AntiSpyware infected computer hijack this log

Posted by: Opaque

I scanned and found 29 spyware things, deleted them all, and it's still there. Someone please help!!! Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:35 PM, on 05/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\mcafee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\mcafee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O15 - Trusted Zone: http://www.neopets.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Posted by: Opaque

Someone .. Please!!!

Posted by: MicroBell

Hi:

Please consider updating both XP and IE6 with the latest service packs, as this is a big part of your problem!!

Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log.....

If you have a high-speed connection, please run an online virus scan from TrendMicro (http://housecall.trendmicro.com/housecall/start_corp.asp). Please select the "autoclean" option when prompted to do so.

Download and install CleanUp: http://cleanup.stevengould.org/

Download DelDomains.inf (http://www.mvps.org/winhelp2002/DelDomains.inf): right-click and select "Save Target As".
To use: right-click and select "Install" (no need to restart).
**Note** This will remove all entries in the "Trusted Zone".

Go to My Computer -> Tools -> Folder Options -> View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing/visible.

Turn off System Restore by right-clicking on My Computer, going to Properties -> System Restore, and checking the box for "Turn off System Restore".

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Open Add/Remove Programs and remove the following if listed:
WildTangent
Security iGuard

Go into HijackThis -> Config -> Misc. Tools -> Open process manager. Select the following and click "Kill process" for each one if they are still listed (they shouldn't be, but make sure):
C:\Program Files\WildTangent\Apps\GameChannel.exe

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {038A0246-40AD-42E9-AB47-8CE0D5B6047A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {298359D2-F12D-4594-A996-BC1F776F6E74} - (no file) (HKCU)
O15 - Trusted Zone: http://www.neopets.com

Delete the following files/folders shown in [color=red]red[/color] (delete folders if no filename is specified or if they are highlighted in red) according to their directory. If you can't find them, do a search for them; make sure you have "search hidden files, folders, subdirectories, etc." enabled if it applies to your OS.
C:\Program Files\[color=red]WildTangent\Apps\GameChannel.exe[/color]
C:\Program Files\[color=red]Security iGuard\Security iGuard.exe[/color]
C:\WINDOWS\System32\[color=red]srvc32.exe[/color]
C:\WINDOWS\System32\[color=red]spoolsrv32.exe[/color]

Now run the CleanUp utility and reboot/log off when prompted.

Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and whether it's clean or not.

Posted by: Opaque

Ok, I did some of it until I recognized a huge problem!! After I did CleanUp I opened Internet Explorer to see your next thoughts and I realized the top bar thing was missing. I mean the thing with File and such on it. If I scrolled over it the options would come up, but the words disappeared!!! Help me please!! And if it helps, every once in a while my computer opens a file called Hi. I can't find out what it does.

Posted by: Opaque

Also, it will not let me run my HijackThis log; CleanUp messed up my comp!

Posted by: MicroBell

Did you delete ONLY the files I listed?? None of them were system-critical files that could cause the issue you're describing. CleanUp only deletes files in the TEMP directories, and there are no system-critical files located in them.

Try downloading and installing TDS-3 (http://tds.diamondcs.com.au/), update its database and do a FULL system scan. When it's finished, delete any positive trojans found in the bottom window.

Also click Start -> Run and type in sfc /scannow. This will scan for corrupt and/or missing Windows files. You will need your XP CD if any are found.

Did the online virus scan find anything?? The "Hi" message sounds like one of the MSN worms out there.

I also want to look deeper. Download the following tools and post the logs...

Download StartDreck (http://www.niksoft.at/php/dl.php?f=startdreck.zip). Unzip it to its own folder and start the program:
Press 'Config'
Press 'Mark All'
UN-check the 'NT-Services & NT-Kernel...' boxes only
Press 'Ok'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread

Download Silent Runners.vbs (http://www.silentrunners.org/):
1. Make sure you have any script-blocking software disabled.
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

Posted by: Opaque

Because the day after the symptoms I described caused my screen to go black even in Safe Mode, I rebooted comp / reinstalled Windows. No more virus now :D

Posted by: Warez Monster

Remove entries at your own risk.

C:\HP\KBD\KBD.EXE
This is an unknown process.

C:\Program Files\WildTangent\Apps\GameChannel.exe
This is an unknown process.

C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
Based upon HP's own description from here - "With the My HP Center, consumers have access directly from the desktop to Internet sites featuring special offers for HP customers ranging from personal finance and shopping to digital imaging and music" - I have classified this as adware. The number may change; if yours is different let me know. This is a nasty process! You should fix it and try to delete it manually!

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
Unknown application.

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
Unknown application.

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
Unknown application.

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
Found in the HPSelect\Frontend directory on an HP machine. What is its purpose and is it required?

O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
Based upon HP's own description from here - "With the My HP Center, consumers have access directly from the desktop to Internet sites featuring special offers for HP customers ranging from personal finance and shopping to digital imaging and music" - I have classified this as adware. The number may change; if yours is different let me know. Must be fixed!

O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
User interface for HP Center. Must be fixed!

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Complete utter waste of space! Part of MS Office; searches disk drives for Office file types and creates an index to make opening them easier. Must be fixed!

O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
Unknown application.

O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
Unknown application.