Orion Scorpio Posted October 7, 2005 Share Posted October 7, 2005 You should set up a charging account... ..after you finish off with me. Logfile of HijackThis v1.99.1Scan saved at 11:18:33 PM, on 7/10/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Sygate\SPF\smc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\WINDOWS\System32\CTSVCCDA.EXEC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\wdfmgr.exeC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\WINDOWS\System32\wbem\wmiprvse.exeC:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Winamp\winampa.exeC:\Program Files\Ahead\InCD\InCD.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\CyberLink\PowerDVD\PDVDServ.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\QuickTime\qttask.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\Sony\OpenMG Jukebox\Omgtray.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\wuauclt.exeC:\Documents and Settings\Adam\Desktop\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exeO4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exeO4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exeO4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXEO4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"O4 - HKLM\..\Run: [pmdvsmaj] C:\WINDOWS\System32\pmdvsmaj.exeO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startguiO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [pmdvsmaj] C:\WINDOWS\System32\pmdvsmaj.exeO4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cabO21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\ghbhgmko.dll (file missing)O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSVCCDA.EXEO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exeO23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted October 7, 2005 Author Share Posted October 7, 2005 OK, looking good now. Check off these items in HijackThis: - O4 - HKLM\..\Run: [pmdvsmaj] C:\WINDOWS\System32\pmdvsmaj.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKCU\..\Run: [pmdvsmaj] C:\WINDOWS\System32\pmdvsmaj.exeO21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\ghbhgmko.dll (file missing) Make sure you close ALL other windows, then hit Fix Checked. Reboot once you've done that. Start Internet Explorer and hit Tools, then Internet Options. Click the Programs tab, then the Reset Web Settings button. Click the General tab and type in the homepage you want to use and hit Apply then OK. Job done! I strongly suggest installing Service Pack 2 for XP as soon as possible along with any other critical updates from the Windows Update site: - http://windowsupdate.microsoft.com/ Also, you might wanna start over in Sygate. Double click the little arrows icon next to the clock to open it and hit the Applications button. Click Remove All and then hit Yes. Each time a program needs to access the Internet, a message from Sygate will pop up asking you if this is OK. If you want to allow it then check the box not to ask again and hit Yes. If a program name pops up trying to access the web and you don't know what it is then Google the filename and it should tell you. If you get no results (as in the case of pmdvsmaj.exe) then assume it's bad and say No. You can always change it later. Better to be safe than sorry. Once one infected file has a connection to the web, it'll usually download others and that's how you end up in a mess. Post back if you have any other problems, but you should be OK now. That'll be £75 please. Quote Link to comment Share on other sites More sharing options...
Steve Posted October 7, 2005 Author Share Posted October 7, 2005 One other thing. If your PC is running nicely after following these steps, then disable System Restore, reboot, then enable it again and create a new restore point. Viruses and spyware can hide in a restore point and if you ever have to use it, it'll not only restore all your settings, but the viruses too. Right click My Computer on the Desktop and choose Properties. Hit the System Restore tab, then check the box that says "Turn off System Restore on all drives" and hit Apply then OK. Reboot, then go back and uncheck the same box. Quote Link to comment Share on other sites More sharing options...
Orion Scorpio Posted October 7, 2005 Share Posted October 7, 2005 Shit, I'm broke..should I put the virus back on? Quote Link to comment Share on other sites More sharing options...
