| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 74376 | 2006-11-20 08:40:00 | Hijack this logfile help please | sam m (517) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 500684 | 2006-11-20 08:40:00 | Hi, I found a very strange text file on my computer. I have run hijackthis so wonder if anyone can see any problems. Cheers Logfile of HijackThis v1.99.1 Scan saved at 9:27:09 PM, on 11/20/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5296.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F 2.EXE C:\WINDOWS\zHotkey.exe C:\WINDOWS\system32\wfxsnt40.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ezSP_Px.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSI\Core Center\CoreCenter.exe C:\Program Files\ASUPSM\USB Phone\UPhone.exe C:\Program Files\MailWasher\MailWasher.exe C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Microsoft ActiveSync\WCESMgr.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Sam\LOCALS~1\Temp\Rar$EX00.797\HijackT his.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F 2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310" O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe O4 - Global Startup: USB Phone.lnk = C:\Program Files\ASUPSM\USB Phone\UPhone.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - by19fd.bay19.hotmail.msn.com O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - a532.g.akamai.net O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - i.grab.com O17 - HKLM\System\CCS\Services\Tcpip\..\{44C2D6BA-F5AF-4A7F-803F-03107F2F1B11}: NameServer = 202.27.184.3,202.27.184.5 O17 - HKLM\System\CS1\Services\Tcpip\..\{44C2D6BA-F5AF-4A7F-803F-03107F2F1B11}: NameServer = 202.27.184.3,202.27.184.5 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
sam m (517) | ||
| 500685 | 2006-11-20 09:38:00 | Looks alright to me. Wait for a second opinion to confirm just in case I missed something. |
pheonix (36) | ||
| 500686 | 2006-11-20 10:02:00 | Thanks but I think I might have jumped to the wrong conclusion. The reason for my concern is I found a text file which was really weird. Googling has uncovered that this file msxml4-kb927978-en appears to be something to do with MS update. The strange thing about this is that the file appears on my 2nd HDD used only for storage - no OS - so I got a little concerned, especially as it was created at a time I was no where near my computer. I think it must have occurred due to me having MS Auto updates on. Still, if nothing comes from it at least it has got me to run spybot and adaware again for the first time in a few months. Cheers |
sam m (517) | ||
| 500687 | 2006-11-20 16:29:00 | O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - a532.g.akamai.net Nasty ...and your HJT is in a Temp file area..get it into a perm area |
SurferJoe46 (51) | ||
| 500688 | 2006-11-20 18:06:00 | O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - a532.g.akamai.net Nasty ...and your HJT is in a Temp file area..get it into a perm area Thanks - done - does look better? Logfile of HijackThis v1.99.1 Scan saved at 6:59:16 AM, on 11/21/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F 2.EXE C:\WINDOWS\zHotkey.exe C:\WINDOWS\system32\wfxsnt40.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ezSP_Px.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSI\Core Center\CoreCenter.exe C:\Program Files\ASUPSM\USB Phone\UPhone.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Sam\Start Menu\Programs\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F 2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310" O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe O4 - Global Startup: USB Phone.lnk = C:\Program Files\ASUPSM\USB Phone\UPhone.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - by19fd.bay19.hotmail.msn.com O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - i.grab.com O17 - HKLM\System\CCS\Services\Tcpip\..\{44C2D6BA-F5AF-4A7F-803F-03107F2F1B11}: NameServer = 202.27.184.3,202.27.184.5 O17 - HKLM\System\CS1\Services\Tcpip\..\{44C2D6BA-F5AF-4A7F-803F-03107F2F1B11}: NameServer = 202.27.184.3,202.27.184.5 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
sam m (517) | ||
| 500689 | 2006-11-20 19:10:00 | Run HJT again / close browsers, tick these then tick fix checked. O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) Uninstall Sun Java, and update it from here (java.sun.com) |
Speedy Gonzales (78) | ||
| 500690 | 2006-11-20 19:27:00 | Run HJT again / close browsers, tick these then tick fix checked. O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) Uninstall Sun Java, and update it from here (java.sun.com) Thanks - have removed entries you listed above but Unistalling Sun Java is not clear to me. In add/remove programs I take it you are referring to the JSE Runtime Environment - I have 3 entries in add/remove. Do I have to uninsall all of them and then go to the site you linked but go to this page (sdlc3e.sun.com 11A3F6B9258) and download jdk-1_5_0_09-windows-i586-p-iftw.exe? The 3 x JSE programs now are quite large, 119MB this one is a lot smaller at 33MB - is this correct? |
sam m (517) | ||
| 500691 | 2006-11-20 19:53:00 | Yup uninstall all 3 entries in add/remove programs. Thats it, the JSE Runtime Environment entries. You should UNINSTALL previous entries before u install the latest version of Java. Since if u dont uninstall previous versions (even tho you've installed the latest versions), any vulnerabilities the previous version/s may have you'll get. Its here (sdlc1d.sun.com:443 0824D497ED5) The first download. 15.74 mb. |
Speedy Gonzales (78) | ||
| 500692 | 2006-11-20 19:58:00 | Thanks Speedy, will get it done when I get back from work. Cheers Sam |
sam m (517) | ||
| 500693 | 2006-11-21 04:37:00 | Surferjoe, that isn't really a nasty as such, just a program that has vulnerabilities. It is actually a valid program... player.virtools.com |
pheonix (36) | ||
| 1 2 | |||||