locke2005
asked on
my HijackThis log file
Logfile of HijackThis v1.99.1
Scan saved at 11:37:02, on 20/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Driver Cache\explorer.exe
C:\Arquivos de programas\eMule\eMule.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\Free Download Manager\iefdmcks.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Arquivos de programas\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [WhenUSave] "C:\Arquivos de programas\Save\Save.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DirectX Service (Rixyw) - Unknown owner - C:\WINDOWS\system32\directx.exe
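A small triage helper for logs in this format, added here as an example (it is not part of the original thread and not HijackThis code): it parses the R/O lines into code, CLSID and file path, then flags the entries a reviewer reads first. The sample lines are copied from the log above with the extraction breaks repaired, and the three heuristics are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Arquivos de programas\\Java\\jre1.6.0_01\\bin\\ssv.dll
O4 - HKCU\\..\\Run: [WhenUSave] "C:\\Arquivos de programas\\Save\\Save.exe"
O23 - Service: avast! Antivirus - Unknown owner - C:\\Arquivos de programas\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Arquivos de programas\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: DirectX Service (Rixyw) - Unknown owner - C:\\WINDOWS\\system32\\directx.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|cpl)", re.IGNORECASE)

def parse_entry(line):
    """Split one 'Oxx - ...' line into its code, body, CLSID and first file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, header lines, blank lines
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return {
        "code": m.group("code"),
        "body": body,
        "clsid": clsid.group(0) if clsid else None,
        "path": path.group(0) if path else None,
        "file_missing": "(file missing)" in body,
    }

def triage(entry):
    """Return the review reasons for one parsed entry (empty list = nothing to flag)."""
    reasons = []
    if entry["file_missing"]:
        reasons.append("referenced file is missing: dead or partly removed entry")
    if entry["code"] == "O23" and "Unknown owner" in entry["body"]:
        # Assumed heuristic: a service with no vendor whose binary sits in system32
        # deserves a look; vendor-directory services are left alone.
        if "\\windows\\system32\\" in (entry["path"] or "").lower():
            reasons.append("unknown-owner service loading directly from system32")
    if entry["code"] == "O4" and entry["body"].startswith("HKCU"):
        reasons.append("per-user Run key autostart: confirm it is wanted")
    return reasons

def triage_log(text):
    """Map each flagged entry's path (or body) to its reasons; clean entries are omitted."""
    flagged = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e and triage(e):
            flagged[e["path"] or e["body"]] = triage(e)
    return flagged
```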
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
How do I block everything that I allowed on Mcafee Anti-virus?
I don't know mcafee enough, but I guess you could completely uninstall it, then reinstall mcafee.
SOLUTION
ASKER
"Instead of Windows loading as normal, a menu with options should appear;"
The options that appear are something like:
Floppy Disk
IDE 0
IDE 1
Network
ASKER
I used msconfig to go to safe mode. In safe mode, I started the script and, after 100% checked, "Access Denied" appeared about 5 times. My anti-virus (McAfee VirusScan) did not give me the alternative to "Grant Access".
ASKER
***SDFix report removed by rpggamergirl, Zone Advisor***
ASKER
I think the problem was the 5 accesses denied...
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
***Combofix log removed by rpggamergirl, Zone Advisor***
ASKER
The message saying wpptrvnn.dll is not loading is gone (that's good). My computer is not popping up IE windows of anti-virus and anti-spyware sites (that's good). When Windows finishes loading, an error message says: "Explorer.EXE - No Disk", "There is no disk in unit. Insert a disk in unit A:.", "Cancel/Try again/Continue" (that's bad). What now?
ASKER
oh-oh
the site br.errorsafe.com has just popped up
SOLUTION
SOLUTION
SOLUTION
ASKER
"and for the error-safe infection:
http://www.error-safe-removal.com.removal-instructions.com/removeError_Safe.html"
In order to use the removal feature of Spyhunter, you must purchase a full version.
ASKER
***Combofix log removed by rpggamergirl, Zone Advisor***
07/30/2007
ASKER
07/30/07 06:58:40 [Info]: BlackLight Engine 1.0.64 initialized
07/30/07 06:58:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/30/07 06:58:40 [Note]: 7019 4
07/30/07 06:58:40 [Note]: 7005 0
07/30/07 06:58:44 [Note]: 7006 0
07/30/07 06:58:44 [Note]: 7011 1424
07/30/07 06:58:44 [Note]: 7026 0
07/30/07 06:58:44 [Note]: 7026 0
07/30/07 06:58:51 [Note]: FSRAW library version 1.7.1022
07/30/07 07:00:47 [Note]: 2000 1012
07/30/07 07:00:57 [Note]: 7007 0
ASKER
PS 1: when I was running ComboFix with CFScript (I saved it as .txt), McAfee asked me about 5 times to block or allow changes and about 4 times I was fast enough to select allow before Windows shut down.
PS 2: after I finished running ComboFix, there was a ComboFix (without space) and a Combo Fix (with space) in the folder where I saved ComboFix.
That is the old combofix log,
can we look at the latest combofix log please.
Also run vundofix, this is actually a vundo/conhook infection.
ASKER
***Combofix log removed by rpggamergirl, Zone Advisor***
ASKER
In order to remove *the selected objects*, you need to register your XoftSpySe now.
http://www.imagehosting.com/show.php/974936_1.jpg.html
http://www.imagehosting.com/show.php/974947_2.jpg.html
PS 3 it is really .jpg.html
ASKER
By the way, when I was scanning with SpyScanner or XoftSpy, it scanned files of sites that I did not visit! The virus or spyware or trojan horse (what is it?), just created or even downloaded files. That was really scary...
ASKER
I ran VundoFix.
"Done searching for files."
"No infected files were found."
ASKER
I *ran* VundoFix. By the way, the 1st and 2nd time I ran it, no infected files were found!
ASKER
My computer is behaving as if there is no infection. What is going on??? I am totally confused!!!
These could've been the vundo files that were showing in your image link. When the infection is no longer active vundofix won't find anything even though some bad reg entries are still present. Combofix deleted a lot of vundo files.
These two bad registry entries that combofix reported below are harmless:
this one below is a disabled startup entry in msconfig and the bad file is already gone.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\jqhtxgyf.dll",forkonce
this one below is an O2 line in Hijackthis which you can fix, the file is already missing.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{033A4CF7-5AFC-401D-9502-46D567E9CF27}]
C:\WINDOWS\system32\ssttr.dll
>>By the way, when I was scanning with SpyScanner or XoftSpy, it scanned files of sites that I did not visit!<<
You mean bad sites showing in your status bar while it is scanning? like how Spybot S&D checks for bots.
could just be checking if those threats are present in your system.
Not really sure about SpyHunter, it used to be listed as a rogue program.
>>My computer is behaving as if there is no infection. What is going on??? I am totally confused!!!<<
You mean pc seems normal, no problems?
You have deleted a lot of bad files, remember? What is confusing?
XoftSpySE would have removed error safe
SOLUTION
ASKER
Increased points to 500, because you deserve it!
Good to know that the problem is solved.
And we're glad to help, :)
Thanks for the points and excellent grading!
ASKER