HiJackThis log

My computer freezes. Can only work in Safe Mode.
Avast shows no viruses, have done thorough and boot scans.
I’ve just downloaded MBam and am running that right now.
I’ve never reformatted, but am very inclined to go back to XP and willing to give it the ole college try.

I’ve attached all of the results of scans (sorry, files too large!), along with what may have been the initial infection (SnagIt snapshot) - though I did not run the systemtoolslisted.exe, but bought the professional Avast and got started trying to clean up. I also have uploaded a screen shot of the Event Viewer when the system freezes.

Please let me know if you see anything. I thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:16 PM, on 12/4/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\micro office\Office12\OUTLOOK.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
E:\micro office\Office12\WINWORD.EXE
C:\Users\Roberta\Downloads\sdsetup(2).exe
C:\Users\Roberta\AppData\Local\Temp\is-AUG2K.tmp\sdsetup(2).tmp
C:\Users\Roberta\AppData\Local\Temp\is-7J89Q.tmp\iMonitor.exe
C:\Users\Roberta\AppData\Local\Temp\Temp1_HiJackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Time Stand Still\MSDXM6.OCX
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROO~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROO~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe


End of file - 5954 bytes

Malwarebytes should be able to remove the infection; if not, a more advanced program such as SmitFraudFix or something might be in order.

Doesn’t look like much is bad in your hjt log.

Vista SP1 has been available since April 2008:
http://www.microsoft.com/downloads/details.aspx?FamilyId=B0C7136D-5EBB-413B-89C9-CB3D06D12674&displaylang=en

Vista SP2 has been available since May 2009:
http://www.microsoft.com/downloads/details.aspx?FamilyID=a4dd31d5-f907-4406-9012-a5c3199ea2b3&displaylang=en

You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

IE8 is more secure than IE7 and has much better performance:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Adobe Acrobat 6.0 is very vulnerable to attack so go to Add/Remove programs and un-install it.

Adobe Acrobat 9.2 is the current version:
http://get.adobe.com/reader

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Hi rkstarkey,

You have a malware downloader on your system.

Fix the following two entries using HJT:

C:\Users\Roberta\Downloads\sdsetup(2).exe

C:\Users\Roberta\AppData\Local\Temp\is-AUG2K.tmp\sdsetup(2).tmp

This one you can check through opening Task Manager for mem consumption…

C:\Users\Roberta\AppData\Local\Temp\is-7J89Q.tmp\iMonitor.exe (Sophos genuine)

polonus
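The triage polonus applied above (executables running from the user's Downloads and Temp folders, plus toolbar and BHO entries whose file is gone) can be checked mechanically. The script below is an added example, not part of the thread: it parses the "Running processes" and R3/O2/O3 sections of a HijackThis log. The sample log is a constructed excerpt of the first log in this thread, and the allowlist that excuses HijackThis itself (normally unzipped into Temp) is an assumption.

```python
import re

# Constructed excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Roberta\Downloads\sdsetup(2).exe
C:\Users\Roberta\AppData\Local\Temp\is-AUG2K.tmp\sdsetup(2).tmp
C:\Users\Roberta\AppData\Local\Temp\is-7J89Q.tmp\iMonitor.exe
C:\Users\Roberta\AppData\Local\Temp\Temp1_HiJackThis.zip\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# User-writable locations from which an installed program normally never runs.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Assumed allowlist: the analysis tool itself is usually run straight from Temp.
KNOWN_TOOLS = {"hijackthis.exe"}


def running_processes(log):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    lines = log.splitlines()
    if "Running processes:" not in lines:
        return []
    procs = []
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def flag_processes(log):
    """Split Temp/Downloads processes into (needs follow-up, known tools)."""
    suspicious, tools = [], []
    for path in running_processes(log):
        if USER_WRITABLE.search(path):
            name = path.rsplit("\\", 1)[-1].lower()
            (tools if name in KNOWN_TOOLS else suspicious).append(path)
    return suspicious, tools


def orphaned_entries(log):
    """R3/O2/O3 entries whose registered file no longer exists: safe cleanup candidates."""
    return [l for l in log.splitlines()
            if l[:2] in ("R3", "O2", "O3") and l.endswith("(no file)")]
```

Everything in `suspicious` is a candidate for manual follow-up (Task Manager, vendor lookup), which is why iMonitor.exe is still listed even though polonus judged it genuine.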

Thank you all from the bottom of my heart. MBam did not show any infections.

Polonus: I am sorry, I have not used HJT before, and when I do a scan I cannot locate any of these files in the results on the screen in order to ‘fix’ them. I see them in the log file, but not in the HJT window. Pulling up the Task Manager, I still don’t see the last one… I am new to the ‘under the hood’ processes.
Can I go into my harddrive and delete it there?
Roberta

Hi Roberta,

Yep, only kill C:\Users\Roberta\Downloads\sdsetup(2).exe

C:\Users\Roberta\AppData\Local\Temp\is-AUG2K.tmp\sdsetup(2).tmp

Maybe you have to do that from Safe Mode.

polonus

Hi Polonus,
I deleted C:\Users\Roberta\Downloads\sdsetup(2).exe
But I couldn’t find C:\Users\Roberta\AppData\Local\Temp\is-AUG2K.tmp\sdsetup(2).tmp

Then I ran the HJT again, got an error (attached in another reply) and the log is below.

But the monitor went into fuzzy mode (see the screen shot attached in another reply), and when I rebooted in normal mode it goes into fuzzy mode but completely freezes. I can still get around fuzzily in Safe Mode.

I think I still have a problem.
Here’s my new HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:10 PM, on 12/7/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Roberta\AppData\Local\Temp\Temp2_HiJackThis.zip\HijackThis.exe
C:\Windows\system32\Taskmgr.exe
E:\micro office\Office12\OUTLOOK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts file is located at: C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Time Stand Still\MSDXM6.OCX
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROO~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROO~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - Winlogon Notify: DPWLN - C:\Windows\system32\DPWLEvHd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\System32\nvSCPAPISvr.exe
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Service.exe


End of file - 5365 bytes

Here is my HJT error

Here’s a screen shot of what my monitor looks like when it goes into fuzzy mode while in safe mode…

After I uploaded it, I realized the screen shot looks perfect, but in reality it is very blurry.

Any more ideas?

Have you tried updating your video card drivers?

Have you downloaded the service packs and updates that were suggested?

Hi:

It is highly recommended NOT to get ANY of the new Service Packs unless you are reasonably sure you are malware-free, which is NOT your current “situation”. Unless “essexboy” comes here, perhaps you need to have an experienced, certified, Volunteer “Malware Removal Specialist” (like “essexboy”) recommend a Course of Action on an Advanced Malware Removal Forum, such as the One at www.geekstogo.com !?

Ok, and thank you for this! I tried downloading SP1 and my computer did something (I don’t remember what), but I have not bothered.
I did check my video card driver, but maybe I should uninstall it and reinstall?
I took a screenshot of what the fuzzies are all about, but the screen shot shows it’s perfect.

I don’t know if I’m right or not, suggesting a video card driver update.

Others have said that you still have malware on your computer, but I’ve never seen malware make a monitor “fuzzy” as you explain. I’ve only seen driver and monitor problems cause this.

However, since you have system lockups and other problems, I’d take spiritsong’s advice and head over to geekstogo to see if someone can look into your hijackthis log more deeply, or to suggest some other removal tools/procedures.

If avast and malwarebytes aren’t finding anything, that can’t be a good sign.

The Fuzzy Video problem is reminding me of a problem a friend of mine had about 2 weeks ago. She suddenly started telling us that our Blogs’ Comment Boxes were fuzzy and had weird colors and shadows in them. We told her that NOPE! On our end everything was fine. I told her to send me a Screen Capture of her video problem. She did. But, like in YOUR case, her Screen Capture showed perfect video.

She started thinking that maybe this friend of hers who does computer maintenance on her computer might have changed a setting. He denied it, but did suggest to her to check some Video Setting … some Sharpness Video Setting somewhere. That was it. Her video problem went away. Since her friend still denied that he had changed that Video Setting, her best theory in thinking back is that it’s possible that her video problem happened right after a Windows Update.