-
December 16th, 2005, 01:15 PM
#21
Hi
To highlight xierox's comments, go to this site and read about "How did I get infected?"; it has a lot of useful tips on keeping your PC healthy.
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
December 18th, 2005, 07:26 PM
#22
Okay, here you go. And of course I'm gonna learn about that; that's why I joined this site. lol
It won't let me attach it as a file, so I'm just gonna paste it:
Logfile of HijackThis v1.99.1
Scan saved at 12:19:13 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\sj650\hpupdate.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\1133064900\ee\AOLSoftware.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\a-squared\a2guard.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Dustin\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antionline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133064900\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk772DGUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
There you go .
This is our world now. The world of the electron and the switch. The beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try and make us think it's for our own good, yet we are the criminals. Yes I am a criminal. My crime is that of curiosity. I am a hacker and this is my manifesto. You may stop me but you can't stop us all.
That's right. I'm 10100111001.
-
December 18th, 2005, 07:41 PM
#23
Might have some work to do there, mate.
Possible crap that needs removing:
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...?p=ZNxmk772DGUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.exe
cheers
Edit: On the line: O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printra
y.exe
I'm assuming it should read: /printray.exe
If not, the y.exe is a trojan that needs removing.
Process File: y or y.exe
Process Name: w32.small Virus
Description:
y.exe is a process which is registered as the w32.small Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
SOURCE
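A small triage script for log lines in this format, added here as an example and not part of any reply in the thread. It keys on the two hosts the reply above singled out (mywebsearch.com and imgfarm.com); the sample log lines, the other two heuristics (an O16 entry that downloads a bare .exe instead of a .cab, and a component marked "(file missing)") and all the names are constructed for illustration.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example, not from the thread. The watch-list hosts are the two the
reply above flagged; every other heuristic, name and sample line is a
constructed assumption for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts called out in the thread; matched by suffix so edits.mywebsearch.com
# and ak.imgfarm.com both hit. Extend with your own list.
WATCHLIST_HOSTS = ("mywebsearch.com", "imgfarm.com")

# Constructed sample in the same shape as the posted log (URLs are made up).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/sample/search?p=CONSTRUCTED
O8 - Extra context menu item: &Yahoo! Search - file:///C:\\Program Files\\Yahoo!\\Common/ycsrch.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/sample/setup.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/sample/checkers.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[ROF]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"(?:https?|ftp|file)://\S+")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_line(line):
    """Split one log line into section, CLSID, URL and the file-missing flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    return {
        "section": m.group("sec"),
        "body": body,
        "clsid": clsid.group(0).upper() if clsid else None,
        "url": url.group(0) if url else None,
        "file_missing": "(file missing)" in body,
    }


def host_on_watchlist(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHLIST_HOSTS)


def run_entries(log_text):
    """O4 Run-key entries as (hive, value name, command): the startup list."""
    out = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e and e["section"] == "O4":
            m = RUN_RE.match(e["body"])
            if m:
                out.append(m.groups())
    return out


def triage(log_text):
    """Return (section, reasons, line) for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        reasons = []
        if e["url"] and host_on_watchlist(e["url"]):
            reasons.append("watch-listed host")
        # Heuristic: DPF entries normally fetch a .cab; a bare .exe is unusual.
        if e["section"] == "O16" and e["url"] and e["url"].lower().endswith(".exe"):
            reasons.append("O16 downloads a bare .exe")
        if e["file_missing"]:
            reasons.append("registered component is missing on disk (stale entry)")
        if reasons:
            findings.append((e["section"], "; ".join(reasons), raw.strip()))
    return findings


if __name__ == "__main__":
    for sec, why, line in triage(SAMPLE_LOG):
        print(f"{sec}: {why}\n    {line}")
    for hive, name, cmd in run_entries(SAMPLE_LOG):
        print(f"startup {hive} [{name}] {cmd}")
```

Run it over a pasted log instead of SAMPLE_LOG and you get the same short list a helper would eyeball first: URL-bearing O8/O16 entries on bad hosts, stale "(file missing)" components, and the O4 Run entries that make up the startup list. The CLSID captured by parse_line is what you would paste into a CLSID lookup site.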
-
December 18th, 2005, 11:58 PM
#24
For a while I looked for adware and spyware etc., but after a while I noticed most of it was legitimate programs that you may just not need in startup. I have close to 2/3 of what you have, and almost all of mine is security apps and system stuff or apps for hardware installed. It looks like a lot of yours are extra programs like:
mm_tray.exe, mmtask.exe - Musicmatch
qttask.exe - QuickTime
EngUtil.exe, DrgToDsc.exe, RxMon.exe - Roxio
ISStart.exe, LogiTray.exe - do you really need these? I don't know; it may be for hardware specific to your machine, you might actually need it, looks like something to do with your video card maybe?
AOLSoftware.exe - I don't use AOL so I don't know if you need this; I know for a fact it's not AIM, I did use that before switching to Trillian
DataLayer.exe - what is this?
LaunchApplication.exe, PcSync2.exe - Nokia, for your phone I'm assuming, or something like that
winampa.exe - Winamp
msmsgs.exe - Microsoft Messenger; if you don't use it, it's really easy to get rid of it (I've never used it and remove it from every box I have: Start -> Control Panel, click Add/Remove Programs, click Add/Remove Windows Components, find it and remove it, but it's a personal choice; if that doesn't work for whatever reason, you can remove it manually by searching for msmsgs and deleting everything that comes up, but that's messier and I'm not sure it gets everything, HJT will remove the registry keys for you)
That's about it; those are just the ones that while reading I asked myself, does he really need those? You have to ask yourself, do you use those on a daily basis? I find it's a lot easier to just start up the application myself rather than have Windows do it at boot. The first 3 I would bet you don't use daily, and even if you did, is it worth it to have them in startup? The others I'm assuming you need, but do they need to be in startup? Many apps you can start when you need them.
That's it, and btw I like your name.
if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
Godsrock37
-
December 19th, 2005, 12:46 AM
#25
I agree with relyt... Surprisingly your HJT log looks pretty clean; there are some things that you don't need, but as far as security risks go, you're pretty clean...
Since you're booting up very slowly, I'd like to recommend typing "msconfig" in the Run prompt. Click the "Startup" tab and look through the list. This is a list of programs set to run on startup. Look for anything suspicious or any programs you don't think you need running at startup, uncheck it and click OK. If you're not sure what a particular program is, try googling it or post it here and we'll take a look at it.
-
December 19th, 2005, 01:06 AM
#26
DataLayer.exe - what is this?
=Nokia
You can use this free program to manage your startups, which may help free up some resources:
Start up Control Panel
Looks like you may have too many chat programs running at startup: ICQ, AIM and MSN Messenger.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
nwiz.exe is a part of NVidia's Nview features installable alongside its graphics hardware products. This application will give the user access to additional features which allow the configuration of up to 32 monitors on a host, or to expand the desktop across many monitors. This is a non-essential process. Disabling or enabling this is down to user preference.
Source is http://www.processlibrary.com/notfound/index.php
Unless you are using more than one monitor, you can disable this item in the startups.
Most of the 04's can be edited by using the Start Up Control Panel (see link above)
To find out what these CLSIDs
FB5F1910-F110-11d2-BB9E-00C04F795683 refer to, go to this site Castle Cops, copy and paste into the search field; if nothing comes up then try googling the CLSID, 9 times out of 10 you will be directed to Castle Cops.
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
This looks like a hijack of IE....
Internet Reset Hijack (iereset.inf hijack)
It's possible to reset your browser settings in Internet Explorer. You can do this by going to "internet options" then the programs tab.
When you click reset, Internet Explorer reads its default settings from a file called iereset.inf. This file basically carries out a few registry changes on the system, like altering the StartPage and DefaultSearchPage. Unfortunately some hijackers know that users may want to get rid of their hijack and that many users just click reset to undo the changes the hijacker made. Therefore some browser hijackers even go as far as to alter this file as well, so when the user clicks reset it just resets with the values the hijacker has already made.
[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
Above is a small portion of the file. You can see that this file is just text and it's possible to alter any one of these values. The searchalot.com hijack was known to alter these value in the iereset.inf file.
Source
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.exe
Have HJT fix this one....
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab
Safe to remove this as well...
To check your .exe's go to this site and copy and paste the exe into the search field Process Library
Be careful of what you have HJT fix, (make sure you have a backup made, before checking the items to be fixed), if unsure, I would recommend you submit your HJT log to either:
AumHa Forums
Or
Tomcoyote Forums
Someone at these sites will analyse your HJT log and give you clear instructions on how to clean up your PC.
Otherwise as was mentioned, you don't show any Malware/Spyware as such (I consider Messenger Plus as Crapware, just my HO), but with all of these chat programs, you will be susceptible to crap, basically reorganise your startups
(little plug for me, I am currently learning how to do this at TomCoyotes)....
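To see what a Reset would actually write before trusting it, here is an added example (not from the post above and not Microsoft's code) that resolves the %NAME% placeholders in a [RestoreBrowserSettings.reg] section against a [Strings] section, the usual INF layout, which is an assumption about this file's structure. The sample INF text, the host names and the "expected hosts" set are constructed; on a real machine you would read C:\WINDOWS\inf\iereset.inf and put your OEM's and Microsoft's hosts in the expected set.

```python
"""Show what an iereset.inf would write on 'Reset Web Settings'.

Added example, not from the post above and not Microsoft's code. It assumes
the %NAME% placeholders in [RestoreBrowserSettings.reg] are defined in a
[Strings] section (the usual INF layout); the sample INF and hosts are made up.
"""
import csv
import re
from urllib.parse import urlparse

SAMPLE_INF = """\
; constructed sample modelled on the fragment quoted in the thread
[RestoreBrowserSettings.reg]
HKLM,"Software\\Microsoft\\Internet Explorer\\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\\Microsoft\\Internet Explorer\\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
HKLM,"Software\\Microsoft\\Internet Explorer\\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\\Microsoft\\Internet Explorer\\Main\\UrlTemplate","1",0,"www.%s.com"
HKCU,"Software\\Microsoft\\Internet Explorer\\Main","Search Page",0,%SEARCH_PAGE_URL%

[Strings]
START_PAGE_URL="http://www.example-oem.test/"
SEARCH_PAGE_URL="http://search.hijack-sample.test/?q=%s"
"""

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def parse_inf(text):
    """Group non-comment lines by [Section]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def strings_table(sections):
    """NAME="value" pairs from the [Strings] section, quotes stripped."""
    table = {}
    for line in sections.get("Strings", []):
        name, _, value = line.partition("=")
        table[name.strip()] = value.strip().strip('"')
    return table


def resolve(value, table):
    # Unknown names stay as written, so printf-style %s in UrlTemplate survives.
    return VAR_RE.sub(lambda m: table.get(m.group(1), m.group(0)), value)


def planned_writes(text, section="RestoreBrowserSettings.reg"):
    """(hive, key, value name, resolved data) for every registry line."""
    sections = parse_inf(text)
    table = strings_table(sections)
    writes = []
    for line in sections.get(section, []):
        fields = next(csv.reader([line]))  # INF reg lines are comma separated, quoted
        if len(fields) < 5:
            continue
        hive, key, name, _flags, data = fields[:5]
        writes.append((hive, key, name, resolve(data, table)))
    return writes


def suspicious_writes(text, expected_hosts):
    """Writes whose URL host is not one you expect (your OEM's or Microsoft's)."""
    expected = {h.lower() for h in expected_hosts}
    out = []
    for hive, key, name, data in planned_writes(text):
        if data.lower().startswith(("http://", "https://")):
            host = (urlparse(data).hostname or "").lower()
            if host not in expected:
                out.append((hive, key, name, data))
    return out


if __name__ == "__main__":
    for w in planned_writes(SAMPLE_INF):
        print("would write:", w)
    for w in suspicious_writes(SAMPLE_INF, {"www.example-oem.test"}):
        print("CHECK THIS:", w)
```

The point of resolving the placeholders rather than grepping for a URL is that a modified file can look harmless in the .reg section (it still says %SEARCH_PAGE_URL%) while the [Strings] definition underneath has been changed; the resolved view shows the host the Reset button would really install.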
-
December 19th, 2005, 10:32 AM
#27
Originally posted here by Godly Soup
How did you know that though? That specific code to get it to work?
When you have skiddiots coming in and trying to install unwanted apps on your Internet Cafe computers, you need to have a few tricks up your sleeve...
If only I had realised that this would be an ongoing thing..
Originally posted here by ech0
front2back is ub3r 1337, either that or he's seen it before, or googled it. Don't discount the 1337 tho.
I wouldn't say that, but I do feel kind of l337 when I'm able to pull something amazing from the magical hat.
It's kind of funny to see the extreme ways these skiddies go to try and own my network..
And you can always pick the skiddiot from the normal user, as they look suspicious the minute they walk in the door..
+ they fumble when they go to insert their CD, and they keep looking over their shoulder to see what I or the other employees are doing..
cheers
front2back