MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: help hijack this log
April 02, 2020, 08:59:33 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
April 02, 2020, 08:59:33 PM

Login with username, password and session length
 Featured Sites:
News
New  Looking for cheap hardware and/or software?
Visit our new Online Store where you will be able to purchase from a reputable vendor by country.
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: help hijack this log  (Read 1727 times)
royboy
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 14


Bookmark and Share

View Profile
« on: April 18, 2007, 10:14:23 PM »

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:10:45, on 18/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Documents and Settings\Heather McHale\My Documents\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Supanet Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\System32\urqoopo.dll
O2 - BHO: (no name) - {245630DF-9181-4269-AA4E-7F0FFCEDB805} - C:\WINDOWS\System32\mlljj.dll
O2 - BHO: (no name) - {2E7FADE8-EE7F-491E-8081-7179D93A29C4} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\ehucjcok.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173181342062
O20 - Winlogon Notify: hggdabx - hggdabx.dll (file missing)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)
O20 - Winlogon Notify: mlljj - C:\WINDOWS\System32\mlljj.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O20 - Winlogon Notify: urqoopo - C:\WINDOWS\SYSTEM32\urqoopo.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)

--
End of file - 5990 bytes
Logged

 
dahli
Global Moderator
Sr. Member
*****

Karma: +5/-0
Offline Offline

Gender: Male
Posts: 152


Bookmark and Share

View Profile
« Reply #1 on: April 19, 2007, 12:26:35 PM »

Hello,


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking   
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.   
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.   
 In the right pane, uncheck Enable Script Blocking (recommended).    
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
 
Logged

Steve
royboy
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 14


Bookmark and Share

View Profile
« Reply #2 on: April 22, 2007, 09:42:18 AM »

thanx for the help combo fix logfile





"Heather McHale" - 07-04-22 10:36:23    Service Pack 1 
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Heather McHale\My Documents\


((((((((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ehucjcok.dll
C:\WINDOWS\system32\ssqnmno.dll
C:\WINDOWS\system32\jjllm.tmp
C:\WINDOWS\system32\jjllm.bak1
C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\urqoopo.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((   Files Created from 2007-03-22 to 2007-04-22  ))))))))))))))))))))))))))))))))))


2007-04-16 19:32   97,184   -ra------   C:\WINDOWS\system32\drivers\SE27mdm.sys
2007-04-16 19:32   9,360   -ra------   C:\WINDOWS\system32\drivers\SE27mdfl.sys
2007-04-16 19:32   6,240   -ra------   C:\WINDOWS\system32\drivers\SE27cmnt.sys
2007-04-16 19:32   6,240   -ra------   C:\WINDOWS\system32\drivers\SE27cm.sys
2007-04-16 19:30   61,600   -ra------   C:\WINDOWS\system32\drivers\SE27bus.sys
2007-04-16 19:30   5,872   -ra------   C:\WINDOWS\system32\drivers\SE27whnt.sys
2007-04-16 19:30   5,872   -ra------   C:\WINDOWS\system32\drivers\SE27wh.sys
2007-03-24 10:33   3,968   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-24 09:44   71,680   --a------   C:\WINDOWS\if2.exe
2007-03-24 09:40   <DIR>   d--------   C:\Program Files\Common Files\Scanner
2007-03-23 18:54   <DIR>   d--------   C:\DOCUME~1\OLIVIA~1\APPLIC~1\Help
2007-03-23 18:06   <DIR>   d--------   C:\DOCUME~1\ROYBAR~1\APPLIC~1\FaxCtr
2007-03-23 18:05   761,856   --a------   C:\DOCUME~1\ROYBAR~1\NTUSER.DAT
2007-03-23 18:05   <DIR>   d--------   C:\DOCUME~1\ROYBAR~1\WINDOWS
2007-03-23 18:03   <DIR>   d--------   C:\DOCUME~1\OLIVIA~1\APPLIC~1\FaxCtr
2007-03-23 18:02   778,240   --a------   C:\DOCUME~1\OLIVIA~1\NTUSER.DAT
2007-03-23 18:02   <DIR>   d--------   C:\DOCUME~1\OLIVIA~1\WINDOWS


