Solve : HijackThis log - I need help please :/?


Quote

oddjob, what are these?

C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe

USR is U.S. Robotics... It's my modem I use.

Quote
Well, umm, I have a lil question... Should I just attach my next logs? Because I noticed that's a lot of stuff there >.<
Don't worry, it's fine to just post them normally. AVG cleaned up quite a bit, so your future virus-scan logs shouldn't be so big. Unfortunately, AVG didn't clean up that worm, which disappoints me some, but hey, it can't get everything. Worms can be a little trickier at times. Your log is a bit cleaner, but there's still some junk in there. The ones that concern me most are...

(NOTE: The following is just an observation. Whether I'm right or not, I would advise to not take any action until someone with more experience tells you to.)

O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - C:\Windows\System32\iudum.dll (file missing)
I can't find any information on the CLSID or filename. It could be harmless, but I think it generally isn't a good idea when you can't find any information on something. HJT says that the file is missing, and if that's true, checking it for removal should be safe either way. IF you can find the file in C:\Windows\system32, then scan it on VirusTotal and post the results.

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

These two identical entries show traces of CoolWebSearch still remaining on your computer. As I have some experience with this particular infection, I might not get scolded too bad for telling you what to do. Heh.

(You might want to print this out or save it to a Notepad file...)
1. Find those entries (they look the same, but there's two of them) and check them for removal.
2. Close all windows (including this one), except for HJT. Click on Fix Selected.
3. Reboot into Safe Mode.
4. Open up Add/Remove Programs and uninstall any mention of MyWebSearch or CoolWebSearch.
5. Navigate to C:\Program Files\MyWebSearch and delete it. Also look for a CoolWebSearch folder and delete it if you find one.
6. Just to be thorough, run through the CWShredder procedure again. Then post another log to see if we've gotten rid of the infection.

O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\two.exe
I'm not very familiar with Firefox, so I don't know if two.exe is a normal executable. But I suspect it may be malicious. A bit of research leads me to think that it's a PurityScan infection, but this isn't the type of filename that I'm used to seeing, so I'm not 100% positive. Head over to VirusTotal and do a scan of C:\Program Files\Mozilla Firefox\two.exe and post the log.

O20 - Winlogon Notify: mszsrn32 - C:\Windows\System32\mszsrn32.dll
Here's our friend the worm again. I can't find any guides for proper removal for this particular infection, so my suggestion would be to fix the entry in HJT and then delete C:\Windows\System32\mszsrn32.dll in Safe Mode. However, I'll have to ask you to await the approval of oddjob or someone else.

There are a few more entries I would suggest that you fix, but the above entries are the ones that need immediate attention. Unfortunately, I'm still a trainee, so I can only extend my help so far. I'm confident when it comes to a simple infection such as CoolWebSearch, but there is some semi-unfamiliar territory here and I would really hate to advise you in the wrong direction. The best I can do right now without getting in trouble is help diagnose. But don't worry, we'll get this problem sorted out for you soon enough. Thank you for your patience.

Kurt, 2 other things you can do in the meantime.
DLoad Stinger.
Disconnect from the web.
Turn off system restore.
Re-boot into safe mode.
Run Stinger.
Re-run AVG anti-spyware.

It's possible these nasties are hiding in restore points and coming back each restart.

Let us know.

Looks like oddjob is busy with things right now. He's told me to take a crack at this, so I'll be advising you as much as I possibly can. Sir patio makes a good point; follow his instructions. And because it's been a couple of days, please post a fresh log so we have a more current view of what we're working with here.

Quote
O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - C:\Windows\System32\iudum.dll (file missing)
I can't find any information on the CLSID or filename. It could be harmless, but I think it generally isn't a good idea when you can't find any information on something. HJT says that the file is missing, and if that's true, checking it for removal should be safe either way. IF you can find the file in C:\Windows\system32, then scan it on VirusTotal and post the results.

This file isn't there.

Quote
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

These two identical entries show traces of CoolWebSearch still remaining on your computer. As I have some experience with this particular infection, I might not get scolded too bad for telling you what to do. Heh.

(You might want to print this out or save it to a Notepad file...)
1. Find those entries (they look the same, but there's two of them) and check them for removal.
2. Close all windows (including this one), except for HJT. Click on Fix Selected.
3. Reboot into Safe Mode.
4. Open up Add/Remove Programs and uninstall any mention of MyWebSearch or CoolWebSearch.
5. Navigate to C:\Program Files\MyWebSearch and delete it. Also look for a CoolWebSearch folder and delete it if you find one.
6. Just to be thorough, run through the CWShredder procedure again. Then post another log to see if we've gotten rid of the infection.

Neither of them was in the HJT log, and the folders weren't in my Program Files either.

Quote
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\two.exe
I'm not very familiar with Firefox, so I don't know if two.exe is a normal executable. But I suspect it may be malicious. A bit of research leads me to think that it's a PurityScan infection, but this isn't the type of filename that I'm used to seeing, so I'm not 100% positive. Head over to VirusTotal and do a scan of C:\Program Files\Mozilla Firefox\two.exe and post the log.

This file is no longer there either. I checked my AVG log and this file is in the infections and was quarantined.

Quote
O20 - Winlogon Notify: mszsrn32 - C:\Windows\System32\mszsrn32.dll
Here's our friend the worm again. I can't find any guides for proper removal for this particular infection, so my suggestion would be to fix the entry in HJT and then delete C:\Windows\System32\mszsrn32.dll in Safe Mode. However, I'll have to ask you to await the approval of oddjob or someone else.

This file says (file missing) in the HJT log. I have this file quarantined in AVG as well.

Here is my new HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 11:31:54 PM, on 3/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1128817780\ee\aolsoftware.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Windows\twain_32\SiPix\SCDeluxe\DELUXECC.exe
c:\program files\common files\aol\1128817780\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1128817780\ee\aolsoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\LVComsX.exe
C:\Documents and Settings\Administrator\Desktop\High Jack This\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - C:\Windows\System32\iudum.dll (file missing)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128817780\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\two.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DELUXECC] C:\Windows\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Startup: Dora Fairytale Adventures Registration.lnk = D:\ATR1.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{869C53F5-AF1E-4866-AAD5-BC4E503BCB34}: NameServer = 64.136.28.122 64.136.20.122
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mszsrn32 - C:\Windows\System32\mszsrn32.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\7.6 YurOTs\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Patio, where would the best place to DLoad Stinger be?

Quote
Patio, where would the best place to DLoad Stinger be?
Try this ...

http://vil.nai.com/vil/stinger/

Also ... log reviewers ... like CBMatt says ... look/research these entries ...

O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\two.exe
>> probably not what you think it is.

O20 - Winlogon Notify: mszsrn32 - C:\Windows\System32\mszsrn32.dll (file missing)
>> a worm.

In safe mode ... fix both with HJT & delete corresponding files, if present.


MyWebSearch can be more of a nuisance than real malware (if it's still around). If OP wants to ensure it's gone ... fix MyWebSearch related entries in HJT & delete the folder ......

C:\Program Files\MyWebSearch


Afterwards ... fresh HJT log in normal mode & update on how machine is running.


OJ
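As an added worked example (not part of this thread, of HijackThis, or of any vendor tool): the checks the reviewers above apply by hand, written as a small Python triage script over a few entries copied from the HJT log posted earlier. It flags "(file missing)" entries as orphaned registry references, unnamed O2 BHOs as worth researching, O4 Run values that borrow a Windows process name like [explorer] but launch some other binary (the two.exe line), and O20 Winlogon Notify packages not in a baseline list (the mszsrn32 line). The SYSTEM_PROCESS_NAMES and WINLOGON_NOTIFY_BASELINE sets are illustrative assumptions for this example, not HijackThis's own whitelist.

```python
"""Triage HijackThis (HJT) log entries the way a log reviewer does by hand.
Added example for this thread; it is not HijackThis code or a vendor tool."""
import re

# Constructed sample: entries copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - C:\Windows\System32\iudum.dll (file missing)
O4 - HKLM\..\Run: [explorer] C:\Program Files\Mozilla Firefox\two.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mszsrn32 - C:\Windows\System32\mszsrn32.dll (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
"""

# Every HJT entry starts with a section code ("O4", "R1", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>.+?\.(?:exe|com|bat|scr))\b', re.I)
MISSING = "(file missing)"

# Assumed lists for this example only (not an HJT whitelist):
# Windows process names that malware likes to borrow as Run value names ...
SYSTEM_PROCESS_NAMES = {"explorer", "svchost", "lsass", "services", "winlogon", "csrss", "smss", "spoolsv"}
# ... and Winlogon Notify packages treated as baseline on an XP box with Intel graphics.
WINLOGON_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                            "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}


def parse_entry(line):
    """Split one log line into section code, body and the '(file missing)' flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    return {"kind": m.group("kind"), "body": body, "missing": missing, "raw": line.strip()}


def exe_basename(cmd):
    """Lower-cased file name of the program a Run command launches (quotes and arguments dropped)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else cmd.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return the entries a reviewer should look at, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        kind, body, reasons = e["kind"], e["body"], []
        if e["missing"]:
            reasons.append("file missing: orphaned reference, fixing it only removes the registry entry")
        if kind == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO: research the CLSID before trusting it")
        if kind == "O4" and "Run:" in body:
            rv = RUN_RE.search(body)
            if rv:
                name, exe = rv.group("name"), exe_basename(rv.group("cmd"))
                if name.lower() in SYSTEM_PROCESS_NAMES and exe != f"{name.lower()}.exe":
                    reasons.append(f"Run value '{name}' borrows a Windows process name but launches {exe}")
        if kind == "O20":
            nm = re.match(r"Winlogon Notify:\s*(\S+)", body)
            if nm and nm.group(1).lower() not in WINLOGON_NOTIFY_BASELINE:
                reasons.append(f"Winlogon Notify package '{nm.group(1)}' is not in the assumed baseline")
        if kind == "O23" and "Unknown owner" in body and e["missing"]:
            reasons.append("service with unknown owner and missing binary: leftover or removed malware")
        if reasons:
            findings.append({"kind": kind, "entry": e["raw"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["entry"])
        for r in f["reasons"]:
            print("   >>", r)
```

Run against the sample, the script reports four entries: the unnamed iudum.dll BHO, the [explorer] Run value pointing at two.exe, the mszsrn32 Winlogon Notify package, and the UMWdf service with its missing binary; InCD, the Intel igfxcui notify DLL, the Acrobat BHO and the dumprep entry pass through unflagged. The "(file missing)" rule mirrors the point made in the thread: when the file is really gone, fixing the entry in HJT removes only the dangling registry reference, so it is low-risk either way.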