Steve Posted October 7, 2005 Author Share Posted October 7, 2005 lol. You better had. Quote Link to comment Share on other sites More sharing options...
dissonance Posted October 17, 2005 Share Posted October 17, 2005 gotta log... canya give it a look see? Logfile of HijackThis v1.99.1Scan saved at 6:20:35 PM, on 10/17/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Sygate\SPF\smc.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Java\jre1.5.0_04\bin\jusched.exeC:\Program Files\PeerGuardian2\pg2.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startguiO4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimizeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exeO4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted October 17, 2005 Author Share Posted October 17, 2005 Looks good mate. There's nothing to worry about at all in there. You can fix these optional items if you want to: - The updater for Sun's Java. Doesn't appear to work and you can check for new versions manually by visiting the site: - O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe These 3 provide a taskbar icon for your graphics card to enable fast access to the settings. You can change the settings via Control Panel or by right clicking the desktop: - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit "Adobe Gamma Loader.exe is installed alongside Adobe Creative Studio products and allows the colour calibration of your video output device." I've always told people to disable this item as it has little use. That seems to be the general advice given on most HijackThis forums: - O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe If you choose to fix anything, close all other windows before hitting Fix Checked. A backup is made anyway if you want to see what the PC runs like without these items. You can also disable an unnecessary service. Hit Start then Run and type "services.msc" without quotes and hit Enter. Scroll down to the NVIDIA Display Driver Service, left click to select, right click and choose Properties. Set the "Startup type:" box to Disabled and hit Apply then OK. The changes take effect on the next reboot. If you decide not to fix the 3 entries above relating to the graphics card, then leave this service alone. That's basically it mate. If you're having any particular problem then post back. Quote Link to comment Share on other sites More sharing options...
flowerpot Posted October 17, 2005 Share Posted October 17, 2005 BTW diss,what Nvidia card you running? Quote Link to comment Share on other sites More sharing options...
dissonance Posted October 17, 2005 Share Posted October 17, 2005 its the GEforce MX4000 128MB Quote Link to comment Share on other sites More sharing options...
chile Posted October 25, 2005 Share Posted October 25, 2005 yo steve could you skim through this log please if you have the time, i think i may have just picked up a virus of some sort off msn messenger.. a mate sent me a message sayin "wow this is you?" then a link which contained my email address.. i sort of had a hunch that it was a virus but still clicked the link stupidly.. logged out straight after and ran crap cleaner and adaware, which turned up no results.. Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Dell\Media Experience\DMXLauncher.exeC:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exeC:\Program Files\D-Tools\daemon.exeC:\WINDOWS\system32\DeltTray.exeC:\windows\system32\svchost32.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\PeerGuardian2\pg2.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\explorer.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Documents and Settings\chilean\Desktop\desktop\COMPUTER MED PACK\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.digitalvertigo.co.uk/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exeO4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exeO4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /iconO4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeO4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [DeltTray] DeltTray.exeO4 - HKLM\..\Run: [AuGust] C:\windows\system32\svchost32.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exeO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0O4 - Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\pg2.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cabO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cabO16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cabO16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cabO16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{328E0D13-1275-4916-BF3B-E448C016DDB4}: NameServer = 212.50.160.100 213.249.130.100O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dllO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Macromedia - (no file)O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exeO23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted October 25, 2005 Author Share Posted October 25, 2005 Yep, you gotta virus mate. Bring up Task Manager and end this process: - svchost32.exe Note the "32" on the end as there will be several regular ones called svchost.exe that are OK. Run HijackThis and check off the following: - O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [AuGust] C:\windows\system32\svchost32.exe Close all other windows and hit Fix Checked. Browse to the Windows\System32 folder and delete the svchost32.exe file. If you can't see it enable hidden and system files, but it should definitely be there. That should do it, but if you have any other problems post back. As long as you haven't allowed that file Internet access then it should be a straightforward removal. Quote Link to comment Share on other sites More sharing options...
Steve Posted October 25, 2005 Author Share Posted October 25, 2005 BTW, I don't see a firewall or any antivirus software on your PC. You should always have a decent firewall running even if you only use antivirus software as and when required. Quote Link to comment Share on other sites More sharing options...
chile Posted October 25, 2005 Share Posted October 25, 2005 thanks! yea i normally use a nod trial program and reinstall every 30 days after expiration.. uninstalled it a few days ago and forgot to reinstall it.. thanks again man, really apreciate it Quote Link to comment Share on other sites More sharing options...
