A little help please.
vwsport80
Member
4. June 2007 @ 18:03
Hey guys and gals,
My computer is acting up. The firewall (Sygate) will shut down as soon as I boot up, and I can't back up movies as I get errors (which was working fine before). I'll post a HijackThis log. Any suggestions would be great. Thanks in advance.
Logfile of HijackThis v1.99.1
Scan saved at 7:57:40 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\**\Desktop\HijackThis\Scanner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/f...302/Coupons.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
This message has been edited since posting. Last time this message was edited on 5. June 2007 @ 05:25
Indochine
Senior Member
5. June 2007 @ 00:36
Well, A*** R*******, I now know your real name, and so does whoever planted KGB keylogger on your system. I suggest you cancel all your credit cards, and change all your passwords.
I've been told that I'm hopeless at speaking, that I can't do any better!
This message has been edited since posting. Last time this message was edited on 5. June 2007 @ 06:02
vwsport80
Member
5. June 2007 @ 05:12
Okay, I took my name out, and I know about the keylogger being put on it, although I thought I took it off. How would I go about getting it off my computer? Anything else popping out at you guys?
This message has been edited since posting. Last time this message was edited on 5. June 2007 @ 05:21
bluecoal
Suspended due to non-functional email address
5. June 2007 @ 05:36
Please work through these steps and see if that improves your situation.
Set your system to show hidden files. Scroll down the instructions here to find the ones for your operating system:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
You can reverse these setting changes after you finish cleaning your system.
(Edited to fix link error.)
Get ATF cleaner here:
http://www.atribune.org/content/view/25/2/
Print the instructions.
(I am going to ask you to run an online scan; my objective with this cleaner is to have you clean all the temporary file locations and all the cookies you do not have a reason to save. This will reduce the amount of "infected" items the online scan will catch. You do not need to clean the history and prefetch files if you do not want to.)
For the keylogger:
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
First check the add/remove programs for anything relating to it. If you find anything, run the remove. Next, go to C:\Program Files\KGB Keylogger and try to delete that folder. If the folder will not delete, delete as many files inside of it as you can. If the winlogons.exe file will not delete because it is in use, HijackThis has a delete file on reboot option in its misc tool section. Try that on the winlogons file. I'll get you more instructions on that if you need them.
After you get the keylogger folder removed, have HijackThis fix these lines.
(The only reason I included the last two is because they indicated missing files.)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
Then reboot the system.
Please run the atf cleaner.
Then please do an online scan. This one will not fix anything, but it is a good scan for catching things. Infections will show up on the screen report as little skulls. Those are the lines we will be interested in.
Please do an online scan with Kaspersky Online Scanner: http://www.kaspersky.com/virusscanner
1. Click on Kaspersky Online Scanner.
2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded click on Next.
5. Now click on Scan Settings.
6. In the scan settings make sure that the following are selected:
   - Scan using the following Anti-Virus database: Extended
   - Scan Options: Scan Archives, Scan Mail Bases
7. Click OK.
8. Now under select a target to scan:
   - Select My Computer.
9. This program will start and scan your system.
10. The scan will take a while so be patient and let it run.
11. Once the scan is complete it will display if your system has been infected.
   - Now click on the Save Report As button.
   - In the File name: field, type kavscan.
   - In the Save as type: field, select Text file (*.txt).
12. Save the file to your desktop.
13. Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
Then I think you should do a check for rootkits. If something shows up, I'll probably have to ask for help in advising you on getting rid of it, but the first thing is just to check it out.
Let AVG Antirootkit scan:
- Download the Beta Version of AVG AntiRootkit and save it to your desktop (at the bottom of this link: http://free.grisoft.com/doc/5390#avg-anti-rootkit-free ).
- Install the program. All applications must be closed. You will have to restart your system.
- Start antiRootkit.exe in its own folder.
- Click the button "Search for Rootkits".
- When the scan is finished, click the button "Save result to file", and rename this log to log1.
- Click the button "Perform in-depth search". You may not do anything on your machine while the scan is running.
- When the scan is finished, click the button "Save result to file", and rename this log to log2.
- Locate avgark.log in the Grisoft folder, copy its content and post it.
Then post a fresh HjT log, the Kaspersky scan log, and the rootkit log.
Thanks.
bc
This message has been edited since posting. Last time this message was edited on 8. June 2007 @ 06:05
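The responder above is doing two checks on the HijackThis log by eye: a Run entry whose executable name mimics a core Windows binary but lives outside the Windows directory (winlogons.exe in C:\Program Files\KGB Keylogger), and a service entry HijackThis marks as "(file missing)". The script below, added here as an illustration and not code from this thread or from HijackThis, performs both checks over a constructed sample built from entries quoted in the thread; the line regexes and the one-character-difference heuristic for look-alike names are my own assumptions about the log format.

```python
import os
import re

# Constructed sample in HijackThis O4/O23 format, built from entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Core Windows binaries whose names malware imitates (winlogons.exe vs winlogon.exe).
SYSTEM_BINARIES = {"winlogon", "svchost", "lsass", "services", "smss", "csrss", "explorer"}
SYSTEM_DIR = r"c:\windows"  # the genuine copies live under here
O4_RE = re.compile(r"^O4 - \S+: \[[^\]]*\] (?P<cmd>.*)$")         # Run-key entries
O23_RE = re.compile(r"^O23 - Service: .+? - .+? - (?P<cmd>.*)$")  # service entries

def exe_path(cmd):
    """Return the executable path from a command line, handling a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = sorted((a, b), key=len)
    return len(long_) - len(short) == 1 and any(long_[:k] + long_[k + 1:] == short for k in range(len(long_)))

def flag_entries(log_text):
    """Return (line, reason) pairs for entries a responder would ask about."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        if "(file missing)" in line:
            findings.append((line, "entry points at a file that is no longer on disk"))
            continue
        path = exe_path(m.group("cmd"))
        base = os.path.splitext(path.replace("\\", "/").rsplit("/", 1)[-1])[0].lower()
        if path.lower().startswith(SYSTEM_DIR):
            continue  # runs from the Windows directory, so a system-like name is expected
        for sysname in SYSTEM_BINARIES:
            if within_one_edit(base, sysname):
                findings.append((line, f"{base}.exe imitates {sysname}.exe but runs from {path}"))
                break
    return findings
```

Running flag_entries(SAMPLE_LOG) reports the winlogons.exe Run entry and the avast! Mail Scanner service, and leaves the Sygate and avast! Antivirus entries alone.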
vwsport80
Member
5. June 2007 @ 06:54
Thanks for the response. I noticed the last 2 files you mention when I posted. Should I un & reinstall Avast since it has missing files?
I'll get to work on your suggestions when I get home (at work now).
Thanks again.
bluecoal
Suspended due to non-functional email address
5. June 2007 @ 07:01
Hi,
I don't have the experience to give you a good answer on the avast question. Just thinking about what I would do if it was my computer, I think I would do the scans first and fix the things they find, and then do the avast reinstall.
bc
vwsport80
Member
5. June 2007 @ 07:28
Thanks for the advice. I'll keep you all updated.
vwsport80
Member
7. June 2007 @ 10:10
Just wanted to leave a little update.
I set it to show hidden files, already knew how to do that (BTW your link just brings me to this thread).
Got the ATF cleaner and ran it. Though you should know I have Firefox set to clean everything every time I close the browser. I also have a program for IE for when I have to use it (rarely). I think it's called IE Privacy Keeper. Cool little program.
I don't remember how I removed the key logger before (uninstall, add & remove, etc.) but obviously it didn't get everything. I looked in add & remove, nothing. I tried going to its location, nothing. Any ideas?
I should be doing the rest tonight.
If it makes any difference, it seems to crash every time I run DVD Shrink.
This message has been edited since posting. Last time this message was edited on 7. June 2007 @ 10:11