| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 78515 | 2007-04-18 10:10:00 | Internet usage troubles! | Chris815 (10270) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 542098 | 2007-04-18 12:05:00 | Okay, here it is: --------------------------------------------- Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 10:25:19 p.m., on 18/04/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Chris\My Documents\My Received Files\HiJackThis_v2.exe C:\Program Files\Internet Explorer\iexplore.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Adobe Gamma.lnk.disabled O4 - Startup: PowerReg Scheduler V3.exe O4 - Global Startup: Adobe Gamma Loader.lnk.disabled O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003 O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002 O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000 O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dl l,-115 - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll O9 - Extra 'Tools' menuitem: ImageShack Toolbar - {BB8A8834-A0A1-4d70-A21A-72FF89AA737A} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://toolbar.imageshack.us O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - by13fd.bay13.hotmail.msn.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - toolbar.imageshack.us O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - www.linksysfix.com O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} - O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing) O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe -- End of file - 8325 bytes --------------------------------------------- I don't have any of the Sony stuff mentioned in there, I uninstalled them. |
Chris815 (10270) | ||
| 542099 | 2007-04-18 12:22:00 | Put HJT in its own folder then run it again, tick these entries then tick fix checked. Close browser/s. O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Startup: Adobe Gamma.lnk.disabled O4 - Startup: PowerReg Scheduler V3.exe <- This maybe adware. O4 - Global Startup: Adobe Gamma Loader.lnk.disabled O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled Did u add this as a trusted zone? O15 - Trusted Zone: http://toolbar.imageshack.us If not tick it. O23 - Service: Microsoft authenticate service (Ms |
Speedy Gonzales (78) | ||
| 542100 | 2007-04-18 12:25:00 | And close browsers. | Speedy Gonzales (78) | ||
| 542101 | 2007-04-18 12:27:00 | Just in case the forum kills the above post, I'll post it again Put HJT in its own folder then run it again, tick these entries then tick fix checked. Close browser/s. O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - Startup: Adobe Gamma.lnk.disabled O4 - Startup: PowerReg Scheduler V3.exe <- This maybe adware. O4 - Global Startup: Adobe Gamma Loader.lnk.disabled O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled Did u add this as a trusted zone? O15 - Trusted Zone: http://toolbar.imageshack.us If not tick it. O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) <- This belongs to a worm. Boot into safe mode after. delete msasvc.exe Get trojan remover in my sig below install make sure its up to date (click update) then scan. Then select the 3rd to 7th option under the utilities menu. Get Spybot (www.spybot.info) and the detection updates. Install both then scan. And get a firewall. |
Speedy Gonzales (78) | ||
| 542102 | 2007-04-19 00:00:00 | Get a firewall !! | FoxyMX (5) | ||
| 542103 | 2007-04-19 00:03:00 | If you have wireless internet someone could be stealing it. My mates bro did that once | Fishy (10540) | ||
| 542104 | 2007-04-19 00:04:00 | How much data are you talking about? | Rob99 (151) | ||
| 542105 | 2007-04-19 03:09:00 | We have a password on our wireless network, this has never happened before. Speedy, this is getting a bit above me. I am not that knowledgeable in this area, and all this stuff your asking me to do sounds a tad complicated! |
Chris815 (10270) | ||
| 542106 | 2007-04-19 03:22:00 | We have a password on our wireless network, this has never happened before. Speedy, this is getting a bit above me. I am not that knowledgeable in this area, and all this stuff your asking me to do sounds a tad complicated! So, did u run hijackthis again, then tick the entries I posted then select fix checked? Thats all u have to do, then boot into safe mode (press F8) after u reboot. Then select safe mode. Then once u get into safe mode, go to start/search, and type in msasvc.exe if found delete this file. And also get trojan remover install it click on scan. Make sure its updated (it's just been updated to 6.6.0). Then go to the utilities menu in trojan remover, select the 3rde to 7th option. Then as previously posted get Spybot and the detection updates. Install both, then click on check for problems. Whatever it brings up remove it. And I wouldnt come back online until those entries have been ticked and u tick fix checked, in HJT. And u get trojan remover and spybot and scan your system with both. And if u use IRC, DON'T go near it. Until u do the above. That worm u have is an IRC backdoor. |
Speedy Gonzales (78) | ||
| 542107 | 2007-04-19 04:04:00 | So, did u run hijackthis again, then tick the entries I posted then select fix checked? Thats all u have to do, then boot into safe mode (press F8) after u reboot. Then select safe mode. Then once u get into safe mode, go to start/search, and type in msasvc.exe if found delete this file. And also get trojan remover install it click on scan. Make sure its updated (it's just been updated to 6.6.0). Then go to the utilities menu in trojan remover, select the 3rde to 7th option. Then as previously posted get Spybot and the detection updates. Install both, then click on check for problems. Whatever it brings up remove it. And I wouldnt come back online until those entries have been ticked and u tick fix checked, in HJT. And u get trojan remover and spybot and scan your system with both. And if u use IRC, DON'T go near it. Until u do the above. That worm u have is an IRC backdoor. Good news, I used HiJackThis and got rid of those features you specified. Also, I used Trojan Remover and got rid of the msasvc.exe file (as well as some other useless things) and now the data packets are have returned to normal. They are not rising unnecessarily, with the sent/received numbers only going up when I use the net. I didn't end up using safe mode to do any of this, does that matter? I also didn't select the 3rd to 7th option in Trojan Remover, as I am not sure I need to. Resetting internet preferences? I'm not so sure... I'll let you know if I encounter any more problems. |
Chris815 (10270) | ||
| 1 2 3 | |||||