Thread 90225 | 2008-05-27 06:11:00 | HijackThis log analysis | started by Renmoo (66) | Press F1 forum
Post 673095 | 2008-05-28 06:01:00 | Renmoo (66)
ESET online scan yielded nothing bad. Will try the method of disabling system restore and deleting the file via HijackThis.
Post 673096 | 2008-05-28 06:11:00 | Speedy Gonzales (78)
> FreeRAMXPPro is just there for me to monitor the amount of free RAM available. I don't ever use its function of freeing up the RAM :)

Ok well up to you if you leave this here.

> TeaTimer.exe (as part of Spybot S&D) is responsible for monitoring entries that have been added or deleted from the startup list.

I think TeaTimer can also block some things from installing properly, if it's running in the background.

> As for this entry: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
> It is just the Windows Defender application?

I know it is, can't you run it manually?? Does it actually do anything tho?

> This entry: O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
> Got me googling for quite some time. Not entirely sure whether it is a legitimate program.

I see you've got a restore partition. I'm not too sure whether this has anything to do with it tho. I've never had a restore partition on any pc to find out.

> I have tried deleting O20 - Winlogon Notify: yayvSjkL - C:\WINDOWS\SYSTEM32\yayvSjkL.dll under safe mode (without turning off System Restore), but it still remains. Will it make a difference if I turn off System Restore in the first place?

It should, but it'll probably work if you deleted (or tried to delete it in safe mode). I usually disable system restore, show system files / right mouse on the SR folder, add myself to it (properties/security). And delete the files in the SR folder (after I disable SR). Then turn SR back on. Altho, IMO SR is a waste of time and space. The only thing it's good for is storing trojans / viruses etc.
Post 673097 | 2008-05-28 06:12:00 | Speedy Gonzales (78)
> ESET online scan yielded nothing bad. Will try the method of disabling system restore and deleting the file via HijackThis.

Delete the file itself, in safe mode, if HJT won't remove it.
Post 673098 | 2008-05-28 12:09:00 | Renmoo (66)
> Delete the file itself, in safe mode, if HJT won't remove it.

Cheers Speedy. This method worked out fine! :thumbs: Guys: Hip Hip...
Post 673099 | 2008-05-28 12:10:00 | Speedy Gonzales (78)
Cool, hopefully it doesn't come back, if you disabled system restore first :banana
Post 673100 | 2008-05-29 00:46:00 | Pancake (6359)
Just to make sure it's out of the registry...

Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *Notepad* and copy/paste the text in the quotebox below into it:

```
Killall::

File::
C:\WINDOWS\system32\yayvSjkL.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54018E98-10E3-46C6-9673-2999253F9C65}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zshutdown"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54018E98-10E3-46C6-9673-2999253F9C65}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvSjkL]
```

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

(Picture: users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
Post 673101 | 2008-06-01 00:01:00 | Renmoo (66)
Pancake: Done.

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:53 a.m., on 1/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
D:\Program Backup\FreeRAM XP Pro 1.40.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\Program Files\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BOINC\projects\www.worldcommunitygrid.org\wcg_rice_6.15_windows_intelx86
C:\Program Files\BOINC\projects\www.worldcommunitygrid.org\wcg_faah_autodock_6.05_windows_intelx86
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Backup\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///mindyourownbusiness
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www.ec.auckland.ac.nz:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Backup\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [YahooWidget] "C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - Startup: TransBar.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: Y'z Shadow.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O4 - Startup: RocketDock.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\Program Files\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - www.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - messenger.zone.msn.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe

--
End of file - 11485 bytes
```

Oddly enough, my Avast system tray icon has disappeared. Cheers :)
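Pancake confirmed by eye that the fresh log no longer shows the entries the CFScript targeted. As an added example (not code from the thread, from ComboFix or from HijackThis), the check below extracts the indicators a CFScript targets and lists any HijackThis entries that still reference them. The CFScript and both log excerpts are constructed for the example; the O2 BHO line is invented to exercise the CLSID match, the other lines mirror entries quoted in the thread.

```python
import re
# Constructed inputs (not from the thread): a CFScript in the shape Pancake
# posted, and HijackThis log excerpts from before and after running it.
CFSCRIPT = r"""Killall::
File::
C:\WINDOWS\system32\yayvSjkL.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54018E98-10E3-46C6-9673-2999253F9C65}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zshutdown"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayvSjkL]
"""
LOG_BEFORE = r"""O2 - BHO: (no name) - {54018E98-10E3-46C6-9673-2999253F9C65} - C:\WINDOWS\system32\yayvSjkL.dll
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O20 - Winlogon Notify: yayvSjkL - C:\WINDOWS\SYSTEM32\yayvSjkL.dll
"""
LOG_AFTER = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^"([^"]+)"=-$')            # "Name"=-  deletes a registry value
HJT_LINE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")   # e.g. "O20 - Winlogon Notify: ..."

def cfscript_indicators(script):
    """Lower-cased file names, CLSIDs, deleted value names and deleted key leaves."""
    found, section = set(), None
    for line in (l.strip() for l in script.splitlines() if l.strip()):
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section == "file":
            found.add(line.rsplit("\\", 1)[-1].lower())          # -> yayvsjkl.dll
        elif section == "registry":
            found.update(g.lower() for g in GUID_RE.findall(line))
            if value := VALUE_RE.match(line):                      # -> zshutdown
                found.add(value.group(1).lower())
            elif line.startswith("[-") and not GUID_RE.search(line):
                found.add(line.rstrip("]").rsplit("\\", 1)[-1].lower())  # -> yayvsjkl
    return found

def leftover_entries(hjt_log, indicators):
    """HJT entries (code, text) that still reference any scripted indicator."""
    hits = []
    for line in hjt_log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m and any(ind in m.group(2).lower() for ind in indicators):
            hits.append(m.groups())
    return hits
```

Only the coded R/F/N/O entries are checked, so a stray file in the "Running processes" list is not caught; a short deleted value name can also match unrelated text, so read hits before acting on them.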
Post 673102 | 2008-06-01 00:08:00 | Pancake (6359)
Yes, that's cleaned it out. You should be fine now. As for the tray icon, try a reinstall.
Post 673103 | 2008-06-01 00:19:00 | Renmoo (66)
> Yes, that's cleaned it out. You should be fine now. As for the tray icon, try a reinstall.

Cheers Pancake. :D :)
Post 673104 | 2008-06-01 22:55:00 | Cicero (40)
I can't read these things at all, just wondered if Pancake knows more of these things than Speedy.