2tall Posted October 29, 2005 Share Posted October 29, 2005 ok my pc hangs under load, but randomly only when under load but not necessarily using CPU, i.e. when just idle in cubae even, i tried replacing my RAM, i have 2gb, still the same thing happens. Logfile of HijackThis v1.99.1Scan saved at 03:26:42, on 29/10/2005Platform: Windows XP (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\WINDOWS\system32\pctspk.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\shnlog.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\System32\DeltTray.exeC:\WINDOWS\System32\rmctrl.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exeC:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exeC:\Program Files\VoyagerTest\fts.exeC:\Program Files\Common Files\AOL\ACS\AOLDial.exeC:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\WINDOWS\System32\ctfmon.exeC:\WINDOWS\System32\intmon.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\AOL 9.0\waol.exeC:\Program Files\AOL 9.0\shellmon.exeC:\WINDOWS\System32\DeltaPnl.EXEC:\WINDOWS\System32\wuauclt.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\WinRAR\WinRAR.exeC:\DOCUME~1\2TALL~1.LOV\LOCALS~1\Temp\Rar$EX00.172\HijackThis.exe O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6F73.tmpO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [DeltTray] DeltTray.exeO4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe iconO4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exeO4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exeO4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exeO8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25d4449a8db01f...ip/RdxIE601.cabO16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{4D11BAC4-D4CD-427F-9B69-C87ADA96175F}: NameServer = 205.188.146.145O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeO23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted October 29, 2005 Author Share Posted October 29, 2005 Right mate, you've managed to get a program on your machine called PS Guard from somewhere. It's a fake spyware removal program that's actually a trojan. It probably installed just by visiting a web page. Before you begin with HijackThis, look in Add or Remove Programs to see if PS Guard is listed. If it is, uninstall it and reboot before continuing. Chances are it won't be though. Download CCleaner from THIS site and install it, but don't run it yet. Put HijackThis into a folder of it's own rather than running it from the zip file. If you don't do that it won't create any undo files. Press Control/Alt/Delete to bring up Task Manager and end the following processes if they are running: - shnlog.exeintmon.exe They are both trojans. Now run HijackThis and check off all of the following: - O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp6F73.tmpO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25d4449a8db01f...ip/RdxIE601.cabO16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab Close all other windows and then hit Fix Checked. Reboot your PC into Safe Mode by tapping F8 as it starts and selecting it from the menu that appears. Start Windows Explorer and hit Tools then Folder Options. Click on the View tab and make sure the following are set like this: - Show hidden files and folders (Selected)Hide extensions for known file types (NOT selected)Hide protected operating system files (Recommended) (NOT Selected) Then hit Apply then OK. Now, you must browse to these files and folders and delete them all if they exist: - C:\WINDOWS\System32\hp6F73.tmp C:\WINDOWS\System32\shnlog.exe C:\WINDOWS\System32\intmon.exe c:\eied_s7.cab C:\Program Files\P.S.Guard At this point run CCleaner and it'll clear out any other temp files. Reboot the PC into regular Windows. Start Internet Explorer and hit Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings, then hit the General tab and re-enter your desired homepage. Finally, click on the Security tab, Internet Zone icon, then make sure it's not been set to low - if it has, click on Default Level. Then hit Apply then OK. Hopefully that should be it. The particular trojans you have are about as nasty as you can get, so chances are they may reappear. It's probably a good idea to post a new HijackThis log at this point to make sure everything is OK. Quote Link to comment Share on other sites More sharing options...
Steve Posted October 29, 2005 Author Share Posted October 29, 2005 This is the trojan you have: - http://www.sophos.com/virusinfo/analyses/trojpuperd.html Furthermore, intmon.exe monitors the main process, and restarts it if it is terminated. Meanwhile the main process restarts the monitoring process if it is terminated, and recreates the file intmon.exe if it is deleted.Could be a pain in the arse to remove, but I think this is probably what's eating your CPU. Quote Link to comment Share on other sites More sharing options...
