malganis Posted December 10, 2005 Report Share Posted December 10, 2005 Logfile of HijackThis v1.99.1Scan saved at 00:17:10, on 10/12/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\SOUNDMAN.EXEC:\PROGRA~1\NORTON~1\navapw32.exeC:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exeC:\WINDOWS\system32\GSICON.EXEC:\WINDOWS\system32\dslagent.exeC:\Program Files\Microsoft AntiSpyware\gcasServ.exeC:\Program Files\Java\jre1.5.0_06\bin\jusched.exeC:\Program Files\Messenger\MSMSGS.EXEC:\Program Files\Microsoft AntiSpyware\gcasDtServ.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Documents and Settings\James.D\Desktop\HJT\HijackThis.exeO2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\System32\hpE4A3.tmpO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exeO4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exeO4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\sisUSBrg.exeO4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exeO4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunchO4 - HKLM\..\Run: [GSICONEXE] GSICON.EXEO4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USBO4 - HKLM\..\Run: [services] C:\WINDOWS\system32\1.tmpO4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exeO4 - HKCU\..\Run: [CD_Updater] C:\Program Files\Carpe Diem\magazine\CDUpdater.exe CD_UPDATERO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /backgroundO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dllO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133460107984O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{CB9EC177-6293-4AEB-9A52-B12F7DDF46FE}: NameServer = 212.9.0.135 212.9.0.136O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe (file missing)O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe Link to post Share on other sites
therock247uk Posted December 10, 2005 Report Share Posted December 10, 2005 Download smitRem.exe and save the file to your desktop.Double click on the file to extract it to it's own folder on the desktop.Place a shortcut to Panda ActiveScan on your desktop.Please download the trial version of Ewido Security Suite here:http://www.ewido.net/en/download/Please read Ewido Setup InstructionsInstall it, and update the definitions to the newest files. Do NOT run a scan yet.If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:Ad-Aware SE SetupDon't run it yet!Next, please reboot your computer in SafeMode by doing the following:Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, press F8.Instead of Windows loading as normal, a menu should appearSelect the first option, to run Windows in Safe Mode.Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:===================================================O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\System32\hpE4A3.tmp===================================================Close HiJackThis.Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.Wait for the tool to complete and disk cleanup to finish.The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.Open Ad-aware and do a full scan. Remove all it finds.Run Ewido:Click on scannerClick on Complete System Scan and the scan will begin.NOTE: During some scans with ewido it is finding cases of false positives.You will need to step through the process of cleaning files one-by-one.If ewido detects a file you KNOW to be legitimate, select none as the action.DO NOT select "Perform action on all infections"If you are unsure of any entry found select none for now.When the scan is finished, click the Save report button at the bottom of the screen.Save the report to your desktopClose EwidoNext go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.Reboot back into Windows and click the Panda ActiveScan shortcut.- Once you are on the Panda site click the Scan your PC button - A new window will open...click the Check Now button - Enter your Country - Enter your State/Province - Enter your e-mail address and click send - Select either Home User or Company - Click the big Scan Now button - If it wants to install an ActiveX component allow it - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) - When download is complete, click on Local Disks to start the scan- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.Let us know if any problems persist. Link to post Share on other sites
Besttechie Posted January 9, 2006 Report Share Posted January 9, 2006 Inactive topic...If you still need help on this problem, contact me or one of the Moderators to re-open this up.Topic closed. Link to post Share on other sites
Recommended Posts