I got hijacked, but spybot/adaware wont remove everything...help please

misterT31 (Junior Member, 5 posts, thread starter; joined Jan 2009; location CA)
03-Jan-2009, 02:10 PM #1
Hello,

On January 1st I found myself with a gnarly virus of some sort which slowed my computer to a snail's pace and took me to various websites. I downloaded and scanned with Avast, Spybot, HijackThis, Malwarebytes, AVG, etc. Malwarebytes seemed to work the best and removed most everything, including trojans and the Virtumonde virus.

Anyhow, Adaware won't delete or quarantine 9 "infected items" such as:
THEREALSEARCH.COM
GREG-SEARCH.com
AFIND.INFO
FIND4U.NET
etc.

Spybot won't remove:
Myway.mywebsearch.com
FunWebProducts
WildTangent

because "some files are still in use (memory)."

Are these threats I should worry about, and if so, how do I remove them?

Lastly, I've never done a HijackThis scan, and I'm not sure if you can help me figure out which items I should have "fixed".

Can you give me some direction? I have attached the startup log and another as attachments.

Thank you!
Ed
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
cybertech (Moderator, 69,340 posts; joined Apr 2002; location USA)
05-Jan-2009, 09:34 AM #2
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.
misterT31 (thread starter)
07-Jan-2009, 03:26 PM #3
Thank you.

I used ComboFix and downloaded the Windows console. When I started ComboFix it said I still had Norton and AVG running (I tried to turn them both off but couldn't).

Here are the TXT results. If I can find a way to attach them I will.

Thank you,
Ed



ComboFix 09-01-07.01 - HP_Owner 2009-01-07 12:56:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.345 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
AV: Norton Internet Security *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\program files\Avira
2009-01-03 12:20 . 2009-01-03 12:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-03 00:11 . 2009-01-03 00:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 00:11 . 2009-01-03 00:11 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-01-03 00:11 . 2009-01-03 00:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 00:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 00:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 17:46 . 2009-01-02 17:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVG7
2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-02 11:42 . 2009-01-02 11:42 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-02 10:54 . 2009-01-02 10:54 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-02 09:55 . 2009-01-02 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-02 09:53 . 2009-01-02 09:53 <DIR> d-------- c:\program files\Alwil Software
2009-01-02 01:25 . 2009-01-02 01:25 <DIR> d-------- c:\program files\Trend Micro
2009-01-01 21:33 . 2009-01-01 21:33 0 --a------ c:\windows\system32\drivers\seneka.sy_
2009-01-01 20:15 . 2009-01-01 20:15 2,461 --a------ c:\windows\system32\senekadf.da_
2009-01-01 20:15 . 2009-01-01 20:15 59 --a------ c:\windows\system32\seneka.da_
2009-01-01 20:09 . 2009-01-01 21:41 4,565 --a------ c:\windows\system32\senekalog.da_
2009-01-01 18:23 . 2009-01-01 18:23 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Amazon
2009-01-01 17:13 . 2009-01-01 17:14 <DIR> d-------- c:\program files\iTunes
2009-01-01 17:13 . 2009-01-01 17:13 <DIR> d-------- c:\program files\iPod
2009-01-01 17:13 . 2009-01-01 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-01 17:05 . 2009-01-01 17:06 <DIR> d-------- c:\program files\QuickTime
2009-01-01 16:48 . 2009-01-01 16:48 <DIR> d-------- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 19:10 249,274,400 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-07 19:07 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 19:00 2,922,116 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-07 09:00 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-04 16:18 --------- d-----w c:\program files\Google
2009-01-04 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-04 01:47 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 18:26 --------- d-----w c:\program files\SpywareBlaster
2009-01-03 16:58 --------- d-----w c:\program files\CCleaner
2009-01-03 15:37 --------- d-----w c:\documents and settings\HP_Owner\Application Data\AVG7
2009-01-02 22:43 --------- d-----w c:\program files\Easy Adder
2009-01-02 15:55 --------- d-----w c:\program files\Lavasoft
2009-01-01 23:13 --------- d-----w c:\program files\Common Files\Apple
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-11-26 02:07 8,321,027 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-21 20:02 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer
2008-11-08 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2002-09-11 14:26 63,730 ----a-w c:\program files\viewsonicinstruct_xp.pdf
2007-12-13 14:35 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-03-14 13:25 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-12-13 14:35 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2007-12-13 14:36 98,704 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-08-24 05:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-02 219136]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-12-30 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\WPN111.exe [2007-07-14 884838]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-06-16 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cmueyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a------ 2004-10-14 14:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2004-09-25 01:37 1691648 c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-02 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-02 20560]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-07-13 17149]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2007-07-14 362944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]

2009-01-07 c:\windows\Tasks\xyjxcric.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3ACF947C-489E-4BEF-B0F5-D2883A57045C} - (no file)
HKU-Default-Run-msiexec.exe - msiconf.exe
Notify-ljJDWoMd - ljJDWoMd.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.turbotax.com

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\iacqfg6d.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.therainforestsite.com
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 13:03:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-07 13:14:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 19:13:51

Pre-Run: 109,033,861,120 bytes free
Post-Run: 109,703,262,208 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
258 --- E O F --- 2008-12-18 09:01:23
cybertech (Moderator)
07-Jan-2009, 07:25 PM #4
Open Notepad and copy and paste the text in the code box below into it:
Code:
KILLALL::
File::
c:\windows\system32\drivers\seneka.sy_
c:\windows\system32\senekadf.da_
c:\windows\system32\seneka.da_
c:\windows\system32\senekalog.da_
c:\windows\system32\cmueyx.dll
c:\windows\Tasks\xyjxcric.job
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply.


Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.




Please download Malwarebytes Anti-Malware and save it to your desktop (alternate link 1, alternate link 2).
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)
misterT31 (thread starter)
08-Jan-2009, 01:29 AM #5
Hi,

OK, after some time I've been able to perform the operations... including the Kaspersky scan, ComboFix, installing the new Java, a new HijackThis log, a new Malwarebytes scan, running the ATF Cleaner, etc.

Attached are the txt files of the new logs... I think we are making progress... I hope! Thank you for the help. Please let me know what you're looking for in the logs.... Kaspersky says I still have a virus.
cybertech (Moderator)
08-Jan-2009, 06:55 PM #6
Run HJT again and put a check in the following:

O4 - Startup: PowerReg Scheduler.exe

Close all applications and browser windows before you click "fix checked".



You have two anti-virus programs running, which will cause trouble. Uninstall one of them.


These infections:
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Outlook\archive1.pst
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst

are in your e-mail. You need to find them and delete them. They will be found in the Archive folder and the personal folder. I can't tell you what they are. You will access these folders from inside Outlook. If you delete the entire .pst file it will remove all of the mail in those Outlook folders, and the folder will no longer exist. Carefully clean those saved e-mail files.

These infected files:
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE
D:\I386\Apps\APP22084\src\HPSummer2005.exe
are not a big deal. When you install these applications, don't use the easy install; use the custom install and de-select the add-on, which is the malware feature.


Please post back and if all is well I will provide removal instructions for the tools I have requested you to download.