Topic: how do I attach a hijack this file?
wayne1721
« on: January 01, 2008, 08:32:05 PM »

Tried all I know but can't attach the log.

 
Pancake
« Reply #1 on: January 01, 2008, 10:44:21 PM »

Just click on Reply and then copy and paste your HJT log in there.

An Australian Member of

EDDY
wayne1721
« Reply #2 on: January 02, 2008, 01:47:20 AM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:12 PM, on 01/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197923586046
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4767 bytes

 
Pancake
« Reply #3 on: January 02, 2008, 02:03:34 AM »

That all looks fine....

wayne1721
« Reply #4 on: January 02, 2008, 02:46:44 AM »

Very strange, because I did a dumb thing and opened an email supposedly from eBay containing a link to a happy new year ecard. At that link, it downloaded something on to my PC and ever since, many times when I click on something the PC reboots itself; it has happened a dozen times. A Norton anti-virus check showed no virus.
Any idea what I should do?

 
Pancake
« Reply #5 on: January 02, 2008, 04:28:56 AM »

I can dig a bit deeper....

This will help to identify malware on your system.
Please download Combofix from any of these locations:

Here
or
Here

Save ComboFix to the desktop and please ensure that you disable realtime security/virus programs that monitor your PC while CF is running.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.

« Last Edit: January 02, 2008, 04:32:57 AM by Pancake »

wayne1721
« Reply #6 on: January 02, 2008, 02:31:49 PM »

Here are the logs you suggested I attach:

ComboFix 07-12-31.4 - wayne 2008-01-02  9:22:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2678 [GMT -5:00]
Running from: C:\Documents and Settings\wayne\My Documents\combofix\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\wayne\Application Data\inst.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-02 to 2008-01-02  )))))))))))))))))))))))))))))))
.

2008-01-02 09:21 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-01 22:11 . 2008-01-01 22:11   <DIR>   d--------   C:\Program Files\NoAdware5.0
2008-01-01 15:59 . 2008-01-01 16:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 13:19 . 2008-01-01 20:09   <DIR>   d--------   C:\Program Files\WolfQuest
2007-12-31 18:41 . 2007-12-31 18:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-31 09:03 . 2007-12-31 09:03   <DIR>   d--------   C:\Program Files\K-Lite Codec Pack
2007-12-31 08:49 . 2007-12-31 08:49   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-12-31 08:49 . 2004-08-03 20:07   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2007-12-31 08:48 . 2007-12-31 08:48   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2007-12-30 21:11 . 2007-12-30 21:11   <DIR>   d--------   C:\Program Files\VSO
2007-12-30 21:11 . 2007-12-31 19:07   <DIR>   d--------   C:\Documents and Settings\wayne\Application Data\Vso
2007-12-30 21:11 . 2006-09-29 11:24   217,127   --a------   C:\WINDOWS\system32\drv43260.dll
2007-12-30 21:11 . 2006-09-29 11:25   208,935   --a------   C:\WINDOWS\system32\drv33260.dll
2007-12-30 21:11 . 2006-09-29 11:26   176,165   --a------   C:\WINDOWS\system32\drv23260.dll
2007-12-30 21:11 . 2007-12-30 21:11   47,360   --a------   C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-30 21:11 . 2007-12-30 21:11   47,360   --a------   C:\Documents and Settings\wayne\Application Data\pcouffin.sys
2007-12-28 15:40 . 2007-12-28 15:40   <DIR>   d--------   C:\Program Files\DVD Decrypter
2007-12-28 13:01 . 2007-12-28 13:01   0   --a------   C:\WINDOWS\Path.idx
2007-12-28 12:58 . 2007-12-28 12:58   13,421   --a------   C:\WINDOWS\Ascd_tmp.ini
2007-12-28 09:22 . 2007-12-28 09:22   <DIR>   d--------   C:\Program Files\Common Files\EasyInfo
2007-12-24 15:18 . 2007-12-24 15:19   <DIR>   d--------   C:\WINDOWS\nview
2007-12-24 15:18 . 2006-10-22 12:22   208,896   --a------   C:\WINDOWS\system32\nvudisp.exe
2007-12-24 15:18 . 2008-01-02 09:20   88,566   --a------   C:\WINDOWS\system32\nvapps.xml
2007-12-24 15:18 . 2006-10-22 12:22   17,056   --a------   C:\WINDOWS\system32\nvdisp.nvu
2007-12-24 15:17 . 2006-10-22 15:06   208,896   --a------   C:\WINDOWS\system32\NVUNINST.EXE
2007-12-24 09:15 . 2007-12-24 09:15   <DIR>   d--h-----   C:\WINDOWS\PIF
2007-12-22 16:04 . 2007-12-22 16:04   22,328   --a------   C:\Documents and Settings\wayne\Application Data\PnkBstrK.sys
2007-12-22 16:01 . 2008-01-01 16:30   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-12-22 14:13 . 2007-12-22 14:13   <DIR>   d--------   C:\Program Files\Alcohol Soft
2007-12-22 14:13 . 2004-04-30 09:37   160,640   --a------   C:\WINDOWS\system32\drivers\a347bus.sys
2007-12-22 14:13 . 2004-04-30 09:33   5,248   --a------   C:\WINDOWS\system32\drivers\a347scsi.sys
2007-12-22 09:03 . 2007-12-22 09:03   <DIR>   d--------   C:\Program Files\Trend Micro
2007-12-21 21:16 . 2007-12-21 21:16   <DIR>   d--------   C:\Documents and Settings\wayne\Application Data\ArcSoft
2007-12-21 21:12 . 1995-07-31 13:44   212,480   --a------   C:\WINDOWS\PCDLIB32.DLL
2007-12-21 21:12 . 2001-10-16 10:23   163,840   --a------   C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-12-21 21:11 . 2007-12-21 21:11   <DIR>   d--------   C:\Program Files\ArcSoft
2007-12-21 21:10 . 2007-12-21 21:11   <DIR>   d--------   C:\Program Files\MyDSC2
2007-12-21 21:10 . 2007-12-21 21:10   <DIR>   d--------   C:\Documents and Settings\wayne\Application Data\InstallShield
2007-12-21 21:10 . 2007-08-24 11:30   38,656   --a------   C:\WINDOWS\system32\drivers\Capt905c.sys
2007-12-21 21:10 . 2007-08-24 11:10   25,216   --a------   C:\WINDOWS\system32\drivers\Camd905c.sys
2007-12-19 19:08 . 2007-12-19 19:09   <DIR>   d--------   C:\Program Files\Common Files\Adobe
2007-12-19 17:13 . 2007-07-19 18:14   3,727,720   --a------   C:\WINDOWS\system32\d3dx9_35.dll
2007-12-19 17:13 . 2007-07-19 18:14   1,358,192   --a------   C:\WINDOWS\system32\D3DCompiler_35.dll
2007-12-19 17:13 . 2007-07-19 18:14   444,776   --a------   C:\WINDOWS\system32\d3dx10_35.dll
2007-12-19 17:12 . 2007-12-19 17:12   <DIR>   d--------   C:\Program Files\Electronic Arts
2007-12-18 16:31 . 2007-12-18 16:31   29   --a------   C:\WINDOWS\CDMKR32.INI
2007-12-18 16:27 . 2007-12-18 16:27   1,024   -r-h-----   C:\WINDOWS\system32\ntiembed.dll
2007-12-18 16:26 . 2007-12-18 16:26   <DIR>   d--------   C:\WINDOWS\Vbox
2007-12-18 16:26 . 2007-12-18 16:26   <DIR>   d--------   C:\WINDOWS\system32\Iosubsys
2007-12-18 16:26 . 2002-04-26 14:39   226,816   ---------   C:\WINDOWS\system32\htvcdsvcd.ax
2007-12-18 16:26 . 2002-12-11 14:08   81,920   ---------   C:\WINDOWS\system32\ezrgb24.ax
2007-12-18 16:26 . 2001-08-23 15:00   9,728   ---------   C:\WINDOWS\system\regsvr32.exe
2007-12-18 16:25 . 2007-12-18 16:25   <DIR>   d--------   C:\Program Files\NewTech Infosystems
2007-12-18 16:25 . 2007-12-18 16:25   6,912   --a------   C:\WINDOWS\system32\drivers\NTIDrvr.sys
2007-12-18 16:25 . 2007-12-18 16:25   1,024   -r-h-----   C:\WINDOWS\system32\NTIMPEG2.dll
2007-12-18 16:25 . 2007-12-18 16:25   1,024   -r-h-----   C:\WINDOWS\system32\NTICDMK32.dll
2007-12-18 16:04 . 2007-12-18 16:04   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2007-12-18 16:00 . 2007-12-18 16:00   <DIR>   d--------   C:\Program Files\DAEMON Tools Lite
2007-12-18 16:00 . 2007-12-29 18:59   <DIR>   d--------   C:\Documents and Settings\wayne\Application Data\DAEMON Tools
2007-12-18 15:58 . 2007-12-18 15:58   715,248   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2007-12-18 14:33 . 2008-01-01 16:30   <DIR>   d--------   C:\Program Files\uTorrent
2007-12-18 14:33 . 2008-01-01 16:30   <DIR>   d--------   C:\Documents and Settings\wayne\Application Data\uTorrent
2007-12-17 21:40 . 2007-12-17 21:40   <DIR>   d--------   C:\WINDOWS\Sun
2007-12-17 21:39 . 2007-09-24 23:31   69,632   --a------   C:\WINDOWS\system32\javacpl.cpl
2007-12-17 21:38 . 2007-12-17 21:39   <DIR>   d--------   C:\Program Files\Java
2007-12-17 21:37 . 2007-12-17 21:37   <DIR>   d--------   C:\Program Files\Common Files\Java
2007-12-17 21:14 . 2007-12-31 08:05   69   --a------   C:\WINDOWS\NeroDigital.ini
2007-12-17 20:55 . 2007-12-17 20:55   <DIR>   d--------   C:\Documents and Settings\wayne\Application Data\Ahead
2007-12-17 20:46 . 2007-07-30 19:19   271,224   --a------   C:\WINDOWS\system32\mucltui.dll
2007-12-17 20:46 . 2007-07-30 19:19   207,736   --a------   C:\WINDOWS\system32\muweb.dll
2007-12-17 20:46 . 2007-07-30 19:19   30,072   --a------   C:\WINDOWS\system32\mucltui.dll.mui
2007-12-17 20:22 . 2007-12-17 20:22   <DIR>   d--------   C:\Program Files\Nero
2007-12-17 20:22 . 2007-12-17 20:23   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2007-12-17 20:22 . 2007-12-17 20:22   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Nero
2007-12-17 20:13 . 2007-12-17 20:13   <DIR>   d--------   C:\Program Files\MSXML 6.0
2007-12-17 17:41 . 2007-12-31 22:03   <DIR>   d--------   C:\Documents and Settings\wayne\Contacts
2007-12-17 17:38 . 2007-12-17 17:40   <DIR>   d--------   C:\Program Files\Windows Live
2007-12-17 17:38 . 2007-12-17 17:40   <DIR>   d--hsc---   C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-17 17:38 . 2007-12-17 17:38   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-17 17:31 . 2007-12-17 17:31   <DIR>   d--------   C:\Program Files\ExtractNow
2007-12-17 17:14 . 2004-08-03 23:08   26,496   --a--c---   C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-17 17:04 . 2007-12-17 17:04   <DIR>   d--------   C:\Program Files\MSBuild
2007-12-17 17:02 . 2007-12-17 17:02   <DIR>   d--------   C:\WINDOWS\system32\XPSViewer
2007-12-17 17:01 . 2007-12-17 17:01   <DIR>   d--------   C:\Program Files\Reference Assemblies
2007-12-17 17:00 . 2006-06-29 13:07   14,048   ---------   C:\WINDOWS\system32\spmsg2.dll
2007-12-17 16:56 . 2004-08-04 00:56   21,504   --a------   C:\WINDOWS\system32\drivers\hidserv.dll
2007-12-17 16:38 . 2007-12-17 16:38   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
2007-12-17 15:51 . 2007-12-17 15:51   <DIR>   d--------   C:\Program Files\Execulink
2007-12-17 15:35 . 2007-12-23 09:57   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2007-12-17 15:33 . 2007-07-30 19:19   43,352   --a------   C:\WINDOWS\system32\wups2.dll
2007-12-17 15:33 . 2007-07-30 19:18   34,136   --a------   C:\WINDOWS\system32\wucltui.dll.mui
2007-12-17 15:33 . 2007-07-30 19:19   25,944   --a------   C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-17 15:33 . 2007-07-30 19:19   25,944   --a------   C:\WINDOWS\system32\wuapi.dll.mui
2007-12-17 15:33 . 2007-07-30 19:18   20,312   --a------   C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-17 13:04 . 2008-01-01 21:26   5,890,080   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-17 13:04 . 2008-01-01 21:26   67,868   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-17 13:01 . 2007-12-17 13:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-12-17 13:00 . 2008-01-02 09:21   <DIR>   d--------   C:\WINDOWS\Internet Logs
2007-12-17 12:50 . 2007-12-17 12:50   <DIR>   d---s----   C:\Documents and Settings\wayne\UserData
2007-12-17 12:36 . 2007-12-17 12:36   <DIR>   d--------   C:\Documents and Settings\wayne\WINDOWS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 21:57   0   ---ha-w   C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-17 21:57   0   ---ha-w   C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2007-12-07 23:28   7,680   ----a-w   C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 07:33   682,496   ----a-w   C:\WINDOWS\system32\divx.dll
2007-11-30 04:30   3,596,288   ----a-w   C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 04:28   81,920   ----a-w   C:\WINDOWS\system32\dpl100.dll
2007-11-14 21:05   75,248   ----a-w   C:\WINDOWS\zllsputility.exe
2007-11-14 21:05   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
2007-11-13 10:25   20,480   ----a-w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
2007-10-18 16:31   51,224   ----a-w   C:\WINDOWS\system32\sirenacm.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:07 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-20 05:04 2879488 C:\WINDOWS\SkyTel.exe]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 17:52 74832]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 20:07 15360]

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-22 07:22]
R3 CIF USB CAMERA Service;CIF USB CAMERA;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2003-10-16 00:58]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2001-08-10 06:00]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-09-21 11:24]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\EXECUL~1\Turbo\app\TAPBIND1.SYS []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 17:45:11 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-12-17 17:44:48 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Common Files\Symantec Shared\NMAIN.EXEK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 09:24:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\oirijshr.ini 20340 bytes
C:\WINDOWS\system32\oirijshr43191ae6.sys 130816 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\oirijshr43191ae6]
"ImagePath"="\??\C:\WINDOWS\system32\oirijshr43191ae6.sys"
.
Completion time: 2008-01-02  9:24:33
C:\qoobox\ComboFix-quarantined-files.txt  2008-01-02 14:24:29
.
2007-12-31 18:30:36   --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:10 AM, on 02/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197923586046
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4494 bytes

 
Pancake
« Reply #7 on: January 02, 2008, 10:58:17 PM »

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

KillAll::

File::
C:\WINDOWS\system32\oirijshr.ini
C:\WINDOWS\system32\oirijshr43191ae6.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\oirijshr43191ae6]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


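Added example, written for this page rather than taken from the thread or from the ComboFix/catchme tools: it parses the "scanning hidden files ..." block of a ComboFix log like the one wayne posted, cross-references each hidden file against the Services\<name> ImagePath keys ComboFix dumps after the catchme section, and renders the File:: / Registry:: directives in the CFScript format Pancake gives above, as a draft for the supervising analyst to review. The sample log, regular expressions and function names are mine; the vsmon service entry in the sample is a constructed benign control so the correlation has something not to flag.

```python
"""Correlate catchme 'hidden files' findings with the service keys ComboFix
dumps, and draft CFScript directives in the File::/Registry:: format used in
the thread. Added example, not ComboFix/catchme code; SAMPLE_LOG is constructed
to mirror the shape of the thread's output."""
from __future__ import annotations
import re

# Constructed sample log: the catchme block plus two service keys. The vsmon
# entry is a made-up benign control (its file is not hidden, so it is not paired).
SAMPLE_LOG = r"""catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-02 09:24:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\oirijshr.ini 20340 bytes
C:\WINDOWS\system32\oirijshr43191ae6.sys 130816 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\oirijshr43191ae6]
"ImagePath"="\??\C:\WINDOWS\system32\oirijshr43191ae6.sys"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsmon]
"ImagePath"="C:\WINDOWS\system32\ZoneLabs\vsmon.exe"
"""

# One hidden-file line: "<path> <size> bytes[ executable]"
HIDDEN_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")
# A service key header, e.g. [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\foo]
SERVICE_KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\[^\]\\]+)\]$", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$', re.IGNORECASE)


def parse_hidden_files(log: str) -> list[dict]:
    """Files listed between 'scanning hidden files ...' and 'scan completed'."""
    found, in_section = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            in_section = True
            continue
        if in_section and line.startswith("scan completed"):
            break
        m = HIDDEN_FILE_RE.match(line) if in_section else None
        if m:
            found.append({"path": m["path"], "size": int(m["size"]),
                          "executable": m["exe"] is not None})
    return found


def parse_service_image_paths(log: str) -> dict[str, str]:
    """Map each Services\\<name> key in the log to its ImagePath value."""
    services, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        k = SERVICE_KEY_RE.match(line)
        if k:
            current = k["key"]
            continue
        p = IMAGEPATH_RE.match(line)
        if p and current:
            services[current] = p["path"]
            current = None
    return services


def normalize_path(p: str) -> str:
    """Drop the NT object-manager prefix '\\??\\' and fold case for comparison."""
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def correlate(log: str) -> list[dict]:
    """Attach to each hidden file the service key (if any) whose ImagePath loads it.
    A file hidden from directory listings yet registered as a driver service is
    the stealth-persistence pattern catchme exists to surface."""
    by_path = {normalize_path(img): key
               for key, img in parse_service_image_paths(log).items()}
    return [{**f, "service_key": by_path.get(normalize_path(f["path"]))}
            for f in parse_hidden_files(log)]


def draft_cfscript(findings: list[dict]) -> str:
    """Render File:: and Registry:: directives in the thread's CFScript format
    ([-key] removes the key). This is a draft for the supervising analyst to
    review line by line; ComboFix deletes exactly what it is told to."""
    files = [f["path"] for f in findings]
    keys = sorted({f["service_key"] for f in findings if f["service_key"]})
    lines = ["KillAll::", "", "File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['path']}  {f['size']} bytes  exe={f['executable']}  service={f['service_key']}")
    print(draft_cfscript(correlate(SAMPLE_LOG)))
```

Run against the sample, the .sys is paired with its service key while the .ini has none, and the draft comes out identical in shape to the CFScript in the reply above. Hidden files are a lead, not a verdict (some disc-emulation and copy-protection drivers also hide themselves), which is why the output is a draft for review rather than something fed straight to ComboFix.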
wayne1721
« Reply #8 on: January 02, 2008, 11:21:19 PM »

I have formatted my hard drive and put a fresh install of WinXP Pro on it. I figured that was the best thing to do at this time.
I thank you all very much for the support and advice, as I will probably need it somewhere down the road.
Thanks again.
Wayne

 
Pancake
« Reply #9 on: January 02, 2008, 11:30:47 PM »

Ok...
