w C:\Program Files\OpenOffice.org 2.2

2007-04-16 22:37:49 -------- d-----w C:\Program Files\OpenOffice.org 2.1

2007-04-11 01:45:01 3,564 ----a-w C:\WINDOWS\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-16 05:27:14 40,960 ----a-w C:\WINDOWS\system32\frapsvid.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{724d43a9-0d85-11d4-9908-00400523e39a}=C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-05-27 12:33]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 02:02]

"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-04-27 11:41]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-27 12:33]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ClearRecentDocsOnExit"=00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

ALCXMNTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

C:\WINDOWS\System32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

c:\windows\system\hpsysdrv.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

C:\WINDOWS\SMINST\RECGUARD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

"C:\Windows\Creator\Remind_XP.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

"C:\Program Files\Windows Defender\MSASCui.exe" -hide

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WinDefend"=2 (0x2)

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-14 17:57:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-15 18:45:29 C:\WINDOWS\tasks\MP Scheduled Scan.job

2006-12-25 06:38:50 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-15 14:09:21

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

 

Completion time: 2007-06-15 14:10:04

C:\ComboFix-quarantined-files.txt ... 2007-06-15 14:09

C:\ComboFix2.txt ... 2007-06-15 11:21

 

--- E O F ---


I'm honestly confused with the MoveIt program.

 

Now it says File/Folder C:\WINDOWS\system32\Coltd.sys not found.

 

Created on 06/15/2007 14:14:29

 

I "search" for coltd, it says file is in C:\_OTMoveIt\MovedFiles\WINDOWS\System32 ... delete?

Edited by DeliciousEgg89


OK, that is fine for now! Phew! :D

 

Now, I want you to run another scan:

 

1. Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

 

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:

  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
2. Now, run a new scan with ComboFix please.

 

3. Post the following...

 

AVG Anti-Spyware log

New ComboFix log

New HijackThis log


Wow... OK, forget all the first parts you posted. I have AVG on the PC already; I use it periodically. Is it necessary to scan with it again? It always comes up with nothing, normally. Shouldn't be any different today. I scanned with it, I think, yesterday.


Logfile of HijackThis v1.99.1

Scan saved at 2:24:22 PM, on 6/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\QuickTime Alternative\qttask.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Documents and Settings\Owner\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O11 - Options group: [INTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179880817609

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179880808359

O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://runvirusscan.com/ols3/fscax.cab

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

ComboFix 07-06-13.3 - C:\Documents and Settings\Owner\My Documents\ComboFix.exe

"Owner" - 2007-06-15 14:25:06 - Service Pack 2 NTFS

 

 

((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))

 

 

2007-06-15 23:05 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-12 00:16 <DIR> d-------- C:\WINDOWS\Program Files

2007-06-12 00:16 <DIR> d-------- C:\VirtualEditProjects

2007-06-12 00:16 <DIR> d-------- C:\VirtualEditCapture

2007-06-11 22:14 <DIR> d-------- C:\DOCUME~1\Owner\.SunDownloadManager

2007-06-08 13:56 <DIR> d-------- C:\Program Files\DrWeb

2007-06-08 13:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX

2007-06-07 03:10 <DIR> d-------- C:\Fraps

2007-06-06 12:04 3,407,872 --a------ C:\DOCUME~1\Owner\ntuser.dat

2007-06-04 18:42 <DIR> d-------- C:\ijji

2007-06-03 14:55 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace

2007-06-02 20:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC

2007-06-01 23:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Sandbox

2007-06-01 20:44 <DIR> d-------- C:\DOCUME~1\Owner\Contacts

2007-05-30 22:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\iolo

2007-05-30 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\iolo

2007-05-30 18:37 <DIR> d-------- C:\Program Files\iTunes

2007-05-28 22:29 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb

2007-05-24 21:16 <DIR> d-------- C:\Program Files\Viewpoint

2007-05-22 20:46 <DIR> d-------- C:\Program Files\Trillian

2007-05-20 15:32 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-16 00:55:56 -------- d-----w C:\Program Files\Windows Defender

2007-06-16 00:53:48 -------- d-----w C:\Program Files\QuickTime Alternative

2007-06-15 18:30:22 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\OpenOffice.org2

2007-06-08 18:56:54 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-08 18:56:20 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-06-04 17:31:18 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Uniblue

2007-05-30 23:38:09 -------- d-----w C:\Program Files\iPod

2007-05-25 02:20:05 -------- d-----w C:\Program Files\Common Files\AOL

2007-05-23 00:34:55 -------- d--h--w C:\Program Files\WindowsUpdate

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-06 18:18:32 -------- d-----w C:\Program Files\MSXML 4.0

2007-05-05 22:58:39 -------- d-----w C:\Program Files\Common Files\Ahead

2007-05-05 08:34:53 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Ahead

2007-05-05 07:02:45 -------- d-----w C:\Program Files\Yahoo!

2007-05-05 06:43:09 -------- d-----w C:\Program Files\Common Files\SureThing Shared

2007-04-30 00:11:08 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 05:47:08 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 03:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 03:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 03:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-17 00:02:48 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat

2007-04-16 22:38:45 -------- d-----w C:\Program Files\OpenOffice.org 2.2

2007-04-16 22:37:49 -------- d-----w C:\Program Files\OpenOffice.org 2.1

2007-04-11 01:45:01 3,564 ----a-w C:\WINDOWS\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-16 05:27:14 40,960 ----a-w C:\WINDOWS\system32\frapsvid.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{724d43a9-0d85-11d4-9908-00400523e39a}=C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-05-27 12:33]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 02:02]

"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2007-04-27 11:41]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-27 12:33]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ClearRecentDocsOnExit"=00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]

ALCXMNTR.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

C:\WINDOWS\System32\hkcmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

c:\windows\system\hpsysdrv.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

nwiz.exe /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

C:\WINDOWS\SMINST\RECGUARD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

"C:\Windows\Creator\Remind_XP.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

"C:\Program Files\Windows Defender\MSASCui.exe" -hide

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WinDefend"=2 (0x2)

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-14 17:57:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-15 18:45:29 C:\WINDOWS\tasks\MP Scheduled Scan.job

2006-12-25 06:38:50 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-15 14:25:40

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

 

Completion time: 2007-06-15 14:26:22

C:\ComboFix-quarantined-files.txt ... 2007-06-15 14:26

C:\ComboFix2.txt ... 2007-06-15 14:10

C:\ComboFix3.txt ... 2007-06-15 11:21

 

--- E O F ---


You have AVG Anti-Virus. I want you to download AVG Anti-Spyware, which is a totally different program.

 

Please download and follow my previous instructions.


You have AVG Anti-Virus. I want you to download AVG Anti-Spyware, which is a totally different program.

 

Please download and follow my previous instructions.

 

Ok, while AVG A.S. is scanning, can you take a look at the logfiles I posted above? How long will the scan take, do you think?

 

While it's scanning, can I tell you what it comes up with? You know, under result preview?

Edited by DeliciousEgg89


The scan may take an hour, maybe more. I'll check everything over once I've received the log.

 

I do not need you to tell me what is found; that is what the log will do.

 

No need to post back, until the scan has finished.
