HELP!! Hijacked

95blklsc · Joined: 28 Aug 2008 Posts: 2

I am trying to fix my parents computer, it has some serious problems. It forwards websites to softwarereferral.com, the system time is in military time, many icons are removed from the start menu. I had to start in safe mode to even download hijack this and get a logfile. I've scanned with AVG, adaware, and trend micro. None have fixed the problem. Thanks for all of your help!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58: VIRUS ALERT!, on 8/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\lanmanwrk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {2579D159-8D4E-44E9-AAAC-4236F055DF5B} -
C:\WINDOWS\system32\ddccbAqO.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer
- {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program
Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program
Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {719332E6-7427-4F8A-B959-0055135B174B} -
C:\WINDOWS\system32\byXnliff.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar -
{A057A204-BACC-4D26-9990-79A187E2698E} -
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: QXK Olive - {AEFFF7D6-917C-4D8D-A780-7C2D69F1B01A} -
C:\WINDOWS\nfavxwdbsxb.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO -
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program
Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: {f39def0e-c5a3-ce9b-0d54-06fdbde7b92c} -
{c29b7edb-df60-45d0-b9ec-3a5ce0fed93f} -
C:\WINDOWS\system32\cjfjgx.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} -
C:\WINDOWS\fdkowvbp.dll (file missing)
O3 - Toolbar: AVG Security Toolbar -
{A057A204-BACC-4D26-9990-79A187E2698E} -
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: bgrqfetx - {D94F8861-8B9F-417B-960F-62212C452045} -
C:\WINDOWS\bgrqfetx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common
Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program
Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program
Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Ed\LOCALS~1\Temp\scksexde.exe/r
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend
Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program
Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program
Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1
O8 - Extra context menu item: Add to AD Black List - C:\Program
Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server -
C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant
Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... -
C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program
Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver
Installation Control) -
http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
Operating System Class) -
http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr
Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: ddccbAqO - ddccbAqO.dll (file missing)
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: eqvwamkl - {CAFFB608-555E-490B-8F94-00678B0EEA50} -
C:\WINDOWS\eqvwamkl.dll (file missing)
O21 - SSODL: wnslvxtf - {56E82DB6-65A1-4965-AE8E-08B85958718F} -
C:\WINDOWS\wnslvxtf.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft -
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies
CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ,
s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program
Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools -
C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools -
C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) -
Trend Micro Inc. - C:\Program Files\Trend Micro\Internet
Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service
(TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend
Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc.
- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9426 bytes

HJT Analyzer · Joined: 15 Mar 2006 Posts: 728

Hello, visitor!

The Hijack This log analyzer has analyzed your log. Please take a closer look on the results.

Your log does not indicate any spyware or virus infection. However, there are some entries that you might want to fix. Please follow the steps below.

The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
O8 - Extra context menu item: Add to AD Black List - C:\Program
O8 - Extra context menu item: Block All Images from the Same Server -
O8 - Extra context menu item: Highlight - C:\Program Files\Avant
O8 - Extra context menu item: Open All Links in This Page... -
O8 - Extra context menu item: Open In New Avant Browser - C:\Program
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
O9 - Extra ''Tools'' menuitem: Sun Java Console -
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583}
O9 - Extra ''Tools'' menuitem: @xpsp3res.dll,-20001 -
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
O9 - Extra ''Tools'' menuitem: Windows Messenger -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
O20 - Winlogon Notify: ddccbAqO - ddccbAqO.dll (file missing)

The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
C:\WINDOWS\System32\lanmanwrk.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {2579D159-8D4E-44E9-AAAC-4236F055DF5B} -
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -
O2 - BHO: (no name) - {719332E6-7427-4F8A-B959-0055135B174B} -
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
O2 - BHO: AVG Security Toolbar -
O2 - BHO: Google Toolbar Helper -
O2 - BHO: QXK Olive - {AEFFF7D6-917C-4D8D-A780-7C2D69F1B01A} -
O2 - BHO: Google Toolbar Notifier BHO -
O2 - BHO: {f39def0e-c5a3-ce9b-0d54-06fdbde7b92c} -
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
O3 - Toolbar: fdkowvbp - {BF53502D-3BEF-4273-9925-89D7526A5F87} -
O3 - Toolbar: AVG Security Toolbar -
O3 - Toolbar: bgrqfetx - {D94F8861-8B9F-417B-960F-62212C452045} -
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Ed\LOCALS~1\Temp\scksexde.exe/r
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend
O4 - HKLM\..\Run: [lanmanwrk.exe clean] C:\WINDOWS\System32\lanmanwrk.exe clean
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: eqvwamkl - {CAFFB608-555E-490B-8F94-00678B0EEA50} -
O21 - SSODL: wnslvxtf - {56E82DB6-65A1-4965-AE8E-08B85958718F} -
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft -
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ,
O23 - Service: GoogleDesktopManager - Google - C:\Program
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools -
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools -
O23 - Service: Trend Micro Unauthorized Change Prevention Service

If you want to see more detailed analysis of your log, click here.

Thank you for using the 2-Spyware.com HijackThis log analyzer beta 2!