28 replies to this topic

[theToes]

I have been having a problem with some redirects. I tried to run malwarebytes but it stops after a few seconds and then gives me an access error if I try to run it again.

I am using XP pro sp3
any help would be appreciated. I really don't want to have to redo the op system.


here is my HJT log

Logfile of HijackThis v1.97.7
Scan saved at 8:59:33 AM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\George\LOCALS~1\Temp\b.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\George\Desktop\Win32kDiag.exe
C:\System Recovery\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\George\LOCALS~1\Temp\b.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://pmavpn.pmagroup.com/vdesk/terminal/...,2008,1015,1912
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - http://bbns2k73//llc...inxp/AXXPEE.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://pmavpn.pmagroup.com/vdesk/terminal/...llerControl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} -
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://pmavpn.pmagroup.com/vdesk/terminal/...,2008,1015,1902
O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/th...ameLauncher.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/...7944.5470138889
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...0.20/ttinst.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://pmavpn.pmagroup.com/vdesk/terminal/...,2008,1015,1907
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://pmavpn.pmagroup.com/vdesk/terminal/...,2008,1015,1906

[theToes]

I saw some other posts were asked to download and run win32diag. I did this and attached the log



 Win32kDiag.txt   10.22K   46 downloads

[sUBs]

• Download The Avenger2 by SwanDog46.
  
• Unzip avenger.exe to your desktop.
  
• Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
  

  Files to move:
  C:\WINDOWS\system32\logevent.dll| C:\WINDOWS\system32\eventlog.dll

• Now start The Avenger2 by double clicking avenger.exe on your desktop.
  
• Read the prompt that appears, and press OK.
  
• Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  
• Press the "Execute" button.
  
• You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
  Note: It is possible that Avenger will reboot your system TWICE.
  
• Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

[theToes]

sUBs, on Aug 29 2009, 04:43 PM, said:

• Download The Avenger2 by SwanDog46.
  
• Unzip avenger.exe to your desktop.
  
• Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
  

  Files to move:
  C:\WINDOWS\system32\logevent.dll| C:\WINDOWS\system32\eventlog.dll

• Now start The Avenger2 by double clicking avenger.exe on your desktop.
  
• Read the prompt that appears, and press OK.
  
• Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  
• Press the "Execute" button.
  
• You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
  Note: It is possible that Avenger will reboot your system TWICE.
  
• Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

When I execute the script in avenger I get an invalid script error. The error says a valid script must begin with a directive.

[sUBs]

Make sure you copy/paste these into Avenger's script box

Files to move:
C:\WINDOWS\system32\logevent.dll| C:\WINDOWS\system32\eventlog.dll

[theToes]

sUBs, on Aug 29 2009, 06:58 PM, said:

Make sure you copy/paste these into Avenger's script box

Files to move:
C:\WINDOWS\system32\logevent.dll| C:\WINDOWS\system32\eventlog.dll

I made a mistake withteh copy but I got it to run. The machine rebooted but I didn't get a prompt and it seems to be hung up. I'm on another machine now because i can't get anything to run on the other

Does Avenger take a while to run???

[sUBs]

Quote

it seems to be hung up

Please reboot the machine & show me a fresh Win32Diag log.

[theToes]

sUBs, on Aug 29 2009, 07:12 PM, said:

Please reboot the machine & show me a fresh Win32Diag log.

I can't get the machine to come up all the way. It gets to my desktop and seems to hang. It's frozen.

[sUBs]

Shut down the machine. Let it rest for 5-10 minutes. Then boot it up.

[theToes]

sUBs, on Aug 29 2009, 06:21 PM, said:

Shut down the machine. Let it rest for 5-10 minutes. Then boot it up.

Here is the new win32diag.txt


 Win32kDiag.txt   9.74K   32 downloads

[sUBs]

Despite not producing a log, it looks like Avenger did it's thing. Machine should be feeling less sluggish now. Is that correct?


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@Win32kDiag -F -R
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

## IMPORTANT ## Place fix.bat next to Win32kDiag.exe

Double click on fix.bat & allow it to run

Post back to tell me what it says


---------------


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

[theToes]

sUBs, on Aug 29 2009, 06:34 PM, said:

Despite not producing a log, it looks like Avenger did it's thing. Machine should be feeling less sluggish now. Is that correct?


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@Win32kDiag -F -R
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

## IMPORTANT ## Place fix.bat next to Win32kDiag.exe

Double click on fix.bat & allow it to run

Post back to tell me what it says

When you say next to does that mean in the desktop folder?

---------------


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

[theToes]

When you say next to does that mean in the desktop folder?

[sUBs]

Yes, both must be in the same location.

[theToes]

sUBs, on Aug 29 2009, 06:37 PM, said:

Yes, both must be in the same location.

It ran but when I pressed the key to contunue it did not create a log txt file. Is there something else I should do?

[theToes]

it looks like the win32diag.txt updated Is this what you needed?

 Win32kDiag.txt   15.47K   31 downloads

[sUBs]

Yes, the win32diag log was what I was after.

Now please run ComboFix.

[theToes]

I am running combofix. It re-booted my machine and says it is preparing the report. It has been at this point for about 5 minutes. Is this normal?

[sUBs]

Give it another 5 minutes. Then look in Task Manager & tell me if you see any strange processes

[theToes]

Combofix has completed. Here is the report it produced.
Am I fixed? Can I download and run my Malware?


 ComboFix.txt   14.51K   45 downloads