search hijackers and slow loading

Post #1 by 73firebird, Oct 8th, 2008

Hi;
A year later and I'm back again! I've done everything in the read-me thread; I had a problem getting the ESET online scanner to work initially, so I ended up running it last. Anyway, I've definitely got some junk in the system; here are the various logs.
TIA!

Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/8/2008 1:02:43 PM
mbam-log-2008-10-08 (13-00-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 71126
Time elapsed: 24 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\cmgnfvgq.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\qgvfngmc.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\syszzgi.exe (Trojan.Downloader) -> No action taken.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3504 (20081008)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5b1c0690855abd4b9160e7e4a825995f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-08 06:21:21
# local_time=2008-10-08 02:21:21 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=168242
# found=11
# scan_time=2239
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 34B586CD8A90EB7C3FEB903536273453
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 709BD684517978153E9EE748AE59B597
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 2D00B720E1A9DB15AA8AB7A714B4B7CA
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10065.qit.vir Win32/Adware.SecToolbar application B10D673132E1C32BA8E10F40CC8CD69E
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10066.qit.vir Win32/Adware.SecToolbar application 3E88C51A0D79BA693B179819E1A54A99
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10067.qit.vir Win32/Adware.SecToolbar application E75648BD7393EBCA36F292DBD9B5EBD2
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10335.qit.vir Win32/Adware.SecToolbar application 0F6BE2ACDA0DDEBD6D4B4EF17BA9078D
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10336.qit.vir Win32/Adware.SecToolbar application 396EFAA8CE7535CEA4301709FED8BC00
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10337.qit.vir Win32/Adware.Virtumonde application 9A7EF09167A6F4433681B94351509043
C:\WINDOWS\trest.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan A166B3484FFD23371AD02BA0A8A0C3B5


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:15 PM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\e-Range\erange.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\TeeTime King\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119297776359
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5182 bytes
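As an added example (not code from the thread, from HijackThis or from Trend Micro), here is a small Python triage script for the kind of HJT log posted above. It keys on the entry types a helper checks first: O17 NameServer against the resolvers the ISP actually issued (a DNS hijack check), O16 DPF downloads from hosts not on an allow-list, O10 Winsock LSP entries HijackThis could not identify, O2 BHOs, O20 Winlogon Notify DLLs, and O23 services with no recognised publisher. It also diffs two logs, so a before/after comparison like post #1 against post #3 (where only the Java path changed) is mechanical. The allow-list of DPF hosts and the expected DNS servers are assumptions made for the example; the sample lines are copied from the Oct 8 log above, and the "after" sample is derived from it.

```python
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumptions for this example, not facts from the thread: the hosts this
# machine may pull ActiveX controls (O16 DPF) from, and the DNS servers the
# ISP actually handed out. Take the latter from the router/ISP paperwork,
# never from the log you are checking.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "cdn.scan.onecare.live.com", "www.eset.eu"}
EXPECTED_NAMESERVERS = {"151.197.0.38", "199.45.32.28"}


def parse_hjt(text):
    """Return [(code, body)] for the O-lines of a HijackThis log, skipping the
    header and the running-process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return [(code, reason, body)] for entries a human should look at."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "O17":
            # DNS hijack check: any resolver not on the expected list is a finding.
            m = re.search(r"NameServer = (.+)$", body)
            servers = {s.strip() for s in m.group(1).split(",")} if m else set()
            extra = servers - EXPECTED_NAMESERVERS
            if extra:
                findings.append((code, "DNS server not assigned by ISP: " + ", ".join(sorted(extra)), body))
        elif code == "O16":
            # Downloaded Program Files: an ActiveX control fetched from a URL.
            m = re.search(r"\s-\s(\S+)$", body)
            host = urlparse(m.group(1)).hostname if m else None
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((code, f"ActiveX control fetched from {host}", body))
        elif code == "O2":
            findings.append((code, "browser helper object loaded into every IE process", body))
        elif code == "O10":
            findings.append((code, "Winsock LSP that HijackThis could not identify", body))
        elif code == "O20":
            findings.append((code, "Winlogon Notify DLL loaded at every logon", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service binary with no recognised publisher", body))
    return findings


def diff_logs(before, after):
    """(entries gone, entries new) between two logs of the same machine."""
    a, b = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(a - b), sorted(b - a)


# Sample input: lines copied from the Oct 8 HijackThis log in post #1.
SAMPLE_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
"""
# Post #3's log differs from post #1 only in the Java path; derive it the same way.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("jre1.5.0_06", "jre1.6.0_03")

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_BEFORE):
        print(f"{code:4} {reason}\n     {body}")
    gone, new = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("gone:", gone, "\nnew:", new)
```

The script deliberately lists every O2 and O20 entry rather than guessing which are benign: on this log they resolve to Adobe, Sun Java and SUPERAntiSpyware, and that is a judgement for the reader, not the regex. The one O16 it flags, the IO Control served from 192.168.1.20, is a control loaded from a LAN host; whether that is the point-of-sale software or not is exactly the question to ask the owner before touching it.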

Post #2 by jholland1964 (Judy), Oct 8th, 2008

Hi 73firebird,

AHEM... I do not see an active antivirus program running on the machine; where is it?
Also, your Java program is woefully out of date. The current version is version 6 update 7.

You need to first UPDATE MBA-M and then run the MBA-M scan again and have it REMOVE everything found.
Reboot the computer and run the ESET Scanner again and have it fix or remove everything found.
Reboot the computer.
Then run a new HJT scan and post back here with all three logs.
Judy

Post #3 by 73firebird, Oct 9th, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:32 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\e-Range\erange.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TeeTime King\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119297776359
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5079 bytes

Post #4 by 73firebird, Oct 9th, 2008

Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/9/2008 2:52:49 PM
mbam-log-2008-10-09 (14-52-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72803
Time elapsed: 47 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3507 (20081009)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5b1c0690855abd4b9160e7e4a825995f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-09 07:05:46
# local_time=2008-10-09 03:05:46 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=188833
# found=11
# scan_time=3372
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10065.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10066.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10067.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10335.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10336.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10337.qit.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\trest.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
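Judy's instruction in post #2 (update MBA-M, scan again and REMOVE everything found, then re-run ESET with removal on) boils down to a check that can be automated: every detection line in both logs has to carry a remediation action. The script below is an added example, not part of the thread or of either vendor's tooling. It parses the two log formats as they appear in this thread, cross-checks MBAM's summary counts against the items actually listed, reads the ESET `# remove_checked` header that explains why the Oct 8 run cleaned nothing, and returns the reasons the machine is not yet clean. The "fixed" MBAM sample is constructed using MBAM 1.x's standard action wording; the other samples are trimmed copies of the logs in posts #1 and #4.

```python
import re

# Malwarebytes 1.x log: summary counts ("Files Infected: 5") and per-item
# detections ("<item> (<threat>) -> <action>.").
MBAM_SUMMARY_RE = re.compile(r"^(?P<kind>[A-Za-z ]+ Infected): (?P<n>\d+)$")
MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^.]+)\.$")

# ESET online scanner log: "# key=value" header, then one line per detection:
# <path> <verdict> [(<action>)] <md5>.  Paths contain spaces, so the verdict
# is recognised by ESET's own vocabulary rather than by splitting on spaces.
ESET_HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<val>.*)$")
ESET_ITEM_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w+) "
    r"(?P<verdict>(?:probably |a variant of |multiple threats|[A-Za-z0-9]+/).+?) "
    r"(?:\((?P<action>[^()]+)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def summarize_mbam(text):
    counts, items = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = MBAM_SUMMARY_RE.match(line)
        if m:
            counts[m["kind"]] = int(m["n"])
            continue
        m = MBAM_ITEM_RE.match(line)
        if m:
            items.append((m["item"], m["threat"], m["action"]))
    return {
        "declared": sum(counts.values()),          # what the summary block claims
        "listed": len(items),                      # what is actually itemised
        "untouched": [i for i in items if i[2].startswith("No action taken")],
        "pending_reboot": [i for i in items if i[2].startswith("Delete on reboot")],
    }


def summarize_eset(text):
    header, items = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ESET_HEADER_RE.match(line)
        if m:
            header[m["key"]] = m["val"]
            continue
        m = ESET_ITEM_RE.match(line)
        if m:
            items.append((m["path"], m["verdict"], m["action"]))
    return {
        "declared": int(header.get("found", 0)),
        "listed": len(items),
        "remove_enabled": header.get("remove_checked") == "true",
        "removed": [i for i in items if i[2] and any(w in i[2] for w in ("deleted", "cleaned", "quarantined"))],
        "untouched": [i for i in items if i[2] is None],   # no action in parentheses
    }


def problems(mbam_text, eset_text):
    """Reasons the machine is NOT yet clean; an empty list means both logs
    show every detection handled."""
    out = []
    mb, es = summarize_mbam(mbam_text), summarize_eset(eset_text)
    if mb["declared"] != mb["listed"]:
        out.append(f"MBAM summary says {mb['declared']} items but {mb['listed']} are listed (truncated log?)")
    if mb["untouched"]:
        out.append(f"MBAM left {len(mb['untouched'])} detection(s) in place; re-run and click Remove Selected")
    if mb["pending_reboot"]:
        out.append(f"MBAM scheduled {len(mb['pending_reboot'])} deletion(s) for next reboot; reboot before re-scanning")
    if es["declared"] != es["listed"]:
        out.append(f"ESET header says found={es['declared']} but {es['listed']} are listed")
    if es["listed"] and not es["remove_enabled"]:
        out.append("ESET ran with 'Remove found threats' unticked; nothing was cleaned")
    if es["untouched"]:
        out.append(f"ESET reported {len(es['untouched'])} detection(s) without an action")
    return out


# Trimmed copy of the Oct 8 MBAM log (post #1): scan only, nothing removed.
SAMPLE_MBAM_UNFIXED = r"""Malwarebytes' Anti-Malware 1.28
Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\cmgnfvgq.dll (Trojan.Vundo.H) -> No action taken.
C:\syszzgi.exe (Trojan.Downloader) -> No action taken.
"""
# Constructed: the same items after "Remove Selected", in MBAM 1.x wording.
SAMPLE_MBAM_FIXED = SAMPLE_MBAM_UNFIXED.replace(
    "No action taken.", "Quarantined and deleted successfully."
).replace("(Trojan.Vundo.H) -> Quarantined and deleted successfully.", "(Trojan.Vundo.H) -> Delete on reboot.")

# Trimmed copies of the ESET logs in posts #1 (remove_checked=false) and #4.
SAMPLE_ESET_UNFIXED = r"""# version=4
# end=finished
# remove_checked=false
# found=2
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 34B586CD8A90EB7C3FEB903536273453
C:\WINDOWS\SYSTEM32\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan A166B3484FFD23371AD02BA0A8A0C3B5
"""
SAMPLE_ESET_FIXED = r"""# version=4
# end=finished
# remove_checked=true
# found=2
C:\WINDOWS\trest.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

if __name__ == "__main__":
    print("\n".join(problems(SAMPLE_MBAM_UNFIXED, SAMPLE_ESET_UNFIXED)) or "clean")
    print("\n".join(problems(SAMPLE_MBAM_FIXED, SAMPLE_ESET_FIXED)) or "clean")
```

Two of the checks are worth keeping even when the logs look clean: the count cross-check catches a pasted log that was cut off, and a "Delete on reboot" entry means the next scan is only meaningful after the reboot Judy asked for. Note also what the Oct 8 ESET log says about itself: `remove_checked=false` is why all eleven items were merely reported, and the Oct 9 log's `found=11` with every line marked "(unable to clean - deleted)" is what a completed removal looks like in this format.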

Post #5 by 73firebird, Oct 9th, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:57 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\TeeTime King\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119297776359
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4951 bytes

Post #6 by jholland1964 (Judy), Oct 10th, 2008

I STILL don't see an active anti-virus program or a firewall on the computer. Where is the ESET log?

Post #7 by 73firebird, Oct 11th, 2008

Hi;
I am running Windows Firewall and antivirus (posting this from another computer). The only ESET log I can post is two replies above; it starts with "version=4". In the program files for ESET, each time I run it, it seems to overwrite the previous Notepad log file. I can't use Microsoft Updates; they crash the TeeTime software, which is vital to me. The software supplier specifically pointed out to turn off updates to avoid crashing the program. I did update the Java.

Post #8 by jholland1964 (Judy), Oct 11th, 2008

Originally Posted by 73firebird:
    Hi;
    I am running Windows Firewall and antivirus (posting this from another computer). The only ESET log I can post is two replies above; it starts with "version=4". In the program files for ESET, each time I run it, it seems to overwrite the previous Notepad log file. I can't use Microsoft Updates; they crash the TeeTime software, which is vital to me. The software supplier specifically pointed out to turn off updates to avoid crashing the program. I did update the Java.
Do you mean you are using Windows Live OneCare?
Honestly, I am a bit confused here. Turning off Windows Auto Update is OK, but that doesn't mean you shouldn't update; it should be done manually, which is very easy to do. Many people do this. If you are not doing ANY Microsoft Updates, then this would mean that Windows Live OneCare, if that is what you are using, is not up to date either, I would think, so your antivirus protection is out of date and therefore you would not be protected against new viruses that turn up nearly every day. One key to each and every security program is keeping it updated; if you don't do that, then why even have it on the computer?
I have no clue as to what this TeeTime software is you are talking about, but I really have never heard of being told NOT to do the Microsoft Updates. In fact I have not heard of a program which prohibits Microsoft Updates. Windows is your operating system; that is what runs the computer, and it is vital to all other software running on the computer. But if it is out of date, then eventually other programs will probably not run correctly either, because sooner or later they would not be able to update either, because the old Windows files would be incompatible with possible new updates for other software.
Take a look at the infected files removed... many of them were first located in this TeeTime folder to begin with; what does that tell you?
As far as the ESET scanner overwriting the previous Notepad file, it WOULD overwrite it because it is a new scan, so the information would be new.
The other thing: many of these were located in C:\qoobox\Quarantine, telling me that sometime ComboFix was run on the machine. WHEN? You have made no mention of running ComboFix.
Also, you state that:
    am running windows firewall and antivirus (posting this from another computer)
I don't understand why, and then it also makes me wonder: is the HJT scan actually a scan done ON the infected computer, OR do you mean you are having these problems but they prohibit you from posting from the infected computer, OR is the HJT scan a scan done not on the infected computer but one which was done on the computer you are posting from? If the latter is the case, then that HJT scan means nothing, because it would only show the computer where the scan was done, not the computer where the infection is located.
You said in your original post you are back again after a year. I was not here a year ago, so that wouldn't give me information; plus, what happened a year ago wouldn't apply, generally, to what is happening now, unless the problem was not fixed a year ago.
Can you please clarify all this for me? I really hesitate offering any possible solutions since I don't feel I have all the needed information.
Judy

Post #9 by 73firebird, Oct 11th, 2008

Hi Judy;
Sorry to confuse you. Only the previous post was from the home computer, like now. All the logs are from the infected one. The TeeTime is point-of-sale and online reservation software that runs off of the Internet Exploder browser. It utilizes pop-ups. If I could, I'd use Firefox on that particular machine like I do on everything else. The software will not run on updated versions of Windows XP. They've never resolved this issue after three years. If I update Windows, the whole kit and kaboodle goes kablooey. (Can you tell I'm not a techie? lolorz.) Last year, crunchie IIRC helped me out when I got the Security 7.1 toolbar nasty in it. That was a heck of a job to get rid of, which is why you see ComboFix installed. This machine is only used for the TeeTime, and also the erange program you see, plus some limited PrintShop and Notepad use. No one is supposed to use it for internet access; however, I have teenagers helping me out and sure enough, I look at the history and they've been on it.

Post #10 by jholland1964 (Judy), Oct 12th, 2008

Originally Posted by 73firebird:
    No one is supposed to use it for internet access; however, I have teenagers helping me out and sure enough, I look at the history and they've been on it.
Then you should call them on it. Since this is a business machine, this could very well damage your business. When you are going to other, NECESSARY sites for the business on an infected computer, there is a possibility of spreading these infections to others. This would definitely damage your business, because there is a chance others could trace these infections back to your machine.
One free program can offer some help to you, and I would never run a computer without it: that is SpywareBlaster. It is FREE, it DOES NOT run in the background, but it DOES protect the computer against the following:
ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
All you need to do is download it, install it, update it, and then enable all the protection. Update it at least weekly and then enable the new items on the update.

You also should set your Internet Explorer security settings higher; you will have to experiment with that to be certain that your business necessities are not blocked, but that shouldn't take you long to figure out the proper higher setting. Also, you need to set Internet Explorer to accept 1st-party cookies and block all 3rd-party cookies.
http://support.microsoft.com/kb/283185

One thing you can also do: you say you can tell by the history what sites these kids are surfing to. Check daily and block each one they have visited each day. Sooner or later the only ones left which can be viewed will be those you need for your business. It may be tedious, but it is a way to make their surfing very difficult.
http://www.microsoft.com/windows/ie/.../settings.mspx

Now you also said:
    Internet Exploder browser. It utilizes pop-ups.
You can also block pop-ups with IE, and also set which sites will allow pop-ups and which sites will block pop-ups.
http://www.microsoft.com/WindowsXP/u...upblocker.mspx

Also, you say you would prefer to use Firefox, as do I. Is the reason you cannot because this TeeTime software MUST be used with IE? Because Firefox can also be set to allow pop-ups from specific sites and block them from others.
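Judy's SpywareBlaster and IE-hardening advice rests on two registry mechanisms that can also be applied by hand for a hand-picked list: the ActiveX kill bit (a "Compatibility Flags" value of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, after which IE will not instantiate that control from any page) and the Restricted sites zone map (HKCU\...\Internet Settings\ZoneMap\Domains, where "*"=4 puts a domain in the zone that disables scripting and ActiveX). The script below is an added example, not SpywareBlaster's code or anything from the thread. It does what Judy's "check the history and block each site" routine needs: take hostnames from a browser-history export, drop the business sites on an allow-list, and write a .reg file that restricts the rest and kill-bits any CLSIDs you have confirmed are malicious. The CLSID, the history URLs and the allow-list are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Documented Internet Explorer registry mechanics.
KILL_BIT = 0x00000400          # "Compatibility Flags" bit: never instantiate this control
RESTRICTED_ZONE = 4            # zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def killbit_entries(clsids):
    """.reg lines that set the kill bit for each CLSID (HKLM: import as admin)."""
    lines = []
    for clsid in clsids:
        clsid = clsid.upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid}")
        lines += [f"[{KILLBIT_KEY}\\{clsid}]", f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return lines


def restricted_site_entries(domains):
    """.reg lines placing each host in the Restricted sites zone for this user."""
    lines = []
    for domain in sorted({d.lower().strip(".") for d in domains}):
        if not DOMAIN_RE.match(domain):
            raise ValueError(f"not a domain name: {domain}")
        # ZoneMap keys the registrable domain and nests extra labels beneath it:
        # ads.example.net -> Domains\example.net\ads ; example.com -> Domains\example.com
        labels = domain.split(".")
        parts = [ZONEMAP_KEY, ".".join(labels[-2:])]
        if len(labels) > 2:
            parts.append(".".join(labels[:-2]))
        lines += ["[" + "\\".join(parts) + "]", f'"*"=dword:{RESTRICTED_ZONE:08x}', ""]
    return lines


def hosts_from_history(urls, allowed):
    """Hostnames seen in a history export that are not on the business allow-list."""
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h and h not in allowed)


def build_reg(clsids=(), domains=()):
    """Complete regedit 5.00 file text (CRLF line endings) for the two lists."""
    body = ["Windows Registry Editor Version 5.00", ""]
    body += killbit_entries(clsids) + restricted_site_entries(domains)
    return "\r\n".join(body)


# Constructed sample input: a placeholder CLSID (not a real control), a few
# history URLs, and an allow-list standing in for the sites the business needs.
BAD_CLSIDS = ["{00000000-0000-0000-0000-000000000001}"]
HISTORY = [
    "http://www.example.com/games",
    "http://ads.example.net/x?y=1",
    "https://pos.business.example/login",
]
BUSINESS_SITES = {"pos.business.example"}

if __name__ == "__main__":
    print(build_reg(BAD_CLSIDS, hosts_from_history(HISTORY, BUSINESS_SITES)))
```

Import the output with `regedit /s blocklist.reg`. The kill-bit entries live under HKLM and need an administrator logon; the ZoneMap entries are per-user, so the file has to be imported under every account the helpers log on with, and it affects Internet Explorer only. Two cautions the thread makes obvious: a kill bit on a control the POS software needs (the IO Control served from 192.168.1.20 in the logs above, for example) would break that software, so only kill-bit CLSIDs you have confirmed are hostile; and a hand-maintained list only ever covers what has already been visited, which is why Judy pairs it with SpywareBlaster's much larger, regularly updated list.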

Source: DaniWeb, "Viruses, Spyware and other Nasties" forum. ©2003 - 2009 DaniWeb LLC