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-06 21:18   --------   d--------   C:\Program Files\yahoo!
2007-03-06 12:23   --------   d--------   C:\DOCUME~1\HEATHE~1\APPLIC~1\officeupdate12
2007-03-06 12:12   --------   d--------   C:\DOCUME~1\HEATHE~1\APPLIC~1\microsoft web folders
2007-03-06 11:30   --------   d--------   C:\Program Files\thomson
2007-03-04 19:03   --------   d--------   C:\Program Files\symantec
2007-03-04 19:03   --------   d--------   C:\Program Files\navnt
2007-03-04 18:20   --------   d--------   C:\Program Files\abbyy finereader 6.0 sprint
2007-03-04 18:19   --------   d--------   C:\Program Files\lexmark_6200 series
2007-03-04 18:19   --------   d--------   C:\Program Files\lexmark fax solutions
2007-03-04 18:17   --------   d--------   C:\Program Files\lx_cats
2007-01-23 15:15   676224   --a------   C:\WINDOWS\system32\ogacheckcontrol.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}   C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{2E7FADE8-EE7F-491E-8081-7179D93A29C4}   C:\WINDOWS\System32\jkhhe.dll
{F79887FD-2A59-4937-91E4-35D1B09FA26F}   C:\WINDOWS\System32\mlljj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"SupaStatus"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\Status.exe"
"LXBUCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBUtime.dll,_RunDLLEntry@16"
"lxbumon.exe"="\"C:\\Program Files\\Lexmark 6200 Series\\lxbumon.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
@=""
"EzPrint"="\"C:\\Program Files\\Lexmark 6200 Series\\ezprint.exe\""
"NPS Event Checker"="C:\\PROGRA~1\\Navnt\\npscheck.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"Norton eMail Protect"="C:\\Program Files\\Navnt\\POPROXY.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{74FF9A4C-C77A-493C-8EDA-3C6B64AC86BA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggdabx
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhe

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages   REG_MULTI_SZ      msv1_0\0\0
   Security Packages   REG_MULTI_SZ      kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages   REG_MULTI_SZ      scecli\0\0

 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 10:38:26
Windows 5.1.2600 Service Pack 1 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-22 10:38:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-22 10:38
Logged

 
dahli
Global Moderator
Sr. Member
*****

Karma: +5/-0
Offline Offline

Gender: Male
Posts: 152


Bookmark and Share

View Profile
« Reply #3 on: April 23, 2007, 09:46:02 PM »

Please post a new HijackThis log.
Logged

Steve
royboy
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 14


Bookmark and Share

View Profile
« Reply #4 on: April 24, 2007, 06:37:21 PM »

seems to be running a lot better since you helped last thax again here is the new hi jack this log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:34:56, on 24/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\thomson\SpeedTouch USB\stdialup.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Heather McHale\My Documents\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2E7FADE8-EE7F-491E-8081-7179D93A29C4} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {F79887FD-2A59-4937-91E4-35D1B09FA26F} - C:\WINDOWS\System32\mlljj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/223683fd3e88fe3cc905/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173181342062
O17 - HKLM\System\CCS\Services\Tcpip\..\{1139BFCA-3386-4FD3-BC8D-29E5D02D9710}: NameServer = 212.139.132.4 212.139.132.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{1139BFCA-3386-4FD3-BC8D-29E5D02D9710}: NameServer = 212.139.132.4 212.139.132.5
O20 - Winlogon Notify: hggdabx - hggdabx.dll (file missing)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)

--
End of file - 6129 bytes
Logged

 
dahli
Global Moderator
Sr. Member
*****

Karma: +5/-0
Offline Offline

Gender: Male
Posts: 152


Bookmark and Share

View Profile
« Reply #5 on: April 24, 2007, 08:29:16 PM »

Run HijackThis and check the following:

O2 - BHO: (no name) - {2E7FADE8-EE7F-491E-8081-7179D93A29C4} - C:\WINDOWS\System32\jkhhe.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {F79887FD-2A59-4937-91E4-35D1B09FA26F} - C:\WINDOWS\System32\mlljj.dll (file missing)
O20 - Winlogon Notify: hggdabx - hggdabx.dll (file missing)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe (file missing)

Click FIX CHECKED

You should disable/uninstall one of your Anti-virus programs - running multiple programs of that nature can cause conflicts between them.

Go here and run a Bitdefender online scan.
Copy/paste the log here.
Logged

Steve
royboy
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 14


Bookmark and Share

View Profile
« Reply #6 on: April 28, 2007, 08:19:07 PM »

thanks again i tried to delete norton antivirus but it says i cant run it uless i restart my computer and still says the same after i restart it i think some of the files may have been deleted from it already anyway these are the scans from hjt and bitdefender






Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:08:15, on 28/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\thomson\SpeedTouch USB\stdialup.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Heather McHale\My Documents\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/223683fd3e88fe3cc905/netzip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.co.uk/scan_uk/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173181342062
O17 - HKLM\System\CCS\Services\Tcpip\..\{1139BFCA-3386-4FD3-BC8D-29E5D02D9710}: NameServer = 212.139.132.41 212.139.132.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{1139BFCA-3386-4FD3-BC8D-29E5D02D9710}: NameServer = 212.139.132.41 212.139.132.42
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