2tall Posted October 29, 2005 Share Posted October 29, 2005 the shit hit the fan this morning. last night i left windows running and i heard the pc speaker beep, nothing seemed unusual, but i switched it off. this mornigng booted up, windows reboots continously, i've come to the office to make rescue disks and get some tools and try and even locate a copy of windows in case its a full clear out. thanks for your help, i will follow the steps and take all the goodies home too. i think it reboots when trying to load a system file. Quote Link to comment Share on other sites More sharing options...
Frost Posted October 29, 2005 Share Posted October 29, 2005 yo steve, cud u have a goosey gander at this for me pleesh. > Logfile of HijackThis v1.99.1Scan saved at 16:23:15, on 29/10/2005Platform: Windows XP (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVG6\avgserv.exeC:\WINDOWS\System32\CTsvcCDA.EXEC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\carpserv.exeC:\WINDOWS\System32\ctfmon.exeC:\WINDOWS\System32\devldr32.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\mozilla.org\Mozilla\mozilla.exeC:\Program Files\DAP\DAP.exeC:\Documents and Settings\Administrator\Desktop\hijacdis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.karoo.co.uk/searchpage.aspR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.ukR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.karoo.co.uk:8080R3 - URLSearchHook: (no name) - _{D7CD08F0-D691-11D8-9669-0800200C9A66} - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0f37.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [CARPService] carpserv.exeO4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0f37.dll"O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXEO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXEO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0f37.dll"O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htmO8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXEO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.ukO16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cabO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cabO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cabO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126560119388O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126971645596O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cabO16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cabO16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cabO16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cabO16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocxO16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/rssoft.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{0C763376-077D-41A7-B1A3-943EBCD5D9A9}: NameServer = 212.50.160.100 213.249.130.100O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)O23 - Service: AVG6 Service (AvgServ) - GRISOFT© SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXEO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe im sure ive got some crazy shit in there. fo' sho'and can sumone recommend a good firewall that isnt zonealarm, its whack. Quote Link to comment Share on other sites More sharing options...
Steve Posted October 29, 2005 Author Share Posted October 29, 2005 You have one piece of malware on your system. Go to Add or Remove Programs and look for SafeGuard Protect PCShield. It may just be called PCShield. If it's there, uninstall it and reboot the PC before continuing. Download CCleaner from THIS page and install it, but don't run it yet. Start HijackThis and do a scan. Check off the following items: - R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.karoo.co.uk/searchpage.aspR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.ukR3 - URLSearchHook: (no name) - _{D7CD08F0-D691-11D8-9669-0800200C9A66} - (no file)O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_0f37.dllO4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0f37.dll"O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXEO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXEO4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_0f37.dll"O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.ukO16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/rssoft.cab If you don't use Adobe Gamma Loader (allows you to calibrate your monitor for use with programs like Photoshop) then also check off these two: - O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Close all other windows and hit Fix Checked. Reboot your PC into Safe Mode by tapping F8 as it starts and selecting it from the menu that appears. Start Windows Explorer and hit Tools then Folder Options. Click on the View tab and make sure the following are set like this: - Show hidden files and folders (Selected)Hide extensions for known file types (NOT selected)Hide protected operating system files (Recommended) (NOT Selected) Then hit Apply then OK. Now, you must browse to this file and delete it if it still exists: - C:\WINDOWS\System32\sfg_0f37.dll If it won't delete, then hit Start then Run and type "cmd" without quotes and hit Enter. Type the following commands pressing enter after each one: - cd c:\windows\system32regsvr32 /u sfg_0f37.dll There's a single space in the first command after "cd" and two spaces in the second command, either side of "/u". Once you've done that, exit out of that screen and you should be able to delete the dodgy dll file. At this point run CCleaner and it'll clear out any other temp files. Reboot the PC into regular Windows. Start Internet Explorer and hit Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings, then hit the General tab and re-enter your desired homepage. Finally, click on the Security tab, Internet Zone icon, then make sure it's not been set to low - if it has, click on Default Level. Then hit Apply then OK. You need to update to Service Pack 2 for XP as soon as possible really. You got infected via an object that downloaded by just visiting a certain web page. SP2 makes some changes that will stop this happening (in nearly all cases anyway). If you haven't used Windows Updates in a while then there will be a lot of critical updates that you need. If you want to get rid of ZoneAlarm, then try Sygate instead. You download the free version from THIS page. Let me know if you have any further problems. Quote Link to comment Share on other sites More sharing options...
