
Author Topic: I think im infected  (Read 10431 times)


Medman
I think im infected
« on: April 03, 2007, 08:55:03 AM »
So, I've got AVG virus and spyware, Asquared, Adaware SE, Spybot and Sygate for my protections.  I also run Killbox, Ccleaner, and Emprunner to keep stuff clean, but I think my comp got a bug. I'm running Windows XP on a Sony Vaio.

Symptoms: When I shut down the computer I get a warning sign that says a program must be terminated. This program is Iexploere.exe.  I checked that program at Bleepingcomputer.com and they said it was bad.

Also, when I rebooted my comp the system did a scandisk thing on a file called Fat32.exe which is also labeled as bad at bleepingcomputer.com.

I have run my protection programs and none of them have found anything.  If these programs are indeed bad, how do I get rid of them? I have Hijackthis downloaded but have never used it, but let me know if you need me to post one. Thanks.

soybean
Re: I think im infected
« Reply #1 on: April 03, 2007, 10:00:29 AM »
I think you mean Iexplore.exe, not Iexploere.exe.  Iexplore.exe is Internet Explorer so that's not a bad file.  Can you cite the page you mentioned that says it's bad?

Fat32.exe, on the other hand, does appear to be an evil one.  Can you run a HijackThis report and post it?
« Last Edit: April 03, 2007, 10:19:36 AM by soybean »

oddjob
    Re: I think im infected
    « Reply #2 on: April 03, 2007, 10:04:35 AM »
    Make sure you have exposed all Hidden Files & Folders.
     
    To enable the viewing of Hidden files follow these steps:
     
       1. Close all programs so that you are at your desktop.
       2. Double-click on the My Computer icon.
       3. Select the Tools menu and click Folder Options.
       4. After the new window appears select the View tab.
       5. Put a checkmark in the checkbox labeled Display the contents of system folders.
       6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
       7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
       8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
       9. Press the Apply button and then the OK button and close My Computer.
     
    ***********************

    Please unzip/extract that HJT file to a permanent location such as your C: drive so you have this ...

    C:\Program Files\HijackThis

    Go to the folder and rename the hijackthis.exe file to medmanhijackthis.exe ...

    Run the medmanhijackthis.exe file ...

    From the menu click on "Do a system scan and save a logfile".

    Copy and paste the HJT logfile to this thread. More specific removal instructions will follow for whatever it is that's causing the problem.



    OJ

    soybean
    Re: I think im infected
    « Reply #3 on: April 03, 2007, 10:21:29 AM »
    OJ, why the renaming procedure?

    patio
    Re: I think im infected
    « Reply #4 on: April 03, 2007, 10:39:54 AM »
    Hijack This can be attacked by malware and give false info...
    " Anyone who goes to a psychiatrist should have his head examined. "

    oddjob
      Re: I think im infected
      « Reply #5 on: April 03, 2007, 10:45:47 AM »
      Malware sometimes changes names of legit files so they slip by unnoticed. Example ... the W32/Agobot-S virus renames svchost to scvhost. Check the spelling.

      This looks like one of those occasions.

      You correctly say that iexplore.exe is valid but Medman spells it differently and that indicates malware.

      Also this particular file corruption can be linked with the smitfraud infection amongst others.

      At this stage we don't know how much malware is on Medman's computer and I want to expose as much of it as I can straight away.

      There is a version of Vundo malware that hides if it knows HJT is scanning. It will not appear in a HJT log. The way round this is to rename the HJT executable. If present, that version of Vundo will then appear in the log.

      Hope that helps. ;D


      OJ

      Medman
      Re: I think im infected
      « Reply #6 on: April 03, 2007, 10:51:25 AM »
      http://www.bleepingcomputer.com/startups/

      That's what says it's bad, and yes, it's iexplore.exe.

      I'll run HJT and post.

      soybean
      Re: I think im infected
      « Reply #7 on: April 03, 2007, 10:51:34 AM »
      That helps.  Thanks.

      soybean
      Re: I think im infected
      « Reply #8 on: April 03, 2007, 10:55:28 AM »
      http://www.bleepingcomputer.com/startups/

      That's what says it's bad, and yes, it's iexplore.exe.

      I'll run HJT and post.

      So, it is iexplore.exe.  I still see nothing in http://www.bleepingcomputer.com/startups/ that says iexplore.exe is a bad file.  Can you cite SPECIFICALLY where you're getting the notion that it's a bad file?

      Again iexplore.exe is the executable file for Internet Explorer.

      Medman
      Re: I think im infected
      « Reply #9 on: April 03, 2007, 10:57:07 AM »
      Logfile of HijackThis v1.99.1
      Scan saved at 10:57:27 AM, on 4/3/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Sygate\SPF\smc.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Program Files\dvd43\dvd43_tray.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
      C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\UPHClean\uphclean.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Documents and Settings\User\Desktop\Bacteria\Protections\medmanHijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crossfit.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
      O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
      O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
      O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
      O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
      O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
      O15 - Trusted Zone: *.musicmatch.com
      O15 - Trusted Zone: *.musicmatch.com (HKLM)
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
      O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
      O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
      O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


      Medman
      Re: I think im infected
      « Reply #10 on: April 03, 2007, 11:15:23 AM »
      Also, I don't know if this is related, but my Adaware SE scanner freezes each time while scanning "Web Browser cache" or something like that (can't remember exactly).  The program does not freeze or become unresponsive, but instead just sits there not doing anything.  At this point it says it has picked up on one Critical item but won't tell me what that is until the scan is complete, which it never is.  But I've run all my other protection programs and they come up with nothing except tracking cookies which I easily remove.

      Medman
      Re: I think im infected
      « Reply #11 on: April 03, 2007, 11:19:09 AM »
      Hmmm, yeah, the link I posted to bleepingcomputer didn't bring you to the page I wanted, but just type iexplore.exe in the search field and it comes up with a bunch of stuff:

      Examples:

      Default web browser    IexpIore.exe    X   Added by the OBLIVION.B TROJAN! Note - do not confuse "IexpIore.exe" with "iexplore.exe" (Internet Explorer), the first has a capital "i" in place of ... Read More

      or

      mssysint    Iexplore .exe    X   Added by the PWSTEAL.ABCHLP and PSPIDER.310.B TROJANS! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not ap ... Read More
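The name spoofing oddjob describes in Reply #5 (scvhost standing in for svchost) and the two BleepingComputer entries quoted just above (a capital I where the l of iexplore.exe belongs, and a stray space in "Iexplore .exe") can be checked mechanically rather than by eye. The Python below is an added example written for this thread; it is not a HijackThis feature and was not posted by any of the participants. It pulls executable paths out of HijackThis-style "Running processes", O4 and O23 lines, then flags three things: a name that collapses to the same string as a legitimate Windows binary once look-alike characters and whitespace are folded away, a name that is one adjacent letter swap from one, and a genuine system binary name running from a directory other than the one it belongs in (the dllhost.exe question unlovedwarrior raises further down). The reference list of binaries and directories is a constructed, deliberately short one, and the sample log mixes real lines from Medman's log with four planted look-alikes.

```python
import re

# Reference list of legitimate Windows XP binaries and the directory each should
# run from. Constructed for this example; a real check would use a fuller list.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "dllhost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Characters that look alike in common fonts are folded to one symbol, so that
# "IexpIore.exe" (capital I for lowercase l) collapses to the same string as
# "iexplore.exe". Whitespace inside a name ("Iexplore .exe") is dropped too.
_LOOKALIKES = str.maketrans({"l": "1", "i": "1", "o": "0"})


def canonical(name: str) -> str:
    """Case-fold, strip whitespace and fold look-alike characters."""
    return "".join(name.lower().split()).translate(_LOOKALIKES)


def one_swap_away(a: str, b: str) -> bool:
    """True if a and b differ only by one pair of adjacent characters (scvhost/svchost)."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


_ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")


def extract_path(line: str):
    """Return the executable path from a process-list line or an O4/O23 entry, else None."""
    line = line.strip()
    m = _ENTRY.match(line)
    if not m:
        return line if "\\" in line else None  # bare path from "Running processes"
    code, body = m.groups()
    if code == "O4":                   # O4 - HKLM\..\Run: [Name] path args
        body = body.split("] ", 1)[1] if "] " in body else body
    elif code == "O23":                # O23 - Service: Name - Vendor - path
        body = body.rsplit(" - ", 1)[1]
    else:
        return None
    if body.startswith('"'):
        return body[1:body.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", body, re.IGNORECASE)
    return m.group(1) if m else None


def assess(path: str):
    """Classify one path as ('ok' | 'suspicious' | 'unknown', reason)."""
    directory, _, name = path.rpartition("\\")
    lowered = name.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        expected = KNOWN_SYSTEM_BINARIES[lowered]
        if directory.lower() == expected:
            return "ok", "known system binary in its expected directory"
        return "suspicious", f"{name} is running from outside {expected}"
    for legit in KNOWN_SYSTEM_BINARIES:
        if canonical(name) == canonical(legit) or one_swap_away(lowered, legit):
            return "suspicious", f"{name!r} imitates {legit!r} with a different spelling"
    return "unknown", "not a tracked system binary"


def scan(log_text: str):
    """Return [(path, reason)] for every suspicious path in a HijackThis-style log."""
    findings = []
    for line in log_text.splitlines():
        path = extract_path(line)
        if path:
            verdict, reason = assess(path)
            if verdict == "suspicious":
                findings.append((path, reason))
    return findings


# Constructed sample: genuine lines from the thread's log mixed with four planted
# look-alikes of the kind the BleepingComputer entries describe.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\scvhost.exe
C:\Documents and Settings\User\IexpIore.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mssysint] C:\WINDOWS\Iexplore .exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DllHost - Unknown owner - C:\WINDOWS\dllhost.exe
"""

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LOG):
        print(f"SUSPICIOUS  {path}\n            {reason}")
```

Run as a script it prints the four planted entries and nothing else; the legitimate svchost.exe, dllhost.exe and Explorer.EXE lines pass the directory check. The look-alike folding is intentionally crude (only l/i/1 and o/0), which is enough for the cases quoted in this thread; anything that reaches "unknown" still has to be looked up by hand, as the posters are doing.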

      unlovedwarrior
        Re: I think im infected
        « Reply #12 on: April 03, 2007, 11:25:55 AM »

        dllhost.exe

        Gilat SOM Enumerator  dllhost.exe  Y For Gilat Communications internet satellite systems - associated with SkyBlaster modem. Required if you have this system ... Read More 
        WinMngn  dllhost.exe  X Added by the Troj/Sivion-A TROJAN by appearing to be an anti-virus program. Additional files are installed to the Program Files to enable unauthorised ... Read More 
        DllHost  dllhost.exe  X Added by the BKDR_PROSTI.A backdoor. 
        DNS Event  dllhost.exe  X Added by the Infostealer.Svcstor information stealing Trojan. This infection should not be confused with the legitimate Windows file c:\Windows\System ... Read More 
        COM+ System Service  dllhost.exe  X Added by the W32/Tilebot-HT worm and IRC backdoor. W32/Tilebot-HT spreads to other network computers by exploiting common buffer overflow vulnerabilit ... Read More 
        Windows Host Services  dllhost.exe  X Added by the W32/Tilebot-IH worm and IRC backdoor. W32/Tilebot-IH spreads to other network computers by exploiting common buffer overflow vulnerabilit ... Read More 
        000hpdllhos  hpdllhost.exe  X LZIO.com adware downloader 



        oj can you check this out

        patio
        Re: I think im infected
        « Reply #13 on: April 03, 2007, 11:28:24 AM »
        A few quick questions:

        I noticed you are still running Norton along with AVG....do you need both ? ?

        For the AdAware issue are you clearing your browser cache and deleting Temporary Internet files before scanning ? ?
        If not this might be slowing the scan down.

        Did you run the scans ( not Hijack This ) in safe mode with system restore turned off ? ?
        " Anyone who goes to a psychiatrist should have his head examined. "

        soybean
        Re: I think im infected
        « Reply #14 on: April 03, 2007, 11:34:42 AM »
        Hmmm, yeah, the link I posted to bleepingcomputer didn't bring you to the page I wanted, but just type iexplore.exe in the search field and it comes up with a bunch of stuff:

        Examples:

        Default web browser    IexpIore.exe    X   Added by the OBLIVION.B TROJAN! Note - do not confuse "IexpIore.exe" with "iexplore.exe" (Internet Explorer), the first has a capital "i" in place of ... Read More

        or

        mssysint    Iexplore .exe    X   Added by the PWSTEAL.ABCHLP and PSPIDER.310.B TROJANS! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not ap ... Read More

        OK, I see all the search findings now.  This is a case where a valid file, iexplore.exe, gets exploited in many ways to cause problems.

        oddjob
          Re: I think im infected
          « Reply #15 on: April 03, 2007, 11:35:37 AM »
          As soybean indicates there is nothing wrong with iexplore.exe. BC's startup programs database simply indicates programs that (as BC remarks) "... should not appear in Msconfig/Startup unless you add [them] manually!". They are not necessarily bad.

          As unlovedwarrior mentions that file is dubious. Again, not necessarily causing the trouble you have but please go to this site ....

          http://www.virustotal.com/en/indexf.html

          Browse to this file on your system ...

              C:\WINDOWS\system32\dllhost.exe

          ...and upload it to Virustotal for checking.

          Post back the results here.


          You said the bad file was spelt "Iexploere.exe" which indicates you have an infection as this is not the correct spelling of the legit file. You must be careful to post the correct spelling when reporting errors.

          The log does not show any dreadful infections although this may be because you are starting the computer in selective startup mode. This means some running processes may not be visible. Please go to your msconfig and ensure all items are enabled at startup. This will give a clearer picture of what's occurring on your computer.

          Couple of things about the log entries.

          Trusted zone
          You have two entries in this zone. It's your choice but my advice is never to have anything permanently in that zone. It's just too dangerous.

          If you want to remove them then open HJT again ... click on scan ... put tick/check marks next to all 015 entries ... close ALL open browser windows (including this one) ... click "Fix Checked" at the foot of the HJT window.

          The entries will then be gone.


          Java

          Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

          • Download the latest version of  Java Runtime Environment (JRE) 6.
          • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications"…..

          • Click the "Download" button to the right.
          • Check the box that says: "Accept License Agreement".
          • The page will refresh.
          • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
          • Close any programs you may have running - especially your web browser.
          • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
          • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
          • Click the Remove or Change/Remove button.
          • Repeat as many times as necessary to remove each Java version.
          • Reboot your computer once all Java components are removed.
          • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
          Reboot your computer to normal mode and use it as you usually do.

          If this doesn't fix things post a fresh HJT log in full startup mode and give us an update on what's still not right.


          OJ
          « Last Edit: April 04, 2007, 07:42:34 AM by oddjob »

          Medman
          Re: I think im infected
          « Reply #16 on: April 03, 2007, 12:42:45 PM »
          Thank you for the great response guys, looks like I've got some work to do. I'll post back when I've tried some of those things.

          Medman
          Re: I think im infected
          « Reply #17 on: April 03, 2007, 12:45:16 PM »
          Oh, and patio: no, I don't need both Norton and AVG. In fact, I didn't know Norton was still running. I thought I took it off but apparently it's not that easy.

            patio
            Re: I think im infected
            « Reply #19 on: April 03, 2007, 12:57:02 PM »
            DLoad  the tool below...
             
            Norton Removal Tool

            Do not run it yet.

            1) DLoad and install ERUNT and have it make a backup of your registry...
            2) Use Add Remove Programs first and un-install Norton...
            3) From Windows Explorer search for any folders named Norton and Symantec and delete them...
            4) Open regedit and type Norton in the search bar. Delete all entries it finds. F3 takes you to the next  instance of Norton. Continue til you have reached the end of the registry...
            5) Repeat the above process using Symantec instead in the search field. Delete any Symantec keys it finds...
            6) Now run the Norton Removal tool you DLoaded...
            7) Empty the recycle bin...
            8) Go to My Computer and right click the C: drive and select Properties and run disk cleanup...
            9) Re-boot and run disk defrag....
             
            There you're done !
             

             
            patio.   
            " Anyone who goes to a psychiatrist should have his head examined. "

              oddjob
              Re: I think im infected
              « Reply #20 on: April 04, 2007, 07:44:15 AM »
              For anyone who may be interested this is another good source of information on startup programs ...

              http://www.sysinfo.org/startuplist.php


              OJ

              Medman
              Re: I think im infected
              « Reply #21 on: April 04, 2007, 09:37:01 AM »
              I ran the bootup with all files allowed to run from msconfig. Should I run it like that all the time? Because there are certain programs like QuickTime and stuff that I would rather not have at startup. Anyway, here is the HJT log after that and all of the other suggestions.


              Logfile of HijackThis v1.99.1
              Scan saved at 9:34:47 AM, on 4/4/2007
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16414)

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Sygate\SPF\smc.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\system32\Ati2evxx.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
              C:\Program Files\dvd43\dvd43_tray.exe
              C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
              C:\WINDOWS\SOUNDMAN.EXE
              C:\Program Files\Real\RealPlayer\RealPlay.exe
              C:\Program Files\QuickTime\qttask.exe
              C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
              C:\WINDOWS\ehome\ehtray.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
              C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
              C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
              C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
              C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
              C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
              C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
              C:\WINDOWS\eHome\ehRecvr.exe
              C:\WINDOWS\eHome\ehSched.exe
              C:\WINDOWS\system32\HPZipm12.exe
              C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
              C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\UPHClean\uphclean.exe
              C:\Program Files\Canon\CAL\CALMAIN.exe
              C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
              C:\WINDOWS\system32\dllhost.exe
              C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
              C:\WINDOWS\eHome\ehmsas.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Documents and Settings\User\Desktop\Bacteria\Protections\medmanHijackThis.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crossfit.com/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
              R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
              O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
              O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
              O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
              O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
              O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
              O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
              O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
              O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
              O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138591397\ee\AOLSoftware.exe
              O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
              O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
              O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
              O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
              O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
              O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
              O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.EXE" -b
              O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
              O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
              O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
              O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
              O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
              O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
              O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O11 - Options group: [INTERNATIONAL] International*
              O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
              O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
              O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
              O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
              O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
              O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
              O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
              O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
              O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
              O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
              O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
              O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
              O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
              O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
              O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


              soybean



              Re: I think im infected
              « Reply #22 on: April 04, 2007, 09:47:35 AM »
              I'm not an experienced HijackThis analyzer, but while looking at some of your log, this item seems to be a suspicious one: yt.dll

              Medman

              Re: I think im infected
              « Reply #23 on: April 04, 2007, 09:48:50 AM »
              VirusTotal came up with no threats on dllhost.exe.

              Here's the link to it; I tried to post a pic but it didn't go through... whatever:

              http://www.virustotal.com/vt/en/resultadof?44ceb017762f293cc4bc301d1c7dab47

              patio

              Re: I think im infected
              « Reply #24 on: April 04, 2007, 10:12:28 AM »
              As to the startup items, you can download a great little app from Mike Lin called Startup CPL, which resides in the Control Panel...

              It gives you full control over what loads up and what doesn't.
              " Anyone who goes to a psychiatrist should have his head examined. "

              oddjob



                Re: I think im infected
                « Reply #25 on: April 04, 2007, 10:49:56 AM »
                Log is much improved.

                That yt.dll is OK. It's part of the Yahoo! Companion, and I see that the dllhost.exe file came up clean at VirusTotal.

                Just one thing in the log. Open HJT and fix this one ...

                O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

                Now run a system search and find the file(s) ... ALCMTR.EXE. Delete it/them.

                Empty your recycle bin.


                Make sure your Java, antivirus, firewall and other protection programs stay fully up to date.


                How is your computer operating now? Can Adaware now do a full scan?

                Note that there is currently an issue with Adaware. It won't always update properly. If you experience this problem, just bear with it and keep trying the update. Also keep looking at comments on the Lavasoft site & forums on that. They are hoping to clear it up soon.


                OJ

                « Last Edit: April 05, 2007, 09:36:07 AM by oddjob »
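The O4 lines in the log posted earlier in this thread, and the "fix this one, then search for the file" step in the reply above, both come down to the same thing: a Run-key entry written as a bare name (SOUNDMAN.EXE, ALCMTR.EXE) tells you nothing about where the binary actually lives, so it has to be located on disk before it can be judged. The parser below is an added example written for this page, not HijackThis's own code or anything posted by the participants. It parses HijackThis O4 lines (registry Run values and Startup-folder .lnk entries), splits each into executable and arguments, and flags entries whose executable carries no directory. The sample lines are copied from the log above; the `candidate_paths` helper and its default Windows directory of C:\WINDOWS are assumptions for a default XP install, and the search order it reproduces is the documented CreateProcess search for an unqualified name, omitting the parent's current directory, which the log does not reveal.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the same format as the HijackThis log posted in this
# thread: a handful of its O4 lines plus one O23 line (which the O4 parser
# must skip), not the full log.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE",
    r"O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe",
]

# "O4 - <location>: <rest>"; the location (HKLM\..\Run, Startup, ...) never contains a colon.
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.+)$")
# Registry form: "[ValueName] command line"
REG_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup-folder form: "Shortcut.lnk = target"
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) = (?P<cmd>.+)$", re.IGNORECASE)
# Unquoted command: the executable ends at the first .exe/.com/... followed by a space or end of line.
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)", re.IGNORECASE)


@dataclass
class StartupEntry:
    where: str   # HKLM\..\Run, HKCU\..\Run, Startup, Global Startup
    name: str    # registry value name or .lnk file name
    exe: str     # executable exactly as written in the log
    args: str    # remaining command-line arguments ("" if none)
    bare: bool   # True when exe has no directory component at all
    short: bool  # True when exe uses 8.3 short names (contains '~')


def split_command(cmd: str):
    """Split a Run-key command line into (executable, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)                        # unquoted path, possibly with spaces
    if m:
        exe = m.group("exe")
        return exe, cmd[len(exe):].strip()
    head, _, tail = cmd.partition(" ")           # fallback: first token
    return head, tail


def parse_o4(lines) -> List[StartupEntry]:
    """Parse every O4 line; lines of other HJT types are ignored."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        where, rest = m.group("where"), m.group("rest")
        body = REG_RE.match(rest) or LNK_RE.match(rest)
        if not body:
            continue
        exe, args = split_command(body.group("cmd"))
        entries.append(StartupEntry(where, body.group("name"), exe, args,
                                    bare="\\" not in exe and "/" not in exe,
                                    short="~" in exe))
    return entries


def bare_names(entries: List[StartupEntry]) -> List[str]:
    """Value names whose executable cannot be located from the log alone."""
    return [e.name for e in entries if e.bare]


def candidate_paths(exe: str, windir: str = r"C:\WINDOWS", path_dirs=()) -> List[str]:
    """Where a bare name is resolved when explorer.exe runs a Run-key value.
    Assumed XP layout: the launching application's directory (explorer.exe
    lives in the Windows directory), then system32, then system, then the
    Windows directory again, then PATH. The parent's current directory is
    also searched but is not knowable from the log, so it is left out."""
    order = [windir, windir + r"\system32", windir + r"\system", windir, *path_dirs]
    seen, out = set(), []
    for d in order:
        if d.lower() not in seen:
            seen.add(d.lower())
            out.append(d + "\\" + exe)
    return out


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        flag = "  <-- bare name, locate on disk first" if e.bare else ""
        print(f"{e.where:<14} {e.name:<20} {e.exe}{flag}")
    for p in candidate_paths("ALCMTR.EXE"):
        print("search:", p)
```

Running it lists the two bare entries (SoundMan and Alcmtr) and the three directories in which an unqualified ALCMTR.EXE would be looked up, which is exactly the set the "system search" step has to cover; an entry that is quoted or written with a full path is unambiguous and can be checked directly.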

                Medman

                Re: I think im infected
                « Reply #26 on: April 05, 2007, 09:10:26 AM »
                Well, the messages about fat32 and such have left, Norton is officially gone, and my Java software has now been updated. Things seem to be going a bit better; however, Adaware SE still isn't running properly, but I'll check in with their website about those problems. Also, the internet has been running waaayyyy slow after all of this. I use Opera mostly but have Firefox as well, and they both are slowing down.
                I don't know if there are any suggestions about that, but either way, thank you all for the huge help with this.

                patio

                Re: I think im infected
                « Reply #27 on: April 05, 2007, 09:49:09 AM »
                This can also relate to your internet connection... what type of service do you have?

                Medman

                Re: I think im infected
                « Reply #28 on: April 06, 2007, 09:24:11 AM »
                I've got Comcast cable. The problem seems to come and go. I thought it might have a little to do with the fact that I just cleared ALL of my cache, but I didn't think it would affect it this much. Sometimes my Opera browser even "encounters an error" and must close. Firefox has never done that yet. Today, however, it seems to be running fine right now (I'm on Opera).

                unlovedwarrior



                  Re: I think im infected
                  « Reply #29 on: April 06, 2007, 09:37:52 AM »
                  It could just be that your provider is having problems, or the strength of the connection is getting weaker because you might be using it during the peak hours... when does this happen?