
Thread: Help with Trojans PLEASE!!


  1. #1 | Join Date: Mar 2008 | Location: Lansing, Mi | Age: 44 | Posts: 12

    HijackThis help

    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:39:19 PM, on 3/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
    C:\Program Files\TiVo\Desktop\TiVoNotify.exe
    C:\Program Files\TiVo\Desktop\TiVoServer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\bobyte\WinBoss classic\WinBoss.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Program Files\Microsoft Money 2007\MNYCoreFiles\mnybbsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\oozcnxbn.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [BM6fda5c05] Rundll32.exe "C:\WINDOWS\system32\fyvswyuo.dll",s
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
    O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WinBoss] "C:\Program Files\bobyte\WinBoss classic\WinBoss.exe"
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178394754234
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    Thanks
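    As an added example (not code from the thread, from HijackThis, or from the helpers), here is a small Python triage pass over three entries copied from the log above. It flags the UserInit chain that runs an extra executable ahead of userinit.exe, an entry whose file is already missing, and a Rundll32 autostart that loads an eight-letter random-name DLL from system32. The sample entries are copied from the posted log and the regex heuristics are constructed for illustration.

```python
import re

# Constructed sample: three entries copied from the HijackThis log posted
# above, plus one ordinary O4 entry (AVG) so a benign line is present too.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\oozcnxbn.dll (file missing)
O4 - HKLM\..\Run: [BM6fda5c05] Rundll32.exe "C:\WINDOWS\system32\fyvswyuo.dll",s
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
"""

# The only value a clean XP UserInit chain should contain (trailing comma aside).
USERINIT_OK = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)

# Heuristic: Rundll32 loading a system32 DLL whose basename is eight
# lowercase letters, the naming pattern seen in this log (fyvswyuo, oozcnxbn).
RUNDLL_RANDOM = re.compile(
    r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\system32\\[a-z]{8}\.dll)"?', re.I)


def triage(log_text):
    """Return (section, reason) pairs for HijackThis lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # F2, O3, O4, O23, ...
        if section == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1]
            extras = [p.strip() for p in value.split(",")
                      if p.strip() and not USERINIT_OK.match(p.strip())]
            if extras:
                findings.append((section, "UserInit runs extra executable(s) "
                                 "before userinit.exe: " + ", ".join(extras)))
        if line.endswith("(file missing)"):
            findings.append((section, "entry references a file that no longer "
                             "exists (orphaned autostart/toolbar reference)"))
        if section == "O4":
            m = RUNDLL_RANDOM.search(line)
            if m:
                findings.append((section, "Rundll32 autostart loads a random-name "
                                 "DLL from system32: " + m.group(1)))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```

    The "(file missing)" rule also matches the TiVo Beacon O23 line in the full log, so these are leads for the person reading the log, not verdicts.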

  2. #2 | Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    What problems are you having? Did you follow all the steps given HERE?
    If not please do so, post back with exact description of your problems and all the requested logs from the link, along with a NEW HJT scan.
    Judy

  3. #3 | Join Date: Mar 2008 | Location: Lansing, Mi | Age: 44 | Posts: 12
    My problems started with a few popups about how my computer was infected. I have had this before and removed it with little problems. Then I noticed that my volume control in my system tray was gone. I went to Sounds and Audio Devices properties, and it said No Audio Device. Then I went to Device Manager and it says my audio device is installed and working properly. After following the steps you gave me, it seems to have taken care of the pop-up problem, but I still have no sound. Thank you for the help, and sorry for the first post.
    Attached Files

  4. #4 | Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Still looking at your logs... the one log listed as "log"... what scanner is that from, and did you tell it to fix? If not, run it again and ask it to fix.
    Also, your Java is way, way, WAY out of date. Please go here and download the latest version, which is update 6 version 5. Please choose the Offline install, download and save to desktop.
    Once it is downloaded then go to Add/Remove and uninstall Java 2 Runtime Environment, SE v1.4.2.
    Once it is uninstalled then install the new version and then go here to verify the install.

  5. #5 | Join Date: Mar 2008 | Location: Lansing, Mi | Age: 44 | Posts: 12
    The Log.txt file is from the ESET Online Scanner; as soon as I am done with this post I will rerun it and fix it. I installed the latest version of Java, thanks for that and for all your help.

  6. #6 | Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Jim, once you have re-run that ESET scanner and allowed it to fix, be sure to save that log. Also then run a NEW HJT scan after that and post that log here too.

  7. #7 | Join Date: Mar 2008 | Location: Lansing, Mi | Age: 44 | Posts: 12
    Here is the ESET scan log and the HijackThis log.
    Attached Files

  8. #8 | Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Please do the following:
    • Download combofix.exe by sUBs to your computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.

    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.
    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouse-click Combofix's window while it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, restart your computer to restore it.
    Please post that log for us. You can copy & paste this one into this thread.

  9. #9 | Join Date: Mar 2008 | Location: Lansing, Mi | Age: 44 | Posts: 12
    ComboFix 08-03-20.5 - Owner 2008-03-20 18:46:17.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.159 [GMT -4:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\sanR24
    C:\WINDOWS\BM6fda5c05.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\ecurit~1
    C:\WINDOWS\ecurit~1\?ecurity\
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\dehvocie.dll
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\fyvswyuo.dll
    C:\WINDOWS\system32\h1
    C:\WINDOWS\system32\r2
    C:\WINDOWS\system32\snohpmup.dll
    C:\WINDOWS\system32\winpfz32.sys

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
    .

    2008-03-18 19:26 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-18 19:22 . 2008-03-18 19:22 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-03-18 07:33 . 2008-03-18 19:34 <DIR> d-------- C:\Program Files\EsetOnlineScanner
    2008-03-17 19:32 . 2008-03-17 19:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-03-17 19:32 . 2008-03-17 19:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
    2008-03-17 19:32 . 2008-03-17 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-12 23:04 . 2008-03-12 23:04 <DIR> d-------- C:\fsaua.data
    2008-03-08 22:50 . 2008-03-08 22:50 <DIR> d-------- C:\Program Files\MP3 Ringtone Maker
    2008-03-08 22:36 . 2008-03-08 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nitrogen
    2008-03-08 22:19 . 2005-05-13 19:33 4,333,568 --a------ C:\06 Name.mid
    2008-02-24 13:32 . 2008-03-20 18:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-02-24 13:32 . 2008-02-24 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-02-24 13:31 . 2008-02-24 13:31 <DIR> d-------- C:\Program Files\iTunes
    2008-02-24 13:31 . 2008-02-24 13:31 <DIR> d-------- C:\Program Files\iPod
    2008-02-24 13:28 . 2008-02-24 13:29 <DIR> d-------- C:\Program Files\QuickTime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-20 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2008-03-18 23:26 --------- d-----w C:\Program Files\Java
    2008-03-14 02:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
    2008-03-13 03:19 --------- d-----w C:\Program Files\Azureus
    2008-03-12 21:00 --------- d-----w C:\Program Files\Yahoo!
    2008-03-12 20:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-12 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-02-28 12:31 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-27 17:34 3,320 ----a-w C:\Documents and Settings\Owner\Application Data\ViewerApp.dat
    2008-02-11 13:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
    2008-02-11 13:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
    2008-02-08 17:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
    2008-02-05 12:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
    2007-11-06 17:15 6,465 --sha-w C:\WINDOWS\system32\ttutv.bak1
    2007-11-08 05:15 454,077 --sha-w C:\WINDOWS\system32\ttutv.bak2
    2007-11-08 23:22 460,952 --sha-w C:\WINDOWS\system32\ttutv.ini2
    .

  10. #10 | Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Jim, have you previously run combofix?