Steve Posted October 29, 2005 Author Share Posted October 29, 2005 You might wanna consider switching from AVG to something a bit better. It totally missed the malware you have and so did Avast (the other commonly used free option). Quote Link to comment Share on other sites More sharing options...
Frost Posted October 29, 2005 Share Posted October 29, 2005 wicked. ill do this now. i tried getting SP2 but it sed something was wrong likea serialnubmer or something, my windows xp is a copy ya see. any way round this? Quote Link to comment Share on other sites More sharing options...
Steve Posted October 29, 2005 Author Share Posted October 29, 2005 http://download.microsoft.com/download/1/6...935-SP2-ENU.exe Try that. Quote Link to comment Share on other sites More sharing options...
2tall Posted October 31, 2005 Share Posted October 31, 2005 and the results are.... (yeah i know zonealarm and avg arent ideal, what do you reccomend though?) Logfile of HijackThis v1.99.1Scan saved at 09:33:57, on 31/10/2005Platform: Windows XP (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\WINDOWS\system32\pctspk.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\System32\DeltTray.exeC:\WINDOWS\System32\rmctrl.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exeC:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exeC:\Program Files\VoyagerTest\fts.exeC:\Program Files\Common Files\AOL\ACS\AOLDial.exeC:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exeC:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\AOL 9.0\waol.exeC:\Program Files\AOL 9.0\shellmon.exeC:\WINDOWS\System32\wuauclt.exeC:\WINDOWS\System32\DeltaPnl.EXEC:\Documents and Settings\2tall.LOVETRUNCHEON\Desktop\rescue\hijackthis\HijackThis.exe O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [DeltTray] DeltTray.exeO4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exeO4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exeO4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe iconO4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exeO4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exeO4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exeO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exeO8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{4D11BAC4-D4CD-427F-9B69-C87ADA96175F}: NameServer = 205.188.146.145O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exeO23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted October 31, 2005 Author Share Posted October 31, 2005 Looks good man. All the nasty stuff is gone. Fix just this one item: - O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k ZoneAlarm works well as a firewall, but some people have problems with it. If it's not causing you any trouble then I'd stick with it. If it is, then give Sygate a try: - http://smb.sygate.com/products/spf_standard.htm I'll PM you later with a different antivirus option. Quote Link to comment Share on other sites More sharing options...
Nimrod Posted November 17, 2005 Share Posted November 17, 2005 yo steve could you have a look at this? had a prog on there this morning that was causing 100% cpu usage. clicked end process but just posting a quick log if thats cool Logfile of HijackThis v1.98.2Scan saved at 13:00:30, on 17/11/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exeC:\WINDOWS\System32\nvsvc32.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Java\jre1.5.0_02\bin\jusched.exeC:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exeC:\WINDOWS\System32\DeltTray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\jre1.5.0_02\bin\jucheck.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exeC:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exeC:\PROGRA~1\MOZILL~1\firefox.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\WINDOWS\explorer.exeC:\Documents and Settings\Matt\My Documents\INSTALLS\hijack this\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nutrider.com/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/broadbandO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exeO4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0O4 - HKLM\..\Run: [DeltTray] DeltTray.exeO4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimizeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -hO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"O4 - Startup: AMSN.lnk = C:\Program Files\AMSN\amsn.exeO8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.htmlO8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{72ED4BB2-D4EA-4140-A4FF-239980244C8B}: NameServer = 192.168.1.1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.