--
End of file - 5982 bytes



BitDefender Online Scanner
 
 
 
Scan report generated at: Sat, Apr 28, 2007 - 21:02:35
 
 
 
 
 
Scan path: A:\;C:\Grin:\;E:\;F:\;G:\;H:\;I:\;
 
 
 
 
 
 
 
Statistics
 
Time
 00:28:51
 
Files
 182094
 
Folders
 1217
 
Boot Sectors
 2
 
Archives
 6343
 
Packed Files
 23304
 
 
 
 
Results
 
Identified Viruses
 4
 
Infected Files
 6
 
Suspect Files
 0
 
Warnings
 0
 
Disinfected
 0
 
Deleted Files
 6
 
 
 
 
Engines Info
 
Virus Definitions
 503009
 
Engine build
 AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
 
Scan plugins
 14
 
Archive plugins
 38
 
Unpack plugins
 6
 
E-mail plugins
 6
 
System plugins
 1
 
 
 
 
Scan Settings
 
First Action
 Disinfect
 
Second Action
 Delete
 
Heuristics
 Yes
 
Enable Warnings
 Yes
 
Scanned Extensions
 *;
 
Exclude Extensions
 
 
Scan Emails
 Yes
 
Scan Archives
 Yes
 
Scan Packed
 Yes
 
Scan Files
 Yes
 
Scan Boot
 Yes
 
 
 
 
  Scanned File
  Status
 
C:\WINDOWS\system32\i
 Infected with: Generic.Botget.1991CCCC
 
C:\WINDOWS\system32\i
 Deleted
 
C:\Documents and Settings\Heather McHale\Local Settings\Temporary Internet Files\Content.IE5\PZIJBUD5\popup[1].htm
 Infected with: Trojan.Clicker.CM
 
C:\Documents and Settings\Heather McHale\Local Settings\Temporary Internet Files\Content.IE5\PZIJBUD5\popup[1].htm
 Disinfection failed
 
C:\Documents and Settings\Heather McHale\Local Settings\Temporary Internet Files\Content.IE5\PZIJBUD5\popup[1].htm
 Deleted
 
C:\System Volume Information\_restore{08BF50FB-1736-4DE9-A8AB-13BB3462D7AC}\RP6\A0005381.dll
 Infected with: MemScan:Trojan.BHO.AU
 
C:\System Volume Information\_restore{08BF50FB-1736-4DE9-A8AB-13BB3462D7AC}\RP6\A0005381.dll
 Disinfection failed
 
C:\System Volume Information\_restore{08BF50FB-1736-4DE9-A8AB-13BB3462D7AC}\RP6\A0005381.dll
 Deleted
 
C:\System Volume Information\_restore{08BF50FB-1736-4DE9-A8AB-13BB3462D7AC}\RP6\A0005384.DLL
 Infected with: MemScan:Trojan.Vundo.AP
 
C:\System Volume Information\_restore{08BF50FB-1736-4DE9-A8AB-13BB3462D7AC}\RP6\A0005384.DLL
 Disinfection failed
 
C:\System Volume Information\_restore{08BF50FB-1736-4DE9-A8AB-13BB3462D7AC}\RP6\A0005384.DLL
 Deleted
 
C:\QooBox\Quarantine\C\WINDOWS\system32\ehucjcok.dll.vir
 Infected with: MemScan:Trojan.BHO.AU
 
C:\QooBox\Quarantine\C\WINDOWS\system32\ehucjcok.dll.vir
 Disinfection failed
 
C:\QooBox\Quarantine\C\WINDOWS\system32\ehucjcok.dll.vir
 Deleted
 
C:\QooBox\Quarantine\C\WINDOWS\system32\mlljj.dll.vir
 Infected with: MemScan:Trojan.Vundo.AP
 
C:\QooBox\Quarantine\C\WINDOWS\system32\mlljj.dll.vir
 Disinfection failed
 
C:\QooBox\Quarantine\C\WINDOWS\system32\mlljj.dll.vir
 Deleted
 
 
 
 
 
 
 
 
 
 
 

 
Logged

 
dahli
Global Moderator
Sr. Member
*****

Karma: +5/-0
Offline Offline

Gender: Male
Posts: 152


Bookmark and Share

View Profile
« Reply #7 on: April 28, 2007, 08:47:55 PM »

Reboot in SAFE MODE (Tap F8 during startup)

Run HijackThis and check the following:

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

Click FIX CHECKED

Delete the following folder:
c:\Program Files\navnt

Reboot and post a new HijackThis log.  Also let me know if you are having any other problems.
Logged

Steve
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page April 04, 2018, 12:48:03 AM