1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HJT Log

Discussion in 'Virus & Other Malware Removal' started by tridirk, Sep 22, 2008.

Thread Status:
Not open for further replies.
  1. tridirk

    tridirk Thread Starter

    Joined:
    Sep 22, 2008
    Messages:
    1
    I have picked up a trojan or virus that keeps reinstallining itself. Tries to add itself to the startup programs, and got right by Kaspersky and PrevX.

    I can't find it... Can some one please help? Thanks;

    Here is the HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:57:38 PM, on 9/21/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal
    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Creative\Shared Files\CTAudSvc.exe
    F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    F:\WINDOWS\system32\CTsvcCDA.exe
    F:\Program Files\Prevx2\PXAgent.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\SearchIndexer.exe
    F:\WINDOWS\system32\wscntfy.exe
    F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    F:\Program Files\Microsoft IntelliType Pro\itype.exe
    F:\Program Files\Microsoft IntelliPoint\ipoint.exe
    F:\PROGRAM FILES\Google\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOP.EXE
    f:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    F:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
    F:\WINDOWS\system32\ctfmon.exe
    F:\PROGRA~1\MICROS~4\rapimgr.exe
    F:\PROGRAM FILES\Google\GOOGLE DESKTOP SEARCH\GoogleDesktop.exe
    F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\WINDOWS\system32\SearchProtocolHost.exe
    F:\PROGRAM FILES\PREVX2\PXCONSOLE.EXE
    F:\WINDOWS\system32\CTHELPER.EXE
    F:\PROGRAM FILES\WINDOWS DESKTOP SEARCH\WINDOWSSEARCH.EXE
    F:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
    F:\Program Files\Skype\Plugin Manager\skypePM.exe
    F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.prevx.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prevx.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.prevx.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.prevx.com
    O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [WinPatrol] F:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [StartCCC] "F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [itype] "f:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "f:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [Google Desktop Search] F:\PROGRAM FILES\Google\GOOGLE DESKTOP SEARCH\GOOGLEDESKTOP.EXE /startup
    O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Add to Banner Ad Blocker - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - F:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219433883281
    O16 - DPF: {8BF7B588-F4AC-4A6E-AF63-F664449EED2E} (PDM Plugin2) - http://www.triwestltd.com/wps/PA_1_VVVVVVVVVVBKC021O8JDJQ18K6/applets/DMPlugin.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - http://domino.triwestltd.com/dwa8W.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://service.futuremark.com/virtualmark/tc/MSC3.cab
    O16 - DPF: {F4A1DC8A-3D7A-4C28-A5B6-C624B814A702} (Control Panel FileManager Uploader) - https://cp.aplus.net/tools/fileman/FileMan.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15105/CTPID.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - F:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - F:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Neevia docuPrinter helper service (NVDPservice) - Unknown owner - F:\Program.exe (file missing)
    O23 - Service: PREVXAgent - Prevx - F:\Program Files\Prevx2\PXAgent.exe
    --
    End of file - 7321 bytes
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    113,946
    Hi and welcome to TSG,

    Please download Malwarebytes Anti-Malware form Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply along with a new HijackThis log please.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/752168

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice