hijackthis log [PROBLEM SOLVED - lock please]

tdao91 · September 27, 2006

Well, lately I've been getting this weird pop-up. It's called Win Antivirus Pro 2006 and says "you may be infected! download it now for free!" (or something like that). I've done some scans with AVG free and ad aware. It removes some trojan, but it always comes back. And when I do the scan, it removes it again. but after a while the pop up comes back up. Sooooo... I decided to post a HJT log. And i am begging for some assistance. ty in advance.

Logfile of HijackThis v1.99.1

Scan saved at 6:33:19 PM, on 9/26/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss[Caution: Executable File]

C:\WINDOWS\system32\winlogon[Caution: Executable File]

C:\WINDOWS\system32\services[Caution: Executable File]

C:\WINDOWS\system32\lsass[Caution: Executable File]

C:\WINDOWS\system32\svchost[Caution: Executable File]

C:\WINDOWS\System32\svchost[Caution: Executable File]

C:\WINDOWS\system32\LEXBCES[Caution: Executable File]

C:\WINDOWS\system32\spoolsv[Caution: Executable File]

C:\WINDOWS\system32\LEXPPS[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: Executable File]

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: Executable File]

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4[Caution: Executable File]

C:\WINDOWS\Explorer[Caution: Executable File]

C:\Program Files\Analog Devices\Core\smax4pnp[Caution: Executable File]

C:\Program Files\Java\jre1.5.0_03\bin\jusched[Caution: Executable File]

C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: Executable File]

C:\WINDOWS\system32\dla\tfswctrl[Caution: Executable File]

C:\WINDOWS\system32\hkcmd[Caution: Executable File]

C:\WINDOWS\system32\igfxpers[Caution: Executable File]

C:\Program Files\D-Tools\daemon[Caution: Executable File]

C:\Program Files\Dell Photo Printer 720\dlbcserv[Caution: Executable File]

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: Executable File]

C:\Program Files\Grisoft\AVG Free\avgcc[Caution: Executable File]

C:\WINDOWS\system32\wuauclt[Caution: Executable File]

C:\WINDOWS\system32\igfxsrvc[Caution: Executable File]

C:\WINDOWS\system32\wscntfy[Caution: Executable File]

C:\PROGRA~1\MOZILL~1\FIREFOX[Caution: Executable File]

C:\Program Files\hijackthis\HijackThis[Caution: Executable File]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp[Caution: Executable File]

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched[Caution: Executable File]

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: Executable File]"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray[Caution: Executable File]" /r

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: Executable File]" -atboottime

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl[Caution: Executable File]

O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3[Caution: Executable File]

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray[Caution: Executable File]

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd[Caution: Executable File]

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers[Caution: Executable File]

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: Executable File] /STARTUP

O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback[Caution: Executable File] /dump:os_startup

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution: Executable File]"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon[Caution: Executable File]" -lang 1033

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs[Caution: Executable File]" /background

O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm[Caution: Executable File] -autorun

O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv[Caution: Executable File]

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9[Caution: Executable File]

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim[Caution: Executable File]

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp[Caution: Executable File] (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp[Caution: Executable File] (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4608363812

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedow ... in9USA.cab

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: Executable File]

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: Executable File]

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: Executable File]

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES[Caution: Executable File]

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc[Caution: Executable File]

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon[Caution: Executable File]

O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: Executable File]" "WUSB54Gv4[Caution: Executable File] (file missing)[/b]

____ · September 27, 2006

Fix then unregister this dll, reboot then delete it.

O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll

tdao91 · September 28, 2006

oh and here's a pic of the pop-up (very suspicious pop-up!)

coltm4carbine · September 28, 2006

If you have downloaded winantivirus that means you have vundo.

Don't download it.

Rename Hijackthis[Caution: Executable File] to something like Scan[Caution: Executable File].

Then post another HJT log.

KnightLite · September 28, 2006

I had the same thing happen to me. I just simply did a system restore to the day it happened, problem solved

Rcty · September 28, 2006

DO NOT DO ANYTHING TO THIS POP UP. I GOT THE SAME ONE BEFORE AND WHEN I GOT MY SPY SWEEPER AND PC CILLIN PROGRAMS, IT SAID IT ACTUALLY DOWNLOADED SOME VIRUSES ONTO MY COMPUTER. THAT AD IS ANNOYING BECAUSE IT REDIRECTS YOU AND DOWNLOADS WITHOUT YOUR PERMISSION, I KNOW.

~Rcty

tdao91 · September 29, 2006

If you have downloaded winantivirus that means you have vundo.

Don't download it.

Rename Hijackthis.e3e (CAUTION - executable file) to something like Scan.e3e (CAUTION - executable file).

Then post another HJT log.

well i haven't clicked on it yet (and don't plan to) but how would i go about changing the renaming it? just go into my hijackthis folder and change the name to scan?

blade995 · September 29, 2006

If you have downloaded winantivirus that means you have vundo.

Don't download it.

Rename Hijackthis.e3e (CAUTION - executable file) to something like Scan.e3e (CAUTION - executable file).

Then post another HJT log.

well i haven't clicked on it yet (and don't plan to) but how would i go about changing the renaming it? just go into my hijackthis folder and change the name to scan?

Yes

tdao91 · September 29, 2006

here ya go:

new HJT log

Logfile of HijackThis v1.99.1

Scan saved at 4:35:16 PM, on 9/29/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss[Caution: Executable File]

C:\WINDOWS\system32\winlogon[Caution: Executable File]

C:\WINDOWS\system32\services[Caution: Executable File]

C:\WINDOWS\system32\lsass[Caution: Executable File]

C:\WINDOWS\system32\svchost[Caution: Executable File]

C:\WINDOWS\System32\svchost[Caution: Executable File]

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon[Caution: Executable File]

C:\WINDOWS\system32\LEXBCES[Caution: Executable File]

C:\WINDOWS\Explorer[Caution: Executable File]

C:\WINDOWS\system32\spoolsv[Caution: Executable File]

C:\WINDOWS\system32\LEXPPS[Caution: Executable File]

C:\Program Files\Analog Devices\Core\smax4pnp[Caution: Executable File]

C:\Program Files\Java\jre1.5.0_03\bin\jusched[Caution: Executable File]

C:\Program Files\CyberLink\PowerDVD\DVDLauncher[Caution: Executable File]

C:\WINDOWS\system32\dla\tfswctrl[Caution: Executable File]

C:\WINDOWS\system32\hkcmd[Caution: Executable File]

C:\WINDOWS\system32\igfxpers[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: Executable File]

C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution: Executable File]

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa[Caution: Executable File]

C:\Program Files\D-Tools\daemon[Caution: Executable File]

C:\Program Files\Dell Photo Printer 720\dlbcserv[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: Executable File]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: Executable File]

C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService[Caution: Executable File]

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4[Caution: Executable File]

C:\Program Files\Windows Media Player\wmplayer[Caution: Executable File]

C:\Program Files\hijackthis\Scan[Caution: Executable File]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O2 - BHO: (no name) - {21C4D498-A414-48E0-A43B-E9AF41621005} - C:\WINDOWS\system32\ddaby.dll

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\fvwfqydo.dll (file missing)