Using an older version of HijackThis is not a very good idea because it will "miss" things. Please reboot into Safe Mode:

* Reboot your computer.
* When you hear your computer "beep" and display its information, keep tapping the F8 key. Some systems display an error if this is done too soon; if this happens then try again.
* The Advanced Options menu will display; select Safe Mode (not Safe Mode with Networking) with the arrow keys and press Enter.
* Log in as you normally would.
* Try to run HijackThis v1.99.1 in Safe Mode and save a logfile. It will not be as detailed as the scan run in Normal Mode, but it will do.
* Reboot into Normal Mode and post that logfile. It will be wherever you saved HijackThis (for example, if HijackThis was in C:\HJT, the logfile would be at C:\HJT\hijackthis.log).

Next, please go here and download Deckard's System Scanner. Note: This program is meant for Windows 2000 and higher (including Vista) only!

Save the file to your desktop, and double-click it to run it. Press "OK" and let the scanner do its work. It may appear to freeze or hang your computer; this is normal, so let the scanner do its work. It usually will not take too long. When the scan is finished, it shall make two logs for you - one will be called "main" and the other, "extra". "main" will be maximized and "extra" will be minimized. Post both logfiles (as in copy and paste) in a reply.

Finally, please download Combofix: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click Combofix's window while it is running. That may cause your system to stall/hang.

In your next reply:

* HijackThis v1.99.1 log in Safe Mode
* main.txt from Deckard's System Scanner
* extra.txt from Deckard's System Scanner
* Combofix logfile
http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com See "NOTE:" at the bottom of the December 15, 2004 block. bc
Yes, but many other things do that as well (some keyloggers and odd Chinese trojans), and an older version of HijackThis isn't usually the way to go. Often a Safe Mode scan followed by a few fixes will suffice.
I renamed it to "cant ho" and it still doesn't work, but I was just renaming it; I'm not sure if that was what I was supposed to do or not. But I did manage to get this. It runs for about half a second, and I got a log file saved by opening it and hitting Enter as fast as I can. I got Hijackthis.log and here it is... I hope this is right.

Logfile of HijackThis v1.98.2
Scan saved at 11:34:44 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vadqtofc.exe
C:\WINDOWS\system32\scchk32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\mspaint.exe
C:\DOCUME~1\OWNER~1.HER\LOCALS~1\Temp\Rar$EX25.391\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - XBJ - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14B2D544-61FC-1D0B-A74E-6FE339E5F3EF} - C:\WINDOWS\system32\vhspnop.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - ¨¨2-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - ¨A8DD50-C996-44fc-AC52-0FECFF82ED58} - (no file)
O2 - BHO: (no name) - èB78D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - ØØ2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: (no name) - ØAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vadqtofc.exe] C:\WINDOWS\system32\vadqtofc.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Pbso] "C:\PROGRA~1\WNSXS~1\tracert.exe" -vt yazr
O4 - HKCU\..\Run: [Rnxybgf] "C:\Program Files\?ymantec\m?dtc.exe" 99001275
O4 - HKCU\..\Run: [Eati] "C:\WINDOWS\system32\YSTEM3~1\csrss.exe" -vt yazr
O4 - HKCU\..\Run: [Uuympxz] C:\Program Files\s?curity\n?tepad.exe
O4 - HKCU\..\Run: [PaSystem] "C:\Program Files\pasystem\pasystem.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?9fc4b03debec49969a0dc8a6bd159ef5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?9fc4b03debec49969a0dc8a6bd159ef5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171861015074
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
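As an added example (not code from this thread or from HijackThis), here is a small Python triage script that applies two of the checks a helper makes by eye on a log like the one above: O2 BHO entries with a malformed CLSID or no DLL on disk, and O4 Run entries whose path contains a '?' (a non-ASCII lookalike character) or names a core system process running from somewhere other than system32. The sample entries are copied from the log above; the heuristics and the short SYSTEM_NAMES list are my own assumptions, meant as a first pass rather than a verdict.

```python
import ntpath
import re

# Constructed sample: six entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14B2D544-61FC-1D0B-A74E-6FE339E5F3EF} - C:\WINDOWS\system32\vhspnop.dll (file missing)
O2 - BHO: (no name) - rsion - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Rnxybgf] "C:\Program Files\?ymantec\m?dtc.exe" 99001275
O4 - HKCU\..\Run: [Eati] "C:\WINDOWS\system32\YSTEM3~1\csrss.exe" -vt yazr
"""

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Registry hive, [entry name], then either a quoted path or the first bare token.
O4_RE = re.compile(r'^O4 - \S+: \[[^\]]*\] (?:"([^"]+)"|(\S+))')
# Core Windows processes that belong directly under system32 (assumption: short illustrative list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}


def triage(log_text):
    """Return (reason, line) pairs for O2 and O4 entries that deserve a closer look."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("O2 - BHO:"):
            parts = line.split(" - ")  # ["O2", "BHO: name", "{clsid}", "path ..."]
            clsid = parts[2] if len(parts) > 2 else ""
            path = parts[3] if len(parts) > 3 else ""
            if not CLSID_RE.match(clsid):
                hits.append(("BHO with malformed CLSID", line))
            elif "(no file)" in path or "(file missing)" in path:
                hits.append(("BHO registered without a DLL on disk", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # e.g. "O4 - Startup:" lines use a different layout
            exe_path = m.group(1) or m.group(2)
            directory, name = ntpath.split(exe_path)
            if "?" in exe_path:
                hits.append(("Run path contains '?' (non-ASCII lookalike name)", line))
            elif name.lower() in SYSTEM_NAMES and not directory.lower().endswith("\\windows\\system32"):
                hits.append(("system process name outside system32", line))
    return hits


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Entries such as the tracert.exe line under WNSXS~1 in the full log pass these particular checks, which is why a helper still reads the whole log rather than relying on any one heuristic.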
Yes, thank you for the log. I will take a look at it as soon as I get home from school, or possibly sooner, because I have nothing to do for the next 15 mins until I go home. Good work on getting the logfile. Did you run Deckard's System Scanner?
I can't seem to find anything of great importance, so it's even more imperative that you get a log from Deckard's System Scanner.

Please download F-Secure BlackLight. It is a free trial and offers a stand-alone executable file (meaning it does not have to be installed). Please disconnect from the Internet, physically if possible, before you do this step. Double-click on fsbl.exe to open the program. Accept the license agreement and other things that pop up. Do a scan; if hidden objects are found DO NOT rename them; just save the log for me to look at. If they are not, then, well, that's ruled out. When the scan is done and the logfile saved, you can reconnect your Internet.

Next, pay a visit to http://www.virustotal.com and submit a file. At the top of the page, there will be a "Browse" button. Click that button, and paste this text exactly as it appears into the window that appears: C:\WINDOWS\system32\vadqtofc.exe Click "Open", and then click the brownish-yellow "Send" button. You may have to wait a while because VirusTotal is a high-demand service for many users. Once the scan is finished, it will produce two tables. The table on top will show all the scans performed on it; the table on the bottom will show other information. Copy the entire table on top and paste it in your reply. Don't bother with the table formatting; it's just important that the text gets through.

Do all the above, including Deckard's System Scanner, and post all the logs that you get.
I did not run Deckard's System Scanner; I used cant be hijacked. No hidden files were found with "blacklight". I did the virustotal scan and here are the results:

Antivirus Version Update Result
AhnLab-V3 2007.5.9.0 05.09.2007 no virus found
AntiVir 7.4.0.32 06.15.2007 HEUR/Malware
Authentium 4.93.8 06.15.2007 is a security risk or a "backdoor" program
Avast 4.7.997.0 06.15.2007 no virus found

Additional Information
File size: 10752 bytes
MD5: 7109d0ea743a850fa91aef85efd7fcdc
SHA1: 1c6c7eb21dcc3df7e9bad4b98651af8be6ecb8dd

Thank you for all the help.
You did not finish the VirusTotal scan. Leave it running for at least five minutes after it has started scanning as it will use 32 different antivirus programs. Please do a Deckard's System Scanner scan.
Just a question, Fredil. How old are you, and how do you know all this stuff? You're a big help around these forums, just curious :]
Hehehe. I'm thirteen, and I know this stuff mostly by Internet study. I'm also a freshman at the Geeks to Go University, but I must say, nothing is better than experience, and practice logs don't give you the satisfaction of helping real people.
Combofix will not run; there was an error when I tried to run it. **Never mind, it worked after I restarted the computer.