
HijackThis log

I have been having a few problems on my system, mainly when online: a reappearing Avast virus warning which keeps telling me not to worry as it has stopped a trojan being downloaded onto my PC, the inability to restore a Ghost image from my 2nd HDD, plus two other Avast antivirus warnings of Win32:Hupigon-ENW affecting two files within a Temporary Internet Files folder to do with IE 5 (I use Firefox). Having run a full system antivirus scan, AVG Anti-Spyware 7.5, AWC2, CCleaner, Spybot, Ad-Aware 7, SUPERAntiSpyware Free, and Trend HouseCall, I have now resorted to HijackThis. Log attached.
Browntoa, can you help?
regards
O/S: Win 2k Pro, Athlon XP 2800, 1 GB RAM.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36:28, on 06/02/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\perfs.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\config\sy.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\Tablet.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Magitime\magitime.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Gizmo Project\Gizmo.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Software by Design\Calendar.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\PopTray\PopTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\explorer.exe
C:\unzipped\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: ESigil Browser Helper - {A968A4B4-C492-4834-B651-17602C3885C8} - C:\Program Files\Comodo\VEngine\ESigil.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Magitime] C:\Program Files\Magitime\magitime.exe
O4 - HKLM\..\Run: [VEngine] C:\Program Files\Comodo\VEngine\VEngine.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Gizmo Project] "C:\Program Files\Gizmo Project\Gizmo.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Calendar 2000.lnk = C:\Program Files\Software by Design\Calendar.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: GetMP3 - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINNT\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D447F488-AAFD-42E7-A22E-93B137362D75}: NameServer = 212.139.132.4 212.139.132.21
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ATWinLog - C:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Snake SockProxy Service (SkServer) - noname. http://snake.gnuchina.org - C:\WINNT\system32\config\sy.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe

--
End of file - 9791 bytes
"Imagination is more Important than knowledge"

Comments

  • Alfonso_Skinarelli
    Hmmm....a few nasties in there.


    Download ComboFix from any of these links to your DESKTOP:

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

    CLICK HERE to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    Before we begin, let's feed ComboFix some additional files to target.

    Open notepad (Start > Run and type notepad) and copy/paste the text in the code box below to it:
    File::
    C:\WINNT\system32\perfs.exe
    C:\WINNT\system32\config\sy.exe
    
    Driver::
    SkServer
    perfmons
    
    Save this as "CFScript"

    [image: CFScript.gif]

    Referring to the picture above, drag CFScript into ComboFix.exe


    Before you begin, close any open browsers.
    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    Note:
    Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.
  • Browntoa
    seeing Alfonso started this one I'll leave it to him to avoid conflicting advice
    Ex forum ambassador

    Long term forum member
  • Alfonso_Skinarelli
    letsbehonest,

    You need to follow my instructions to the letter. You didn't make the CFScript and you ran ComboFix twice when I only asked you to run it once. It's important you follow the instructions. If you're not sure of anything, please stop and ask.

    Let's try again...

    Open notepad (click Start then Run and type notepad) and copy/paste the text inside the box below to it:
    File::
    C:\alexamw.exe
    C:\WINNT\system32\perfs.exe
    C:\WINNT\system32\config\sy.exe
    
    Driver::
    SkServer
    perfmons
    
    Save this as "CFScript"

    [image: CFScript.gif]

    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again.

    Post the resultant log file please with a fresh HJT log.
  • Alfonso_Skinarelli
    Open HijackThis again and place a check before the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O20 - Winlogon Notify: ATWinLog - C:\WINNT\
    O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)


    Close any open browser windows and click the Fix Checked button.

    Close HijackThis.

    Restart the machine.


    Lastly, using Internet Explorer, click here to use the Eset Online Scanner.
    • Accept the terms of use and click the Start button.
    • When prompted to install an ActiveX Control, click the yellow notification bar and select Install ActiveX Control..
    • Click the Install button on the Security Warning window which appears.
    • Once the ActiveX installs click the Start button to download the signature database when prompted.
    • On the "Computer Scan" options window leave Remove found threats UNCHECKED but include Scan unwanted applications, then hit the Scan button.
    • A log file of the results can be found at C:/Program Files/EsetOnlineScanner/log.txt
    • Post the results in your next reply please along with a new HJT log and an update on the machine's performance.
  • letsbehonest
    Many thanks for your help.
    Following your last set of instructions, I have found that when trying to use the Eset online scanner, after clicking the Start button I am told "Error update failed (200)"; this halts the procedure. I have retried several times.
    regards
    "Imagination is more Important than knowledge"
  • Alfonso_Skinarelli
    Use the Kaspersky On-line Scanner
    • Accept the Active X object and download the latest definitions.
    • When the scanner is ready, click Scan Settings.
    • Select the Extended anti-virus database.
    • Select Scan Archives & Scan Mail Bases and then ok.
    • Click My Computer to run a full system scan.
    • When complete, choose Save as Text and save the log file to your desktop ready for posting.
  • letsbehonest
    Scan too big to attach to this thread.
    "Imagination is more Important than knowledge"
  • Browntoa
    You may need to open the file, highlight about half the text and copy it into one post,

    then do the same with the other half in a 2nd post
    Ex forum ambassador

    Long term forum member
  • Browntoa
    see Mr Skint is back...again
    Ex forum ambassador

    Long term forum member
  • letsbehonest
    I'm afraid this is going to take more than two posts to get this all in.
    "Imagination is more Important than knowledge"
This discussion has been closed.