[Fixed] Hijackthis! Logs - Think-Adz got me...Hijackthis log.... posted in the Security & Safety forums; I git hit with Think-adz and i uninstalled it but it keeps coming back. here is a hijackthis log... i am new to this so any help would be great. ...

#1
10-16-2007
nickruocco
Bronze Member
Join Date: Oct 2007
Posts: 6
Think-Adz got me...Hijackthis log....

I got hit with Think-adz and I uninstalled it but it keeps coming back. Here is a HijackThis
log... I am new to this so any help would be great. Thank you!!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:06 PM, on 10/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\IEXPLORE.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SYSTEM32\lldsrngl.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
C:\WINDOWS\system32\twinmmds.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} - C:\WINDOWS\system32\mljhfee.dll (file missing)
O2 - BHO: (no name) - {64E869DF-A79D-4520-BE72-FFDABA6A64C1} - C:\WINDOWS\system32\byxur.dll (file missing)
O2 - BHO: Microsoft Internet Explorer Helper Class - {7ECB9D24-D642-4076-BD62-14426E2CEEA6} - C:\WINDOWS\system32\CryptUI32.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\nhsyhvgw.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{91-13-3D-DB-ZN}] C:\WINDOWS\SYSTEM32\lldsrngl.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinmmds.exe CHD003
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\fmcrnelh.dll",sitypnow
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/in/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - Winlogon Notify: hgghfdb - hgghfdb.dll (file missing)
O20 - Winlogon Notify: mljhfee - mljhfee.dll (file missing)
O20 - Winlogon Notify: winlogon - C:\WINDOWS\system32\winlogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORE.EXE
--
End of file - 4905 bytes



Last edited by nickruocco; 10-16-2007 at 11:30 PM.
#2
10-17-2007
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,534
PC Experience: Elite PC Guru
Re: Think-Adz got me...Hijackthis log....

Please download ComboFix from HERE or HERE

Save ComboFix to the desktop.
1. Double-click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and paste the contents of that log in your next reply with a new HijackThis log. Do not use Code or HTML unless asked for.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.


__________________
  • An Australian Member of
  • and
My real name is Eddy
#3
10-17-2007
nickruocco
Bronze Member
Join Date: Oct 2007
Posts: 6
Re: Think-Adz got me...Hijackthis log....

Thank you very much for your help! I have done what you said.

ComboFix 07-10-17.8@ - Valued Customer 10/17/2007 12:23:01.1 - FAT32x86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Valued Customer\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Valued Customer\Application Data\setup_en[1].exe
C:\Documents and Settings\Valued Customer\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Valued Customer\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Valued Customer\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Temp\fse
C:\Temp\xOe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\start.exe
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\iexplore.exe
C:\windows\system32\iexplore.exe
C:\WINDOWS\system32\kecnbqxn.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\twinmmds.exe
C:\WINDOWS\system32\twinmmdt.exe
C:\WINDOWS\system32\winlogon.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\xhelper.dll
C:\WINDOWS\xmlhelper2.dll
C:\WINDOWS\xmlhelper4.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\runtime

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.
2007-10-17 12:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-16 16:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-16 15:32 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 13:11 <DIR> d-------- C:\FOUND.006
2007-10-05 01:07 1,339,828 ---hs---- C:\WINDOWS\SYSTEM32\ruxyb.bak2
2007-10-04 13:07 6,465 ---hs---- C:\WINDOWS\SYSTEM32\ruxyb.bak1
2007-10-02 12:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\vMW10a
2007-10-02 12:14 2,368 --a------ C:\WINDOWS\SYSTEM32\SVKP.sys
2007-10-02 12:13 77,824 --a------ C:\MicroSoft.pif
2007-10-02 12:13 182 --a------ C:\MicroSoft.vbs
2007-10-02 12:13 30 --a------ C:\MicroSoft.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-14 19:00 52,761 ----a-w C:\WINDOWS\SYSTEM32\lldsrngl.exe
2007-07-31 18:34 59,392 ----a-w C:\WINDOWS\mscrypt.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2004-11-10 19:13 305 ---h--w C:\Program Files\desktop.ini
2004-11-10 19:10 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 04:00 32,528 ----a-w C:\WINDOWS\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E869DF-A79D-4520-BE72-FFDABA6A64C1}]
C:\WINDOWS\system32\byxur.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ECB9D24-D642-4076-BD62-14426E2CEEA6}]
C:\WINDOWS\system32\CryptUI32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C66 Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [04-01-13 03:00 ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-09-14 08:29 ]
"{91-13-3D-DB-ZN}"="c:\windows\system32\dwdsrngt.exe" [07-10-17 12:28 ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [04-10-29 16:50 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINDOWS\SYSTEM32\mobsync.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04-11-12 15:35 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [04-10-29 16:50 ]
"EPSON Stylus C66 Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [04-01-13 03:00 ]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
C:\Documents and Settings\Valued Customer\Start Menu\Programs\Startup\
TA_Start.lnk - C:\WINDOWS\SYSTEM32\dwdsrngt.exe [2007-10-17 12:28:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfdb]
hgghfdb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfee]
mljhfee.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlogon]
C:\WINDOWS\system32\winlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=NVDESK32.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\svchost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
R0 amd751;AMD AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\amd751.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINDOWS\system32\Drivers\avg7rsnt.sys
R2 SVKP;SVKP;\??\C:\WINDOWS\system32\SVKP.sys
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINDOWS\system32\DRIVERS\openhci.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\usbhub20.sys
R3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);C:\WINDOWS\system32\drivers\adm8830.sys
S2 ohcuusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\system32\drivers\ohcuusb.sys
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-17 04:00:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 05:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 06:00:02 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 07:00:02 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 08:00:02 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 09:00:02 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 10:00:02 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 11:00:02 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 12:00:02 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 13:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 14:00:02 C:\WINDOWS\Tasks\At11.job"
"2007-10-17 15:00:02 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 16:00:02 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-16 17:00:02 C:\WINDOWS\Tasks\At14.job"
"2007-10-16 18:00:04 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-16 19:00:02 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-16 20:00:02 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-16 21:00:02 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-16 22:00:02 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-16 23:00:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 00:00:02 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 01:00:02 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 02:00:02 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 03:00:02 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 12:28:36
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-17 12:29:39 - machine was rebooted
.
--- E O F ---



----------------------------------HiJackThis LOG-----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:51 PM, on 10/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {64E869DF-A79D-4520-BE72-FFDABA6A64C1} - C:\WINDOWS\system32\byxur.dll (file missing)
O2 - BHO: Microsoft Internet Explorer Helper Class - {7ECB9D24-D642-4076-BD62-14426E2CEEA6} - C:\WINDOWS\system32\CryptUI32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{91-13-3D-DB-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/in/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - Winlogon Notify: hgghfdb - hgghfdb.dll (file missing)
O20 - Winlogon Notify: mljhfee - mljhfee.dll (file missing)
O20 - Winlogon Notify: winlogon - C:\WINDOWS\system32\winlogon.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORE.EXE (file missing)
--
End of file - 4675 bytes


#4
10-17-2007
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,534
PC Experience: Elite PC Guru
Re: Think-Adz got me...Hijackthis log....

The log shows the 'Scheduled Tasks' folder has something running every hour... have you set something to run??



Please copy this page to *Notepad* and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\SYSTEM32\ruxyb.bak2
C:\WINDOWS\SYSTEM32\ruxyb.bak1
C:\WINDOWS\SYSTEM32\dwdsrngt.exe
C:\WINDOWS\svchost.exe

Folder::
C:\FOUND.006
C:\WINDOWS\SYSTEM32\vMW10a


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64E869DF-A79D-4520-BE72-FFDABA6A64C1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ECB9D24-D642-4076-BD62-14426E2CEEA6}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghfdb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfee]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall*


__________________
  • An Australian Member of
  • and
My real name is Eddy

Last edited by Pancake; 10-17-2007 at 11:46 PM.
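As an added example (not code from this thread, from HijackThis or from ComboFix), a small Python triage script that parses lines in the two formats posted above and flags what the replies act on: autostart entries whose target file is missing, a Run value with a malformed GUID-style name, a system binary name sitting outside its expected folder, and a run of At*.job tasks all launching one executable at different hours. The sample lines are constructed from the logs above, and the EXPECTED_PARENT table, rule names and the three-hour threshold are this example's own assumptions.

```python
# Added triage helper for this thread's two log formats (HijackThis entries and
# the ComboFix 'Scheduled Tasks' listing); it is not part of either tool.
import re
from collections import defaultdict

# Constructed sample lines in HijackThis format, modelled on the logs above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {64E869DF-A79D-4520-BE72-FFDABA6A64C1} - C:\WINDOWS\system32\byxur.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{91-13-3D-DB-ZN}] C:\WINDOWS\SYSTEM32\lldsrngl.exe CHD003
O20 - Winlogon Notify: hgghfdb - hgghfdb.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\system32\IEXPLORE.EXE
"""
# Constructed sample in the ComboFix 'Scheduled Tasks' format: a quoted header per
# .job file, usually followed by a '- target' line (At3 has none, like At11 above).
TASKS_SAMPLE = r"""
"2007-10-17 04:00:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 05:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 06:00:02 C:\WINDOWS\Tasks\At3.job"
"2007-10-17 07:00:02 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\1n7sVxw0.exe
"2007-10-17 03:00:00 C:\WINDOWS\Tasks\Backup.job"
- C:\Program Files\Backup\backup.exe
"""

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)\b", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"^O4 - .*\\Run(?:Once)?: \[([^\]]+)\]")
TASK_RE = re.compile(r'^"\d{4}-\d\d-\d\d (\d\d):\d\d:\d\d .*\\([^\\]+)\.job"$')
# Assumed table: binaries whose genuine copy lives in one well-known folder; a
# same-named file elsewhere (system32\IEXPLORE.EXE, C:\WINDOWS\svchost.exe above)
# is a masquerade worth a closer look.
EXPECTED_PARENT = {"svchost.exe": "system32", "iexplore.exe": "internet explorer"}


def misplaced(path):
    parts = path.lower().split("\\")
    parent = parts[-2] if len(parts) > 1 else ""
    return parts[-1] in EXPECTED_PARENT and parent != EXPECTED_PARENT[parts[-1]]


def analyze_hjt(text):
    """Return (rule, line) findings for a HijackThis log body."""
    findings = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        section = line.split(" ", 1)[0]
        if line.endswith("(file missing)") and section in ("O2", "O20", "O23"):
            findings.append(("orphaned autostart: target file missing", line))
        m = RUN_NAME_RE.match(line)
        if m and m.group(1).startswith("{") and not GUID_RE.match(m.group(1)):
            findings.append(("Run value named like a GUID but malformed", line))
        p = PATH_RE.search(line)
        if p and misplaced(p.group(0)):
            findings.append(("system binary name outside its expected folder", line))
    return findings


def parse_tasks(text):
    """Map each task target to sorted (hour, job) pairs from a ComboFix listing."""
    by_target, pending = defaultdict(list), None
    for line in (ln.strip() for ln in text.splitlines()):
        m = TASK_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
        elif line.startswith("- ") and pending:
            by_target[line[2:].strip()].append(pending)
            pending = None
    return {t: sorted(v) for t, v in by_target.items()}


def hourly_targets(text, min_hours=3):
    """Targets driven by At*.job entries at several distinct hours: the pattern
    Pancake asked about (24 jobs, one per hour, all running one executable)."""
    hits = {}
    for target, runs in parse_tasks(text).items():
        at_hours = {h for h, job in runs if re.fullmatch(r"At\d+", job)}
        if len(at_hours) >= min_hours:
            hits[target] = len(at_hours)
    return hits
```

Run it against a full log body rather than the sample to get the same four kinds of findings over the real entries; a hit from any rule is a lead to verify, not a verdict.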
#5
10-18-2007
nickruocco
Bronze Member
Join Date: Oct 2007
Posts: 6
Re: Think-Adz got me...Hijackthis log....

I looked at the scheduled tasks and there were 24, one for each hour, named at1, at2..at24, etc.

I ran ComboFix with the script
rebooted
found and deleted scheduled tasks
ran HijackThis

Here are the logs, thanks so much!
Attached Files
File Type: log hijackthis.log (4.0 KB, 0 views)
File Type: txt combofixlog.txt (9.3 KB, 1 views)


#6
10-19-2007
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,534
PC Experience: Elite PC Guru
Re: Think-Adz got me...Hijackthis log....

I looked at the scheduled tasks and there were 24, one for each hour, named at1, at2..at24, etc.
What I am wanting to know is, have you set whatever this program is to run every hour???


__________________
  • An Australian Member of
  • and
My real name is Eddy

All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com