| Thread ID: 59038 | 2005-06-19 15:13:00 | In desperate need of help, many programs won't open | Jackp (8381) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 365350 | 2005-06-19 15:13:00 | I have reason to believe my computer is running several worms and pieces of spyware that I cannot get rid of, I have McAfee and Ad Aware, McAfee says the computer is not running any viruses which does not seem to be the case, if someone could help me out I would greatly appreciate it, HijackThis log, run from safe mode: Logfile of HijackThis v1.99.1 Scan saved at 23:01:29, on 20/01/2000 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Thank you |
Jackp (8381) | ||
| 365351 | 2005-06-19 15:41:00 | Welcome to Press F1, Jackp. Sorry, I'm not expert enough to analyse your log - but I can tell that your calendar is running 5 years 4 months slow. No doubt the Hijack people will do better for you later... |
Laura (43) | ||
| 365352 | 2005-06-19 18:28:00 | That sure is loaded with nasties. This (www.hijackthis.de) is your HijackThis log and it shows what needs to be fixed. I see quite a few worms and trojans. :( Update your virus scanner, get a firewall e.g. ZoneAlarm, swap over to Firefox as your browser instead of IE, download Ad-Aware and Spybot Search & Destroy. Update them and run them and it should fix your problem. If you have any more problems post back, :) good luck :thumbs: |
Prescott (11) | ||
| 365353 | 2005-06-19 20:04:00 | Nice site Prescott, that will come in handy, thanks | beama (111) | ||
| 365354 | 2005-06-19 20:15:00 | Hi, firstly thanks a lot for your help, I wasn't aware that there was a site that could analyze those logs automatically so cheers. I rescanned after removing the entries with HijackThis and the site and got this www.hijackthis.de I'm going to go back into safe mode and remove those two entries but I don't think they are that important because they weren't there on the last scan. I have also virus scanned with an up to date program and that removed many infected files etc. Unfortunately I'm still having some problems - "HijackThis", "McAfee" and "Windows Task Manager" will still not open unless in safe mode, I thought that this was because of a virus called 'winlogon' which runs in system32. However I could not see any process related to this in the 'HijackThis' scan - when I open IE I sometimes get a load of new browser windows repeatedly opening up to 10 times with the 'Windows XP security page' displayed, this is not the actual page obviously but the URL directs to some file in my 'My Documents'. - even though I have scanned with Ad-Aware and Spybot S&D I am still getting these popups that say "come to my site" etc. in a little dialogue box. If you could help with any of these problems it would be great, cheers. |
Jackp (8381) | ||
| 365355 | 2005-06-19 20:42:00 | Have a look at the FAQs at the top of this page. Some more programs and online scans for you to try. SpywareBlaster here (www.javacoolsoftware.com) Stinger stinger (vil.nai.com) CWShredder here (www.spywareinfo.com) http://hjt.iamnotageek.com/ Online scans: Spyware scan here (www.windowsecurity.com) Trend Micro here (http://housecall.trendmicro.com/) Panda here (www.pandasoftware.com) BitDefender here (www.bitdefender.com) Symantec here (security.symantec.com) hth |
johnboy (217) | ||
| 365356 | 2005-06-19 21:14:00 | Thanks from me too Prescott. It's shown I have a nasty as well. | Neil McC (178) | ||
| 365357 | 2005-06-19 23:31:00 | Hi Jack (always wanted to post that on a hijack thread :p) Do reset your computer date and time, because leaving it back in 2000 may inhibit automatic AV or other security program updates or notifications. Also, I didn't notice any mention of firewall protection and at the very least you should have ZoneAlarm or similar installed. Without a firewall you are leaving yourself open to virtually instant re-infection the minute you go back on line. You should also have Spybot and MS-AntiSpy installed, the combination of those three will catch just about any nasties you might pick up. AFAIK only MS-AntiSpy will do a scheduled daily scan, at least for the free version, but I can't see anything about scheduled scans in the free versions of Ad-Aware or SpyBot so set up your AV and MS-AntiSpy to auto-scan daily. At this stage don't waste your time changing browsers, IE is quite OK so long as you keep your security updates current, use a good firewall and don't surf recklessly. I base that opinion on 10 years of infection-free surfing, protected only by Norton AV, ZoneAlarm, regular security updates, and good old-fashioned commonsense. Other opinions and computer-health experiences may vary. Cheers Billy 8-{) :2cents: |
Billy T (70) | ||
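
The kind of automated HijackThis log triage mentioned in this thread, sketched as an added example: it is not part of any post and is not how hijackthis.de works. The heuristics, the function names and the sample entries are assumptions constructed for illustration, and a flag means "review this entry", not that it is malicious.

```python
import re

# Each HijackThis finding starts with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
BOUNDARY = re.compile(r"(?<!\S)(?=(?:[RF][0-3]|N[1-4]|O\d{1,2}) - )")
IS_ENTRY = re.compile(r"(?:[RF][0-3]|N[1-4]|O\d{1,2}) - ")

def split_entries(flat_log):
    """Recover one finding per item from a log pasted as a single line."""
    parts = (p.strip() for p in BOUNDARY.split(flat_log))
    return [p for p in parts if IS_ENTRY.match(p)]

def review_reasons(entry):
    """Triage hints for one finding. Assumed heuristics, not verdicts."""
    code, _, body = entry.partition(" - ")
    reasons = []
    if code in ("R0", "R1") and "res://" in body.lower():
        reasons.append("IE page setting points into a local file")
    if code == "O4" and "]" in body:
        command = body.split("]", 1)[1].strip()
        if command and "\\" not in command:
            reasons.append("autorun command has no directory path")
    if code == "O23" and "Unknown owner" in body:
        reasons.append("no owner could be read for the service binary")
    if code == "O23" and "(file missing)" in body:
        reasons.append("service points at a missing file")
    return reasons

def triage(flat_log):
    """Map each flagged finding to its reasons; unflagged ones are left out."""
    flagged = {}
    for entry in split_entries(flat_log):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged

# Constructed sample: made-up names and paths, flattened the way a forum paste is.
SAMPLE = " ".join([
    r"Running processes: C:\WINDOWS\Explorer.EXE",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\example.dll/sp.html",
    r"O4 - HKLM\..\Run: [Example Updater] exupd32.exe",
    r'O4 - HKLM\..\Run: [Example Player] "C:\Program Files\Example\player.exe" -boot',
    r"O23 - Service: Example Agent (ExAgent) - Unknown owner - C:\WINDOWS\exagent.exe (file missing)",
    r"O23 - Service: Example Audio (ExAudio) - Example Corp. - C:\Program Files\Example\audio.exe",
])

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE).items():
        print(entry, "->", "; ".join(reasons))
```

The bare-filename check also fires on legitimate vendor utilities that register without a path, so its output is a list to review rather than a removal list.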