| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 83712 | 2007-10-10 08:50:00 | Installing XP SP2 and Autopatcher | Grimy (3041) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 600224 | 2007-10-10 22:02:00 | I think they'd prolly be sufficient...but run them in Safe Mode to really clean the system better. | SurferJoe46 (51) | ||
| 600225 | 2007-10-11 08:16:00 | Would posting a HJT log be a good idea? | Grimy (3041) | ||
| 600226 | 2007-10-11 08:22:00 | Would posting a HJT log be a good idea? Wont hurt. Put it in its own folder first, then run it then click on scan the system and save a log. |
Speedy Gonzales (78) | ||
| 600227 | 2007-10-11 08:31:00 | Will do Speedy. Not sure when as the neighbours do shift work and not home much when I am. Usually the best day is Saturday, but as it's my wedding anniversary this one coming I could be in a bit of strife if I say I'm popping over to play on the neighbours PC instead of going out to lunch! | Grimy (3041) | ||
| 600228 | 2007-11-03 01:53:00 | Hi Speedy, Would you please have a look at the following HJT log and let me know if there is anything nasty, or likely to be a problem with upgrading to SP2. I Updated Trojan Remover, Ad-Aware, Spybot and AVG this morning before getting this log. Many thanks. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:15:00 p.m., on 3/11/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\windows\system\hpsysdrv.exe C:\Program Files\USB Storage RW\shwicon.exe C:\Windows\system32\HpSrvUI.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\HP\KBD\KBD.EXE C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\SiteAdvisor\SiteAdv.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\SoftwareDistribution\Download\f941c900a 413f153861a4032214a1aec\update\update.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clear.net.nz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.clear.net.nz/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Clear.net O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW" O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\System32\mmsvc32.exe O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\System32\spools.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.clear.net.nz/ O17 - HKLM\System\CCS\Services\Tcpip\..\{E9B120C9-0905-4BF3-8912-AAE1CD91C16B}: NameServer = 203.97.33.14 203.97.37.14 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 6417 bytes |
Grimy (3041) | ||
| 600229 | 2007-11-03 02:02:00 | Lucky you didnt put SP2 on it, its got worms. Run HJT again, tick these entries then tick fix checked O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Looks like this belongs to this (www.sophos.com) O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINDOWS\System32\mmsvc32.exe And this belongs to this (www.sophos.com) O4 - HKLM\..\Run: [Spools Service Controller] C:\WINDOWS\System32\spools.exe This is safe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install Was trojan remover updated?? Its now upto 6.6.3 it should have picked up Kassbot If not, run it again update it click on scan, and select all options under the utilities menu. This entry looks suss C:\WINDOWS\SoftwareDistribution\Download\f941c900a 413f153861a4032214a1aec\update\update.exe |
Speedy Gonzales (78) | ||
| 600230 | 2007-11-03 03:17:00 | Hi Speedy, thanks for that. Yes TR was updated this morning to the latest definitions (I'm using the paid version). I tick all the entries you mention? What does "This is safe" mean? Many thanks for your help. TR Version 6.6.3.2497 Database 6886 2/11/07. |
Grimy (3041) | ||
| 600231 | 2007-11-03 03:21:00 | What does "This is safe" mean?. It means its not nasty or malware, but doesnt have to be in startup. I would kill Windows messenger and get MSN messenger or whatever its called now. Thats if u use it. |
Speedy Gonzales (78) | ||
| 600232 | 2007-11-03 03:26:00 | So if I tick the This is safe items and then tick fix checked, does it remove them completely, or just from start-up? Sorry, I may be being a bit thick, but just being careful as it's not my PC. Thanks. | Grimy (3041) | ||
| 600233 | 2007-11-03 03:30:00 | You tick all of the entries I posted. And then find and delete. C:\WINDOWS\System32\spools.exe <--- And this file C:\WINDOWS\System32\mmsvc32.exe<--- If they dont delete in normal Windows, delete them in safe mode. You may have to disable System restore too, in case they come back. After u tick the safe entries, it just stops them from running on startup, it doesnt uninstall them completely. |
Speedy Gonzales (78) | ||
| 1 2 3 | |||||