| Thread ID: 60150 | 2005-07-24 06:14:00 | Hijack This now what | nanpoly (8563) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 374865 | 2005-07-24 06:14:00 | After having problems with bugs etc I ran Hijack This as advised earlier on this site & pasted results as requested here :help: www.hijackthis.de This has given me a list of files marked Safe, Unknown & Nasty. Now what do I do? How do I know what to delete & what not to delete? | nanpoly (8563) | ||
| 374866 | 2005-07-24 06:16:00 | Paste the log here and someone will check it (if u don't know what file does what). Or the entries that site brings up as nasty/unknown: do a search in Google or Yahoo to see what it does. | Speedy Gonzales (78) | ||
| 374867 | 2005-07-24 08:30:00 | Hey, let's give nanpoly a little hint here. If you take the readout from HJT and look for alpha-numeric codes between the brackets (here's an example) {B56A7D7D-6927-48C8-A975-17DF180C71AC} (this one is PCTools Spyware Doctor according to CastleCops and is a legitimate browser helper object or BHO) etc, and copy/paste them into the Google browser bar, not the URL or address bar, then you will get a lot of answers quickly. Other things have names that can be Googled too, like those with extensions on them (extensions are the little 3-letter words after a dot (.) in the HJT log): wkcalrem.exe (for example). This produces a pop-up reminder of events scheduled using the MS Works Calendar, as found by IAmNotAGeek. Some of the names alone in the HJT log will give them away right up front. If you see something that you absolutely know you didn't invite into your system, write the name down so that you can recognise it a little later on... but read on first:

The problem is: what site has the info you need and what site can you trust? Before you go anywhere, I make the following suggestions for places to get this info, and for a neophyte they are pretty good at explaining what you have; when you get the search results from Google, look for these places: Castlecops, IAmNotAGeek, Lockergnome, GeeksToGo, CyberTechHelp etc. Right now, I have mixed emotions about the sites that offer to advise you on what is wrong in your scan results. I check up on them to see if others have the same evaluation, and if they all comply pretty much, I make the decision that there must be something they all know.

I honestly recommend that you do all your HJT work and such in SAFE MODE with network accessibility. To get into that condition, just reboot your 'puter by hitting the Windows key (with the little flag on it) and rapidly hit in sequence the "u" and the "r" keys. This will reboot your system, and when it generates the black info splash screen, read the fine print and see what the macro is for getting into safe mode. It most often is the F8 key hit a few times when that screen shows up. If you miss safe mode the first time, use the Windows-u-r again. Once the screen asks you what mode you want, use the up arrow keys (called the CURSOR keys) to get to SAFE MODE WITH INTERNET ACCESS, or words to that effect. Then hit the ENTER key. You are now in SAFE MODE with internet access, but just the minimum support programs running. Find HJT in the programs area or the desktop if it appears, turn it on again and run another scan. Google any that you want to make sure of again, and follow the instructions and warnings on the HJT instructions. Do all your removing of the offending files and strange stuff that HJT found (you DID write them down?), and click the boxes in front of the stuff you want to remove while you are in SAFE MODE. THEY WILL BE REMOVED EVEN IF YOU MAKE A MISTAKE AND NEED TO GET THEM BACK! There is no BACK from here... HJT will kill, maim, destroy and remove them never to be found again. There is a warning about killing a necessary file, so make this choice by thorough investigation through a few different sources and don't jump on just one bad pronouncement of something. Get multiple opinions. Some of the stuff you will get bad reports on will be things you want to have, but are a little iffy. It's better to err on the conservative side at this point until you get some grey hair from your 'puter. Age will strengthen your bravado. For now, just do one exorcising at a time.

As a rule for future reference, stay away from FREE anything that gives you the time, temperature, pretty pictures, free anti-virus scans that come in outta the blue, and generally anything that has Bonzixxxx attached to it. And for your sake and the safety of your 'puter, STAY OUTTA THE PORNO SITES! If something's free and offered to you and you didn't ask for it... then it is probably spyware at least, a virus or keylogger or screenshotter at medium trouble, or a zombie or spoofer or something big like the Chernobyl virus that fries the BIOS, motherboard and any/all hard drives you have on the 15th of the month... I know! Remember that time wounds all heels, and you are not exempt... we all got here by trial and error and you aren't the last to go through this either. Learn from your mistakes, and better yet learn from others' mistakes! BTW: restarting the 'puter will remove it from the SAFE MODE when it reboots. |
SurferJoe46 (51) | ||
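The lookup routine SurferJoe46 describes (pull the codes between braces and the names with extensions out of the HJT readout, then search each one) can be done mechanically. The Python script below is an added example, not code from this thread or from HijackThis: it parses lines in the HijackThis v1.99.1 log format shown later in the thread and builds a worklist of CLSIDs, file names, start-page hosts and nameservers to look up, keyed by the log section each came from. The sample lines are constructed from entries in this thread, and the per-section handling (R0/R1 start pages, O2/O3 CLSIDs, O16 download hosts, O17 nameservers) is this example's assumption about the format based on those lines.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis v1.99.1 log
# pasted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\ALCXMNTR.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.xtra.co.nz
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDA95F80-AC71-4A39-9747-5710542C8BAF}: NameServer = 202.27.184.3 202.27.184.5
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Section prefix such as "O2 - ", "R0 - " (assumed layout of HJT lines).
SECTION_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Last path component (or a bare program name) with a binary extension.
FILE_RE = re.compile(r'([^\\/:"\s\[\]]+\.(?:exe|dll|ocx|cab|sys|scr))\b', re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt_log(text):
    """Build a lookup worklist from HijackThis log text.

    Returns a dict: 'clsids' and 'files' map each identifier to the set of log
    sections it appeared in ('process' for the running-processes block),
    'hosts' maps start-page / download hosts to sections, 'nameservers' lists
    the O17 DNS addresses, and 'orphans' lists O2 entries whose file is gone.
    """
    work = {"clsids": {}, "files": {}, "hosts": {}, "nameservers": [], "orphans": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m is None:
            # The "Running processes:" block lists bare paths, one per line.
            if DRIVE_PATH_RE.match(line):
                for name in FILE_RE.findall(line):
                    work["files"].setdefault(name.lower(), set()).add("process")
            continue
        section, body = m.groups()
        # O17 braces hold a network-adapter GUID, not a COM class id: skip it.
        if section != "O17":
            for clsid in CLSID_RE.findall(body):
                work["clsids"].setdefault(clsid.upper(), set()).add(section)
        for name in FILE_RE.findall(body):
            work["files"].setdefault(name.lower(), set()).add(section)
        if section in ("R0", "R1") and " = " in body:
            work["hosts"].setdefault(body.split(" = ", 1)[1].strip(), set()).add(section)
        elif section == "O16":
            # HijackThis prints the .cab download source after the last " - ".
            work["hosts"].setdefault(body.rsplit(" - ", 1)[-1].strip(), set()).add(section)
        elif section == "O17":
            work["nameservers"].extend(IPV4_RE.findall(body))
        if section == "O2" and "(no file)" in body:
            work["orphans"].append(line)
    return work


def render_worklist(work):
    """Return the worklist as printable text, one search term per line."""
    out = []
    for kind in ("clsids", "files", "hosts"):
        for key in sorted(work[kind]):
            out.append(f"{kind[:-1]:6} {key}  [{', '.join(sorted(work[kind][key]))}]")
    for ip in work["nameservers"]:
        out.append(f"dns    {ip}  [O17: confirm this is your ISP's resolver]")
    for entry in work["orphans"]:
        out.append(f"orphan {entry}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_worklist(parse_hjt_log(SAMPLE_LOG)))
```

Paste a real log in place of the sample and each printed term is one search to run, with the sections it came from beside it; a file that turns up both as a running process and as an O4 Run entry (ALCXMNTR.EXE above) shows up once with both tags. Entries that do nothing are still worth a look: the `(no file)` BHO is reported separately as an orphan, and the O17 nameservers are listed so they can be checked against the ISP's published resolvers before deciding anything.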
| 374868 | 2005-07-24 08:49:00 | Nasty - remove. Unknown - Google search to see what it is. Safe - leave it. | pctek (84) | ||
| 374869 | 2005-07-24 09:27:00 | HERE'S THE RESULT.
Entry [Kind: Safe, Nasty, Unknown] Description / Tip
Logfile of HijackThis v1.99.1 [Safe] Shows the version of HijackThis. The newest version is: v1.99.1! This should be the newest version. (v1.99.1)
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) [Safe] Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106! This should be the newest version. (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe [Safe] running process. (smss.exe) Systemprozess - Anwendung, die benutzt wird um Sitzungen zu starten, verwalten und löschen.
C:\WINDOWS\system32\winlogon.exe [Safe] running process. (winlogon.exe) Systemprozess - Windows Login Routine
C:\WINDOWS\system32\services.exe [Safe] running process. (services.exe) Systemprozess - Verwaltet die Systemdienste.
C:\WINDOWS\system32\lsass.exe [Safe] running process. (lsass.exe) Systemprozess
C:\WINDOWS\system32\svchost.exe [Safe] running process. (svchost.exe) Systemprozess - Allgemeiner Hostprozessname für Dienste.
C:\WINDOWS\System32\svchost.exe [Safe] running process. (svchost.exe) Systemprozess - Allgemeiner Hostprozessname für Dienste.
C:\WINDOWS\Explorer.EXE [Safe] running process. (Explorer.EXE) Systemprozess für Desktop und Taskleiste.
C:\WINDOWS\system32\spoolsv.exe [Safe] running process. (spoolsv.exe) Systemprozess
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [Safe] running process. (avgamsvr.exe) Antivirensoftware. Possibly nasty! According to our database this process runs normally in c:\program files\grisoft\avg free! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [Safe] running process. (avgupsvc.exe) Antivirensoftware. Possibly nasty! According to our database this process runs normally in c:\progra~1\grisoft\avgfre~1! Check if you know this process and arrange a viruscheck where required.
C:\windows\system\hpsysdrv.exe [Safe] running process. (hpsysdrv.exe)
C:\WINDOWS\System32\svchost.exe [Safe] running process. (svchost.exe) Systemprozess - Allgemeiner Hostprozessname für Dienste.
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [Safe] running process. (hpqcmon.exe) Hewlett-Packard Digital Imaging. Possibly nasty! According to our database this process runs normally in c:\programme\hp\digital imaging\unload\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe [Safe] running process. (HPWuSchd.exe) Hewlett Packard Software Update. Possibly nasty! According to our database this process runs normally in c:\programme\hp\hp software update\! Check if you know this process and arrange a viruscheck where required.
C:\WINDOWS\System32\hphmon05.exe [Safe] running process. (hphmon05.exe) Part of Hewlett-Packard
C:\HP\KBD\KBD.EXE [Unknown] running process. (KBD.EXE) This is an unknown process.
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [Safe] running process. (WkUFind.exe)
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [Safe] running process. (mmtask.exe)
C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe [Safe] running process. (mwsoemon.exe)
C:\WINDOWS\system32\S3tray2.exe [Safe] running process. (S3tray2.exe) S3 Video card task tray utility.
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [Safe] running process. (opware32.exe)
C:\WINDOWS\ALCXMNTR.EXE [Nasty] running process. (ALCXMNTR.EXE) Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. This is a nasty process! You should fix it and try to delete it manually!
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe [Safe] running process. (avgcc.exe) Antivirensoftware. Possibly nasty! According to our database this process runs normally in c:\program files\grisoft\avg free! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [Safe] running process. (avgemc.exe) Antivirensoftware. Possibly nasty! According to our database this process runs normally in c:\program files\grisoft\avg free! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\MYPRES~1\Presario\XPHAPRF3EN\plugin\bin\PCHButton.exe [Safe] running process. (PCHButton.exe) Used by HP Instant Support. Not dangerous, but unnecessary.
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [Unknown] running process. (BackWeb-1940576.exe) This is an unknown process.
C:\Program Files\CreataCard\Gold\FMRemind.exe [Unknown] running process. (FMRemind.exe) This is an unknown process.
C:\PROGRA~1\INCRED~1\bin\IMApp.exe [Safe] running process. (IMApp.exe) Incredi Mail
C:\Program Files\Internet Explorer\iexplore.exe [Safe] running process. (iexplore.exe) Internet Explorer - Wir empfehlen einen sichereren alternativen Browser zu verwenden. (z.B. Firefox)
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe [Safe] running process. (HijackThis.exe) Tool, mit dem sie dieses Logfile erzeugt haben. Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups!
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau9.hpwis.com/ [Safe] This page has been identified as safe.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.xtra.co.nz [Safe] This page has been identified as safe.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz [Safe] This page has been identified as safe.
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL [Nasty] Entries found in this registry zone are potentially nasty. This application (00A6FAF1-072E-44cf-8957-5838F569A31D) has been checked. Hit rate: 99%. Must be fixed!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [Safe] Entries found in this registry zone are potentially nasty. This application (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 99%.
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL [Nasty] Entries found in this registry zone are potentially nasty. This application (07B18EA1-A523-4961-B6BB-170DE4475CCA) has been checked. Hit rate: 99%. Must be fixed!
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll [Nasty] Entries found in this registry zone are potentially nasty. This application (243B17DE-77C7-46BF-B94B-0B5F309A0E64) has been checked. Hit rate: 99%. Must be fixed!
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) [Unnecessary] Entries found in this registry zone are potentially nasty. This application (FDD3B846-8D59-4ffb-8758-209B6AD74ACC) has been checked. Hit rate: 99%. Must be fixed! Unnecessary (deactivated) entry that can be fixed.
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL [Nasty] Entries found in this registry zone are potentially nasty. This application (07B18EA9-A523-4961-B6BB-170DE4475CCA) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99%. Must be fixed!
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 [Safe] Part of MS Input Method Editor which is used to ease the input of Asian characters in MS Office (Chinese, Korean and this one is Japanese). Hit rate: 61%. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC [Safe] Hit rate: 99%.
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC [Safe] Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word. Hit rate: 82%. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName [Safe] Part of Microsoft's Input Message Editor (IME) for translating Japanese/Chinese text in IE, Outlook and Word. Hit rate: 75%. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe [Safe] Hewlett-Packard. Hit rate: 99%.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe [Safe] Application that implements the Intel Hotkey command. Hit rate: 99%.
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [Safe] Part of Hewlett-Packard. Hit rate: 99%.
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe [Unknown] Hit rate: 99%. Unknown application.
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [Safe] Hewlett-Packard Software Update. Hit rate: 99%.
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe [Safe] Part of Hewlett-Packard. Hit rate: 99%.
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE [Unknown] Hit rate: -1%. Unknown application.
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE [Safe] Hewlett Packard Software. Hit rate: 99%.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup [Safe] Part of NVidia. Hit rate: 99%.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect [Safe] Application that allows users to have 32 virtual desktops, get a desktop larger than the viewable area of the monitor, divide the display across more than one monitor, manage applications, and many more features. Hit rate: 99%.
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" [Nasty] Virus. Hit rate: 99%. Must be fixed!
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe [Unknown] Hit rate: -1%. Unknown application.
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [Safe] Microsoft Works Shared. Hit rate: 99%.
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe [Safe] Part of MusicMatch Jukebox - digital music player / CD burner and ripper / music organizer / playlist creator. Hit rate: 99%.
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe [Nasty] "My Web Search" malware. Hit rate: 99%. Must be fixed!
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe [Safe] S3 display configuration taskbar utility for S3 chipset based graphics cards. Can be run from Start -> Settings -> Control Panel -> Display. Hit rate: 58%.
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r [Safe] StorageGuard from Veritas (this version by Sonic). Free utility that integrates with Backup MyPC (formerly Backup Exec Desktop), Simple Backup and MS Backup. Provides system tray access and background monitoring - warning you of files that haven't recently been backed up. Required unless you backup manually on a regular basis or have scheduled backups. Hit rate: 99%.
O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe [Unknown] Hit rate: 11%. Unknown application.
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [Safe] Omnipage. Hit rate: 99%.
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE [Nasty] Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers. Hit rate: 57%. Must be fixed!
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP [Safe] AVG Anti-Virus 7.0 Control Center. Allows you to manage and control all AVG Anti-Virus components, settings and updates. Hit rate: 71%.
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe [Safe] AVG Anti-Virus 7.0 Email Cleaner. Scans incoming and outgoing email for viruses. Hit rate: 69%.
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u [Safe] Hit rate: 99%.
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook [Safe] NVidia Nview. Hit rate: 99%.
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe" [Safe] Microsoft Money. Hit rate: 99%. Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\MYPRES~1\Presario\XPHAPRF3EN\plugin\bin\PCHButton.exe [Safe] Used by HP Instant Support. Hit rate: 83%. Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c [Safe] Incredi Mail. Hit rate: 99%.
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [Unknown] Hit rate: 2%. Unknown application.
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe [Unknown] Hit rate: 4%. Unknown application.
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm [Safe] The entry &Add animation to IncrediMail Style Box has been identified as safe. If the entry '&Add animation to IncrediMail Style Box' is not needed anymore, it should be fixed.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll [Safe] The entry has been identified as safe. If the entry '' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll [Safe] The entry Sun Java Console has been identified as safe. If the entry 'Sun Java Console' is not needed anymore, it should be fixed.
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll [Safe] The entry MoneySide has been identified as safe. If the entry 'MoneySide' is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [Safe] The entry Messenger has been identified as safe. If the entry 'Messenger' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe [Safe] The entry Windows Messenger has been identified as safe. If the entry 'Windows Messenger' is not needed anymore, it should be fixed.
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll [Safe] Most of the entries present in this registry area are safe. Only OnFlow adds unwanted plugins that can be found here. OnFlow plugins have the following extension: *.ofb.
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz [Possibly nasty] This entry should be fixed if 'http://www.xtra.co.nz' does not belong to your PC manufacturer or your Internet Service Provider (ISP).
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab [Nasty] This entry is possibly nasty. Should be fixed.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120903725781 [Safe] This entry has been identified as safe.
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - www2.incredimail.com/contents/setup/downloader/imloader.cab [Nasty] This entry is possibly nasty. Should be fixed.
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDA95F80-AC71-4A39-9747-5710542C8BAF}: NameServer = 202.27.184.3 202.27.184.5 [Possibly nasty] If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '202.27.184.3 202.27.184.5'? If not, fix this entry.
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll [Unknown]
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe [Safe] These entries show all services which are not from Microsoft. Often malware starts as a system service and it's not easy to detect it. This service (avgamsvr.exe) was identified as a good one.
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe [Safe] These entries show all services which are not from Microsoft. Often malware starts as a system service and it's not easy to detect it. This service (avgupsvc.exe) was identified as a good one.
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe [Safe] These entries show all services which are not from Microsoft. Often malware starts as a system service and it's not easy to detect it. This service (nvsvc32.exe) was identified as a good one.
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [Safe] These entries show all services which are not from Microsoft. Often malware starts as a system service and it's not easy to detect it. This service (SymWSC.exe) was identified as a good one.
This log has been checked automatically. Check your log file automatically at www.hijackthis.de. |
nanpoly (8563) | ||
| 374870 | 2005-07-24 10:11:00 | Sorry. I am new to this. Try this:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:29 PM, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\MYPRES~1\Presario\XPHAPRF3EN\plugin\bin\PCHButton.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qau9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.xtra.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\MYPRES~1\Presario\XPHAPRF3EN\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - www2.incredimail.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDA95F80-AC71-4A39-9747-5710542C8BAF}: NameServer = 202.27.184.3 202.27.184.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
nanpoly (8563) | ||
| 374871 | 2005-07-24 10:37:00 | Tick these entries, and click on Fix checked. Close all windows before u check the following.
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" (Is SoftThinks CD Creator CD/DVD Writer installed? If not, this is a trojan.)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - ak.imgfarm.com
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - www2.incredimail.com (This entry may or may not be nasty. Since you're using Incredimail, leave it for now.)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe (Not too sure what this is. Leave it there for now...) |
Speedy Gonzales (78) | ||
| 374872 | 2005-07-24 10:51:00 | You should run Spybot and Ad-Aware or other anti-spyware apps of choice, remove unknown and unwanted entries from the startup, remove all BHOs and ActiveX controls, run CrapCleaner and a regcleaner (all this takes about 15 minutes on a modernish computer) BEFORE doing a HijackThis log; 90 percent of that crapola would be gone already. Hijack should be one of the last steps, to ensure nothing has been left behind, or used in the case where you're having trouble removing something, not the tool to use first. Even at the forums that specialise in supporting HijackThis they won't look at your log until you confirm you have done the above. |
Metla (12) | ||
| 374873 | 2005-07-24 10:55:00 | ps2.exe is required to run useless keys on keyboards shipped with brand name comps. I would kill it, no need for bloat in the startup, though if you're not the only one using the comp then expect Ma to tell everyone that you broke the computer while insisting you were fixing it and now her Yahoo Mail button doesn't work.......... Muhahahahaha. |
Metla (12) | ||
| 374874 | 2005-07-24 11:42:00 | Any app that says MSIE <whatever version> is safe has got to be joking. | Myth (110) | ||