Techkings


My Hijack This Log

Evastar

TK Veteran
Hi, I think I've picked up a virus. This is my HijackThis log; would appreciate some help:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:19:34, on 08/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plusnetwork.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1209039206657
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Update Service (gupdate1c905bf27451120) (gupdate1c905bf27451120) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10130 bytes
 

homesick

VIP Member
Forum Supporter
You have quite a few programs running on your system that are unnecessary, Eva.

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Toolbar\wltuser.ex
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
"Is the above RealPlayer media player?"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\s wg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

Just to name a few; you need to cut back on a lot of the programs that are starting up with your PC.

My favourite way of doing it, rather than opening each program itself and trying to find the setting, is to go to Start/Run and type in msconfig.

Then click on the Startup tab and just unselect the unnecessary programs.
 

dee

TK Veteran
Eva, have a look at what I asked; there is some info on there that might help you. That's about being hijacked.
 

Evastar

TK Veteran
OK, deleted some stuff; this is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:27 PM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Fiona\Fiona.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.1.254/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,[email protected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Fiona] C:\Documents and Settings\Fiona\Fiona.exe /i
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: zqosys32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1209039206657
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Update Service (gupdate1c905bf27451120) (gupdate1c905bf27451120) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9661 bytes

Nothing comes up on my profile, but on Fiona's, Avira AntiVir keeps beeping and saying I have a trojan, TR/Crypt.XDR.Gen, in my system32 drivers.
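As an added example for this thread (not HijackThis's own code and not anything a poster supplied), here is a small Python triage of the O4 startup lines in a HijackThis v2.0.2 log. It flags the entries a helper would look at first: programs starting from a user profile or temp folder, and entries listed with no full path at all. The sample lines are copied from the log above; the triage rules are my own assumptions.

```python
"""Triage of HijackThis O4 (startup) entries.

Added example for this thread, not part of HijackThis or any poster's tooling.
Parses O4 lines (Run keys, Startup and Global Startup folders) and flags the
ones that start from a user profile, a temp folder, or have no full path.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines in HijackThis v2.0.2 format, copied from the
# second log in this thread (raw string, so backslashes are literal).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Fiona] C:\Documents and Settings\Fiona\Fiona.exe /i
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: zqosys32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_KEY = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Startup: <file>"  or  "O4 - Global Startup: <name>.lnk = <target path>"
STARTUP = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<rest>.*)$")
# First executable-looking token of an unquoted command line.
EXE_PREFIX = re.compile(r"^(?P<path>.+?\.(?:exe|com|scr|bat|pif))", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    location: str                 # registry hive or startup folder
    name: str                     # value name or shortcut name
    path: str                     # executable as written in the log
    reasons: list = field(default_factory=list)  # why it was flagged (empty = benign-looking)


def executable_from_command(cmd: str) -> str:
    """Pull the program path out of a Run-value command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_PREFIX.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def parse_o4(log_text: str) -> list:
    """Return one Entry per O4 line; other HijackThis sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_KEY.match(line)
        if m:
            entries.append(Entry(m.group("hive"), m.group("name"),
                                 executable_from_command(m.group("cmd"))))
            continue
        m = STARTUP.match(line)
        if m:
            rest = m.group("rest")
            if " = " in rest:
                name, path = rest.split(" = ", 1)   # shortcut with resolved target
            else:
                name, path = rest, rest              # bare filename, no target shown
            entries.append(Entry(m.group("where"), name.strip(), path.strip()))
    return entries


def triage(entries: list) -> list:
    """Flag entries by where they run from. Rules are an assumption for XP-era paths."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        if not DRIVE_PATH.match(e.path):
            e.reasons.append("no full path: cannot tell what actually runs")
        elif low.startswith("c:\\documents and settings\\"):
            e.reasons.append("runs from a user profile, not Program Files or WINDOWS")
        if "\\temp\\" in low or low.endswith(".tmp"):
            e.reasons.append("lives in a temp folder")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_o4(SAMPLE_LOG)):
        print(f"[{e.location}] {e.name}: {e.path} -> {'; '.join(e.reasons)}")
```

Entries it does not flag are not proven clean; the idea is only to order what a helper reads first, the way the replies in this thread pick out particular O4 lines.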

homesick

VIP Member
Forum Supporter
I would also turn off QuickTime, MS Office, anything Google related, anything iPod related, and Skype if you don't use it all of the time.

I am assuming this is iPod related? Seen it in some other logs as well from people who had iPods:
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

Toolbars really should go, unless you are using them.
 

Evastar

TK Veteran
I don't know; she uses Windows Messenger a lot as well. I just downloaded Spybot Search and Destroy there; that said it got rid of it, but Avira is still giving me a warning.

Think I might have to get an external hard drive, take all my pics and stuff off and reformat the PC. :(
 

homesick

VIP Member
Forum Supporter
I don't know; she uses Windows Messenger a lot as well. I just downloaded Spybot Search and Destroy there; that said it got rid of it, but Avira is still giving me a warning.

Think I might have to get an external hard drive, take all my pics and stuff off and reformat the PC. :(

Yeah, as I said in linny's post, that is always my first opinion; I actually reformat all of my PCs once a year. Especially if you are experienced enough to not have trouble, I say forget fooling around with it and just reformat the PC every time. Just make sure, if you are wary you have a virus on your PC, Eva, that you pay close attention to those mp3s. If they were obtained by a torrent, those tend to have a high infection rate.
 

Evastar

TK Veteran
I'm not sure where she's been getting them; she buys some CDs herself and then shares with her friends. I'll ask her if she has put any new music on recently.

The warning is coming up on my profile now as well. :(
 

Evastar

TK Veteran
This is my log from scanning with Avira in safe mode:

Avira AntiVir Personal
Report file date: 10 June 2009 16:29

Scanning for 1459945 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode
Username : Administrator
Computer name : SHADOWFAX

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 17/04/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 27/04/2009 15:52:41
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 10:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 12:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/02/2009 20:33:26
ANTIVIR2.VDF : 7.1.4.38 2692096 Bytes 29/05/2009 16:36:22
ANTIVIR3.VDF : 7.1.4.71 287232 Bytes 08/06/2009 16:40:38
Engineversion : 8.2.0.180
AEVDF.DLL : 8.1.1.1 106868 Bytes 30/04/2009 15:56:06
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 15/05/2009 16:26:41
AESCN.DLL : 8.1.2.3 127347 Bytes 15/05/2009 16:26:40
AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 18:24:41
AEPACK.DLL : 8.1.3.18 401783 Bytes 28/05/2009 16:34:22
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 26/02/2009 20:01:56
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 15/05/2009 16:26:40
AEHELP.DLL : 8.1.2.2 119158 Bytes 26/02/2009 20:01:56
AEGEN.DLL : 8.1.1.44 348532 Bytes 15/05/2009 16:26:37
AEEMU.DLL : 8.1.0.9 393588 Bytes 09/10/2008 14:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 28/05/2009 16:34:21
AEBB.DLL : 8.1.0.3 53618 Bytes 09/10/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 05/12/2008 10:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/01/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 05/12/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 27/04/2009 15:52:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/01/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/01/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 02/02/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 05/12/2008 10:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 09/02/2009 11:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 27/04/2009 15:52:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 10 June 2009 16:29

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Fiona\Local Settings\temp\BN10.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Fiona\Start Menu\Programs\Startup\fmnupd32.exe.vir
[DETECTION] Is the TR/Inject.acyf Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\acpi32.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\amd64si.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fips32cup.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\i386si.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ksi32sk.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\netsik.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nicsk32.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\port135sik.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\securentm.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\systemntmi.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ws2_32sik.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\amd64si.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\fips32cup.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\ksi32sk.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\netsik.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\nicsk32.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\port135sik.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\securentm.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
C:\WINDOWS\system32\drivers\systemntmi.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\Fiona\Local Settings\temp\BN10.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a60dd6b.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Fiona\Start Menu\Programs\Startup\fmnupd32.exe.vir
[DETECTION] Is the TR/Inject.acyf Trojan
[NOTE] The file was moved to '4a9ddd8a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\acpi32.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a9fdd80.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\amd64si.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a93dd8a.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fips32cup.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a9fdd86.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\i386si.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a67dd50.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ksi32sk.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a98dd91.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\netsik.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4aa3dd83.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nicsk32.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a92dd87.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\port135sik.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4aa1dd8d.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\securentm.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a92dd83.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\systemntmi.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4aa2dd97.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ws2_32sik.sys.vir
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a61dd91.qua'!
C:\WINDOWS\system32\drivers\amd64si.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a93dd8b.qua'!
C:\WINDOWS\system32\drivers\fips32cup.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a9fdd88.qua'!
C:\WINDOWS\system32\drivers\ksi32sk.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a98dd92.qua'!
C:\WINDOWS\system32\drivers\netsik.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4aa3dd84.qua'!
C:\WINDOWS\system32\drivers\nicsk32.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a92dd88.qua'!
C:\WINDOWS\system32\drivers\port135sik.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4aa1dd8e.qua'!
C:\WINDOWS\system32\drivers\securentm.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4a92dd85.qua'!
C:\WINDOWS\system32\drivers\systemntmi.sys
[DETECTION] Is the TR/Crypt.XDR.Gen Trojan
[NOTE] The file was moved to '4aa2dd99.qua'!


End of the scan: 10 June 2009 17:19
Used time: 48:53 Minute(s)

The scan has been done completely.

7877 Scanned directories
145142 Files were scanned
21 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
21 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
145120 Files not concerned
1509 Archives were scanned
1 Warnings
22 Notes
 

axxxo

VIP Member
Looked up Qoobox and it looks like it's from a program called ComboFix, so at least that's a friendly anti-spyware program, and judging by the HijackThis log all the virus info is stored in a quarantine. If you don't have ComboFix any more, the virus vault or quarantine vault (basically where it stores the nasties) may still be left over.

When the HijackThis log finishes, note there are check boxes next to everything found; delete all those quarantined viruses. If you did have ComboFix or still have it, it's possible Avira is still detecting these viruses, so to stop this it's necessary to delete them.

If you want to uninstall ComboFix (again, if you have ever even had it :) ), go to Start, Run and then type in this:

combofix /u (note the space between the x and /u)

No harm to try this anyway; if you never had it you'll get a message saying Windows can't find it.

You can safely delete all the BHO entries too.

Hope this helps :)
 

Evastar

TK Veteran
Thanks axxxo, I do have ComboFix; are you saying I should uninstall it?

I am going to reformat the PC anyway; I just want to make sure I don't accidentally save the virus to my external hard drive.
 

axxxo

VIP Member
Well, you could uninstall it before you back up and then, once you've reformatted, put it back on again. But if you know what you're moving to your external you should be OK; just leave the System32 folder alone and everything should be fine.
 

d4rkn1ght

Registered
Hey axxxo and Eva

OK... Qoobox is the quarantine folder of ComboFix, which is a handy but powerful malware removal tool that should only be used under supervision.

Hmm... Eva, do you want to remove the malware from your PC, or are you going to format it?

Best Regards :grin:
 

axxxo

VIP Member
Yeah, I've read up on ComboFix; it actually tells you that it can corrupt your system. Not in a bad way, but it will literally delete anything you tell it to, system files included, resulting in your computer not booting up.
 

Evastar

TK Veteran
Well, I would like to remove the malware, but will probably reformat shortly anyway, because it's getting kind of slow. I'll do a HijackThis log and a ComboFix log for you later :)
 

dan-ger-ous

VIP Member
Sometimes I'm just not satisfied if I end up getting a virus; I always feel the need to reinstall the entire OS. It's just the way I go about it ;). Perhaps I might try Acronis True Home Image after my next reinstall.