My HijackThis log. Can anyone help???
furryboo
Member
6. April 2006 @ 09:55
Logfile of HijackThis v1.99.1
Scan saved at 18:52:52, on 06/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Update03\Keygen.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\The Boo's\My Documents\utorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [Keygen] C:\Program Files\Update03\Keygen.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Senior Member
6. April 2006 @ 10:44
Hello furryboo,
I'll be helping you with your log.
You're running an anti-virus (which is good :D) but you have no software firewall installed (unless Nod32 has a firewall..??)
Remember to disable the Windows XP firewall if you have it on after you've installed a full software firewall (Control Panel > Security Centre > Windows XP Firewall OFF); the XP firewall won't do as it only works "one way", so you won't get the protection a full software firewall will give.
Please download one of the following:
ZoneAlarm free
Excellent firewall, easily the best freeware firewall and even better than some paid-for firewalls.
Download ZoneAlarm free:
http://www.zonelabs.com/store/content/company/products/znalm/free...
Agnitum firewall
Agnitum firewall is also a good firewall; I prefer ZoneAlarm though. Does the job fine and worth a try.
Download Agnitum:
http://www.agnitum.com/products/outpostfree/download.php
Kerio firewall
Kerio Personal Firewall is good too but I don't know their situation; they are about to be acquired by Sunbelt but I think they are continuing the firewall.
Download Kerio Personal Firewall:
http://www.kerio.com/kpf_download.html
I'd go for ZoneAlarm free out of all of them, excellent firewall.
These are also able firewalls:
Jetico Personal Firewall http://www.jetico.com/index.htm#/jpfirewall.htm
SoftPerfect Personal Firewall http://www.softperfect.com/products/firewall/
Wyvern Firewall 2004
http://www.wyvernworks.com/firewall.html
Please be patient, reviewing logs can take time..
This message has been edited since posting. Last time this message was edited on 7. April 2006 @ 01:53
Senior Member
6. April 2006 @ 12:05
Hello again,
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
It's your choice to remove this.
Removal
Quote: First of all close any instances of MSN Messenger & Internet Explorer (IEXPLORE.EXE), then go to Control Panel > Add/Remove programs, then scroll down to "Messenger Plus! 3", press "Uninstall the sponsor program only." As the adware bundled in the installer (as said earlier) is optional, and it isn't required for Messenger Plus! to work, it is simply a form of income for Patchou. Then follow the steps that it gives, then you can restart your computer, and your computer will be 100% free of any c2media adware, unless of course the adware has come from another source.
^^^ ^^^^
From AuditMyPC..
Put a check on these boxes:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
(Check that unless your system admin has disabled regedit..)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class)
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
(don't know what this is, don't check this yet..)
C:\Program Files\Update03\Keygen.exe
You're infected by W32.HLLW.Shower.L (Symantec AV).
Put a check on this line.
(you must end Keygen.exe in task manager before "fixing checked")
O4 - HKLM\..\Run: [Keygen] C:\Program Files\Update03\Keygen.exe
Now click "Fix Checked" and disable system restore.
Here's how to disable System Restore in XP:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/20011119...
Once disabled, restart and re-enable it: uncheck "Turn off System Restore".
Now run a Trend Micro free online virus scan to get rid of W32.HLLW.Shower.L.
http://housecall.trendmicro.com/
Once the scan has finished please copy and paste the report of whatever it has found here, then please navigate to (if found)
C:\windows\flux.exe
C:\Program Files\Update03\
and delete the folders in bold if they are still there.
After you've done that, do a clean-up with Ewido anti-malware:
Get Ewido Here:
http://www.ewido.net/en/download/
# Install ewido anti-malware.
# When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
# Launch ewido, there should be a big "E" icon on your desktop, double-click it.
# The program will prompt you to update; click the "OK" button
# The program will now go to the main screen
Update ewido:
You will need to update ewido to the latest definition files.
# On the left hand side of the main screen click update
# Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
IMPORTANT!:
Once the updates are installed do the following:
# If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
# Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
# Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
Scan with ewido:
# Click on scanner
# Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
# Click on Complete system scan
# Let the program scan the machine
# If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. The Helper assisting you will see it in the log that you will post later and they will let you know if ewido needs to be run again.
Save and Post Your Report:
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
# Click Save report
# Save the report to your desktop
# Exit ewido
Restart and post a fresh HJT log once you've done all the above.
This message has been edited since posting. Last time this message was edited on 7. April 2006 @ 09:08
-kemisti-
AfterDawn Addict
6. April 2006 @ 22:43
No need to fix this:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
You can't trust "file missing" unless it's in an O2 or O3 entry.
It's a HjT bug.
Also, Messenger Plus ISN'T installed along with a sponsor program, because there are no signs of lop in HjT log :)
This message has been edited since posting. Last time this message was edited on 6. April 2006 @ 22:53
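The triage the helpers do by hand above (flag the O7 policy entry, question O4 autoruns that can't be resolved, pull out the image the thread identified as malware, and trust "(file missing)" only on O2/O3 entries as -kemisti- says) can be scripted. The following is an added example, not code from the thread or from HijackThis; the sample lines are copied from the posted log plus one constructed O3 line with a placeholder CLSID, and KNOWN_BAD is an assumed list seeded only from this thread.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus one made-up O3 line (placeholder CLSID) to exercise the "file missing" rule.
SAMPLE_LOG = r"""
O3 - Toolbar: Constructed - {PLACEHOLDER-CLSID} - C:\example\gone.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
O4 - HKLM\..\Run: [Keygen] C:\Program Files\Update03\Keygen.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# Assumption: image names seeded only from what the helpers identified in this thread.
KNOWN_BAD = {"keygen.exe": "identified in thread as W32.HLLW.Shower.L"}

def image_of(command):
    """Executable part of an O4 command: the quoted path, or the text before the first /x or -x argument."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return re.split(r" [/-]", command, maxsplit=1)[0]

def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries):
    """Return (section, body, reason) for the entries a reviewer should look at first."""
    findings = []
    for section, body in entries:
        if section == "O7":
            findings.append((section, body, "policy restriction; malware commonly sets this to block regedit"))
        elif section == "O4" and (m := O4_RE.match(body)):
            img = image_of(m.group(3))
            name = img.rsplit("\\", 1)[-1].lower()
            if name in KNOWN_BAD:
                findings.append((section, body, KNOWN_BAD[name]))
            elif "\\" not in img or "." not in name:
                findings.append((section, body, "image not fully resolvable; check which file actually runs"))
        # Per the thread, "(file missing)" is only reliable on O2/O3 entries (HJT bug elsewhere).
        elif body.endswith("(file missing)") and section in ("O2", "O3"):
            findings.append((section, body, "missing file in O2/O3 entry; safe to fix"))
    return findings
```

On the sample, the O9 BitDefender line is deliberately not reported, while the O3 line, the two unresolvable O4 entries, Keygen.exe and the O7 policy are.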
Senior Member
7. April 2006 @ 01:53
OK then, I've removed that one line, -Kemisti-.
I don't know what this line means; it's not in any of the startup lists I have been looking at..
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS
All I know is that it's an auto-loading startup program. What is it??
This message has been edited since posting. Last time this message was edited on 7. April 2006 @ 01:55
-kemisti-
AfterDawn Addict
7. April 2006 @ 08:55
@rav009: BTW, this is Windows' own subdirectory and that's why it shouldn't be deleted ;)
C:\windows\system32\wbem
But those are your instructions and your "customer", not mine :P
Senior Member
7. April 2006 @ 09:15
EDITED, -Kemisti- you're right, I just read that one wrong. The "wbem" folder is a legit folder if it is in the system32 folder; I just read it wrong, I thought it was elsewhere..mistakes happen..
Luckily someone spotted it. Next time I think I'll post the "shadow log" elsewhere before I post it here to be checked by malware professionals...or at least read it twice; it's not as if I would have put that there if I had read it right..
Quote: But those are your instructions and your "customer", not mine :P
Now what's all that about...
-kemisti-
AfterDawn Addict
7. April 2006 @ 09:21
I mean that everyone makes mistakes and you learn when you make them :)
No hard feelings. I just mean that I'm not your "babysitter" ;)