
HijackThis Log

Could you please have a look at this HijackThis log.

Have had problems with popups recently.

Have run Malwarebytes and found infections, which have been deleted.

Changed antivirus from AVG to Avira.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:40, on 26/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O5 "LPT1:" /M "Stylus C44"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [qswwc] "c:\users\john bailey\appdata\local\qswwc.exe" qswwc
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71AC500C-75FA-45EE-B44E-B94B81FE60D4}: NameServer = 212.74.112.66,212.74.112.67
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 7722 bytes
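The log above is the raw input a helper triages by hand: the R0/R1 browser settings, the O2 browser helper objects, the O4 Run-key autoruns, the O17 DNS servers and the O20 AppInit DLL. As an added example, not code from the original post and not part of Trend Micro's HijackThis, here is a small Python parser for those line formats, run over a verbatim subset of the lines from this log. The severity labels and the list of user-writable directories it checks against are my own assumptions, not HijackThis rules.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread: not code from the original post and not
part of Trend Micro's HijackThis. It parses the O2 (BHO), O4 (Run keys),
O17 (NameServer) and O20 (AppInit_DLLs) line formats seen in the log above
and flags the entries an analyst reads first. SAMPLE_LOG is a verbatim
subset of that log; the severity labels and the list of user-writable
directories are my own assumptions, not HijackThis rules.
"""
import re
from dataclasses import dataclass

# Constructed subset of the log posted above (lines copied verbatim).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [qswwc] "c:\users\john bailey\appdata\local\qswwc.exe" qswwc
O17 - HKLM\System\CCS\Services\Tcpip\..\{71AC500C-75FA-45EE-B44E-B94B81FE60D4}: NameServer = 212.74.112.66,212.74.112.67
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "high", "medium" or "info" (assumed labels)
    reason: str
    line: str      # the original log line


HEADER_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")

# Directory fragments a standard user can write to without elevation. An
# autorun pointing here is the classic adware/dropper pattern (qswwc.exe).
USER_WRITABLE = ("\\appdata\\", "\\local settings\\", "\\temp\\", "\\documents and settings\\")


def executable_from_command(cmd: str) -> str:
    """Return the program part of a Run-key command line.

    A quoted path is taken up to the closing quote; otherwise the first
    whitespace-delimited token is used (an unquoted path that itself
    contains spaces is worth a second look anyway).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list:
    """Walk the log and return a Finding for each entry worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            b = O2_RE.match(body)
            if b and b.group("path").strip().lower() == "(no file)":
                findings.append(Finding(section, "medium",
                    "BHO registered but its DLL is gone (orphaned CLSID; remove the entry)", line))
        elif section == "O4":
            b = O4_RE.match(body)
            if not b:
                continue
            exe = executable_from_command(b.group("cmd")).lower()
            if any(frag in exe for frag in USER_WRITABLE):
                findings.append(Finding(section, "high",
                    f"autorun '{b.group('name')}' runs from a user-writable directory: {exe}", line))
            elif "\\" not in exe and "%" not in exe:
                findings.append(Finding(section, "info",
                    f"autorun '{b.group('name')}' names a bare file ({exe}); resolved via the search path", line))
        elif section == "O17":
            b = O17_RE.search(body)
            if b:
                findings.append(Finding(section, "info",
                    f"DNS servers set to {b.group('servers')}; confirm they belong to the ISP", line))
        elif section == "O20":
            b = O20_RE.match(body)
            if b:
                findings.append(Finding(section, "medium",
                    f"AppInit_DLLs = {b.group('dlls')}; loaded into every process that links user32.dll", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run as a script it prints one line per finding. The only "high" hit on this sample is the HKCU Run entry for qswwc.exe, because it launches from %LOCALAPPDATA%, a directory the user can write to without elevation, which is where adware droppers park themselves; the orphaned "(no file)" BHO and the AppInit DLL are flagged as worth checking, and the DNS servers and the bare KHALMNPR.EXE name are informational. The heuristics are deliberately simple: they rank entries for a human, they do not decide what is malicious.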

Comments

  • aliEnRIK
    Open MALWAREBYTES, goto LOGS and post the last scan you ran (COMPLETE log)
  • aliEnRIK
    TICK this in hijack then FIX it~
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    any idea what this is all about? ~
    c:\users\john bailey\appdata\local\qswwc.exe
  • stulaunch
    Thanks
    Here is the first Malwarebytes log; it has something about the file you asked about.

    Malwarebytes' Anti-Malware 1.36
    Database version: 2043
    Windows 6.0.6001 Service Pack 1
    26/04/2009 10:04:50
    mbam-log-2009-04-26 (10-04-50).txt
    Scan type: Quick Scan
    Objects scanned: 86130
    Time elapsed: 6 minute(s), 51 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Users\john bailey\Local Settings\Application Data\qswwc_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Users\john bailey\Local Settings\Application Data\qswwc_nav.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Users\john bailey\Local Settings\Application Data\qswwc.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
    C:\Users\john bailey\Local Settings\Application Data\qswwc.exe (Adware.Navipromo.H) -> Quarantined and deleted successfully.

    I ran a 2nd scan after deleting the problems and that came back with no infections.
  • aliEnRIK
    TICK this in hijack then FIX it~
    O4 - HKCU\..\Run: [qswwc] "c:\users\john bailey\appdata\local\qswwc.exe" qswwc

    Update Malwarebytes (if it's needed) and run a FULL scan. Post the whole log here (if it finds anything).

    then ~
    Download SUPERANTISPYWARE (make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_superantispyware/
    UPDATE and PERFORM COMPLETE SCAN
    (Then go to the console and LOGS and post the log it created, then untick it from STARTING UP WITH WINDOWS)
  • stulaunch
    OK, Malwarebytes was clear.

    SAS found these:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com
    Generated 04/26/2009 at 04:26 PM
    Application Version : 4.26.1000
    Core Rules Database Version : 3864
    Trace Rules Database Version: 1815
    Scan type : Complete Scan
    Total Scan Time : 01:03:51
    Memory items scanned : 610
    Memory threats detected : 0
    Registry items scanned : 6741
    Registry threats detected : 0
    File items scanned : 38255
    File threats detected : 32
    Adware.Tracking Cookie
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@www.googleadservices[5].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@webstats.landregistry.gov[2].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@webstats.landregistry.gov[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@www.googleadservices[6].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@www.googleadservices[7].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@nextag[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@imrworldwide[2].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@ad.uk.tangozebra[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@avgtechnologies.112.2o7[2].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@specificclick[2].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@keywordmax[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@ads.belointeractive[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@saletrack.co[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@incredimailltd.112.2o7[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@realnetworks.112.2o7[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@ads.contactmusic[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@www3.addfreestats[1].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@nextag.co[2].txt
    C:\Users\ann bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\ann_bailey@digitalclarity.112.2o7[1].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@bs.serving-sys[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@viacom.adbureau[1].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@serving-sys[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@specificclick[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@2o7[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@ad.yieldmanager[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@media.mtvnservices[1].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@adlegend[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@tribalfusion[1].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@revsci[2].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@microsoftwindows.112.2o7[1].txt
    C:\Users\john bailey\AppData\Roaming\Microsoft\Windows\Cookies\Low\john_bailey@adtech[1].txt
    Trojan.Dropper/Gen
    C:\USERS\JOHN BAILEY\APPDATA\LOCAL\TEMP\MIA2CE.TMP\DATA\MICROSOFT VISUAL C++ RUNTIME 9.0 (INCLUDES ATL AND MFC) SERVICE PACK 1\915FF0F9\CD46533A\AAWDRIVERTOOL.EXE
  • aliEnRIK
    Download CCLEANER (make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
    http://www.filehippo.com/download_ccleaner/
    Run the CLEANER scan (UNTICK 'cookies')
    Then run the REGISTRY scan (Backup the registry when it asks)

    How are the popups?

    I'd guess you'll be OK now, but if you have any more trouble we can look deeper.
  • stulaunch
    All seems fine. Thanks.
This discussion has been closed.