  1. #21
    The ******* Shadow dalek
    Join Date
    Sep 2005

    To highlight xierox's comments, go to this site and read about "How did I get infected"; it has a lot of useful tips on keeping your PC healthy...
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  2. #22
    Member Godly Soup
    Join Date
    Dec 2005
    In utter and endless vanity. Humbleness, oh how I miss thee.
    Okay, here you go. And of course I'm gonna learn about that, that's why I joined this site. lol
    It won't let me attach it as a file so I'm just gonna paste it:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:19:13 PM, on 12/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Common Files\AOL\1133064900\ee\AOLSoftware.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\Program Files\Logitech\Video\LowLight.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Dustin\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antionline.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133064900\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxmk772DGUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    There you go.
    This is our world now. The world of the electron and the switch. The beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try and make us think it's for our own good, yet we are the criminals. Yes I am a criminal. My crime is that of curiosity. I am a hacker and this is my manifesto. You may stop me but you can't stop us all.

    That's right. I'm 10100111001.

  3. #23
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest
    Might have some work to do there, mate.

    Possible crap that needs to be removed:

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...?p=ZNxmk772DGUS

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.exe


    Edit: On the line: O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printra

    I'm assuming it should read: /printray.exe

    If not, the y.exe is a trojan that needs to be removed.

    Process File: y or y.exe
    Process Name: w32.small Virus

    y.exe is a process which is registered as the w32.small Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

    Connection refused, try again later.
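The triage relyt is doing by eye above (flagging O8 and O16 entries that load from domains the user does not recognise, and entries whose target file is missing) can be scripted. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the hostnames in the posted log with the URL paths replaced by placeholders, and the allowlist of domains is an assumption for this user's machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HJT-style lines modelled on the log in this thread, with
# URL paths replaced by placeholders (only the hostnames are taken from the log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.antionline.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/EXAMPLE-PATH
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/EXAMPLE.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/EXAMPLE.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Assumed allowlist of domains this particular user recognises; anything else
# that IE is configured to load from gets a second look.
KNOWN_GOOD = {"microsoft.com", "msn.com", "yahoo.com", "antionline.com", "emachines.com"}

SECTION_RE = re.compile(r"^(R[0-3]|O\d+) - ")
URL_RE = re.compile(r"https?://\S+")
URL_SECTIONS = {"R0", "R1", "O8", "O14", "O16"}   # HJT sections that carry URLs

def registrable_domain(host):
    """Crude last-two-labels reduction: ak.imgfarm.com -> imgfarm.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def triage_line(line):
    """Return (section, reason) when an HJT line deserves a look, else None."""
    m = SECTION_RE.match(line)
    if not m:
        return None
    section = m.group(1)
    if "(file missing)" in line:
        return section, "entry points at a file that no longer exists"
    if section in URL_SECTIONS:
        u = URL_RE.search(line)            # file:// entries are local and skipped
        host = urlparse(u.group(0)).hostname if u else None
        dom = registrable_domain(host) if host else None
        if dom and dom not in KNOWN_GOOD:
            return section, f"loads from unrecognised domain {dom}"
    return None

def triage(log_text):
    """Run triage_line over a whole log; keeps the offending line for the report."""
    findings = []
    for raw in log_text.splitlines():
        hit = triage_line(raw.strip())
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings
```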

  4. #24
    Senior Member Godsrock37
    Join Date
    Jan 2005
    For a while I looked for adware and spyware etc., but after a while I noticed most of it was legitimate programs that you may just not need in startup. I have close to 2/3 of what you have and almost all of mine is security apps and system stuff or apps for hardware installed. It looks like a lot of yours are extra programs like:

    mm_tray.exe, mmtask.exe - Musicmatch

    qttask.exe - QuickTime

    EngUtil.exe, DrgToDsc.exe, RxMon.exe - Roxio

    ISStart.exe, LogiTray.exe - do you really need these? I don't know, it may be for hardware specific to your machine; you might actually need it (looks like something to do with your video card maybe?)

    AOLSoftware.exe - I don't use AOL so I don't know if you need this; I know for a fact it's not AIM, I did use that before switching to Trillian

    DataLayer.exe - what is this?

    LaunchApplication.exe, PcSync2.exe - Nokia, for your phone I'm assuming, or something like that

    winampa.exe - Winamp

    msmsgs.exe - Microsoft Messenger; if you don't use it, it's really easy to get rid of it (I've never used it and remove it from every box I have: Start -> Control Panel, click Add/Remove Programs,
    click Add/Remove Windows Components, find it and remove), but it's a personal choice (if that doesn't work for whatever reason, you can remove it manually by searching for msmsgs and deleting everything that comes up, but that's messier and I'm not sure it gets everything; HJT will remove the registry keys for you)

    That's about it; those are just the ones that while reading I asked myself, does he really need those? You have to ask yourself, do you use those on a daily basis? I find it's a lot easier to just start up the application myself rather than have Windows do it at boot. The first 3 I would bet you don't use daily, and even if you did, is it worth it to have them in startup? The others I'm assuming you need, but do they need to be in startup? Many apps you can start when you need them.

    That's it, and btw I like your name
    if God was willing to live all out for us, why aren't we willing to live all out for Him? God bless,
    my home my forum

  5. #25
    Join Date
    Apr 2004
    Might have some work to do there, mate.

    Possible crap that needs to be removed:

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...?p=ZNxmk772DGUS

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.exe
    I agree with relyt... Surprisingly your HJT log looks pretty clean; there are some things that you don't need, but as far as security risks go, you're pretty clean...

    Since you're booting up very slowly I'd like to recommend typing "msconfig" in the Run prompt. Click the "Startup" tab and look through the list. This is a list of programs set to run on startup. Look for anything suspicious or any programs you don't think you need running at startup, uncheck it and click OK. If you're not sure what a particular program is, try googling it or post it here and we'll take a look at it.
    I am the uber duck!!1
    Proxy Tools

  6. #26
    The ******* Shadow dalek
    Join Date
    Sep 2005
    DataLayer.exe - what is this?

    You can use this free program to manage your startups, which may help free up some resources:
    Start up Control Panel

    Looks like you may have too many chat programs running at startup: ICQ, AIM and MSN Messenger.
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    nwiz.exe is a part of NVidia's Nview features installable alongside its graphics hardware products. This application will give the user access to additional features which allow the configuration of up to 32 monitors on a host, or to expand the desktop across many monitors. This is a non-essential process. Disabling or enabling this is down to user preference.
    Source is http://www.processlibrary.com/notfound/index.php

    Unless you are using more than one monitor, you can disable this item in the startups.

    Most of the O4's can be edited by using the Start Up Control Panel (see link above).

    To find out what these CLSIDs (e.g. FB5F1910-F110-11d2-BB9E-00C04F795683) refer to, go to this site Castle Cops and copy and paste into the search field; if nothing comes up then try googling the CLSID, 9 times out of 10 you will be directed to Castle Cops.

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    This looks like a hijack of IE....

    Internet Reset Hijack (iereset.inf hijack)

    It's possible to reset your browser settings in Internet Explorer. You can do this by going to "internet options" then the programs tab.

    When you click reset, Internet Explorer reads its default settings from a file called iereset.inf. This file basically carries out a few registry changes on the system, like altering the StartPage and DefaultSearchPage. Unfortunately some hijackers know that users may want to get rid of their hijack and that many users just click reset to undo the changes the hijacker made. Therefore some browser hijackers even go as far as to alter this file as well, so when the user clicks reset it just resets with the values the hijacker has already made.

    HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
    HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
    HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
    HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

    Above is a small portion of the file. You can see that this file is just text and it's possible to alter any one of these values. The searchalot.com hijack was known to alter these values in the iereset.inf file.
    Source

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.exe

    Have HJT fix this one....

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab

    Safe to remove this as well...

    To check your .exe's, go to this site and copy and paste the exe into the search field: Process Library

    Be careful of what you have HJT fix, (make sure you have a backup made, before checking the items to be fixed), if unsure, I would recommend you submit your HJT log to either:

    AumHa Forums

    Tomcoyote Forums

    Someone at these sites will analyse your HJT log and give you clear instructions on how to clean up your PC.

    Otherwise, as was mentioned, you don't show any Malware/Spyware as such (I consider Messenger Plus as Crapware, just my HO), but with all of these chat programs you will be susceptible to crap; basically, reorganise your startups.

    (little plug for me, I am currently learning how to do this at TomCoyotes)....
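The post describes how a hijacker edits iereset.inf so that the %START_PAGE_URL% and %SEARCH_PAGE_URL% strings the registry lines reference resolve to its own sites. As an added example (not from the post, and not Microsoft's file), the following resolves those INF string variables and flags any Internet Explorer\Main URL that does not land on a domain the reset is expected to point at. The [Strings] and [AddReg] section names, the TRUSTED set and the URL values are assumptions constructed for the sample.

```python
import re
from urllib.parse import urlparse

# Constructed iereset.inf fragment: the registry lines quoted in the post plus an
# assumed [Strings] section; section names and URL values are invented for the
# sample, with START_PAGE_URL imitating the searchalot.com hijack the post mentions.
TAMPERED_INF = r"""[Strings]
START_PAGE_URL="http://www.searchalot.com/"
SEARCH_PAGE_URL="http://www.microsoft.com/EXAMPLE-SEARCH"
[AddReg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
"""
# Same file with the start page restored to a vendor domain, for comparison.
CLEAN_INF = TAMPERED_INF.replace("http://www.searchalot.com/", "http://www.microsoft.com/")

TRUSTED = {"microsoft.com", "msn.com"}   # assumed: where stock reset values point
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
REG_RE = re.compile(r'^(HKLM|HKCU),"([^"]*)","([^"]*)",\s*\d+,(.*)$')
IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"

def parse_strings(inf_text):
    """Collect NAME=value pairs from the [Strings] section, quotes stripped."""
    strings, in_strings = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_strings = line.lower() == "[strings]"
        elif in_strings and "=" in line:
            name, _, value = line.partition("=")
            strings[name.strip()] = value.strip().strip('"')
    return strings

def resolve(value, strings):
    """Substitute %NAME% references as INF processing does; unknown names stay."""
    return VAR_RE.sub(lambda m: strings.get(m.group(1), m.group(0)), value).strip().strip('"')

def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])   # www.searchalot.com -> searchalot.com

def audit_iereset(inf_text):
    """(hive, value name, resolved URL) for each IE Main value whose reset target is untrusted."""
    strings = parse_strings(inf_text)
    findings = []
    for line in inf_text.splitlines():
        m = REG_RE.match(line.strip())
        if not m or not m.group(2).startswith(IE_MAIN):
            continue
        hive, _, name, raw = m.groups()
        url = resolve(raw, strings)
        host = urlparse(url).hostname          # None for non-URL values, which are skipped
        if host and registrable_domain(host) not in TRUSTED:
            findings.append((hive, name, url))
    return findings
```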

  7. #27
    Originally posted here by Godly Soup
    How did you know that though? That specific code to get it to work?
    When you have skiddiots coming in and trying to install unwanted apps on your Internet Cafe computers, you need to have a few tricks up your sleeve...
    If only I realised that this would be an ongoing thing..

    Originally posted here by ech0
    front2back is ub3r 1337, either that or he's seen it before, or googled it. Don't discount the 1337 tho.
    I wouldn't say that, but I do feel kind of l337 when I'm able to pull something amazing from the magical hat.
    It's kind of funny to see the extreme ways these skiddies go to try and own my network..
    And you can always pick the skiddiot from the normal user, as they look suspicious the minute they walk in the door..
    + they fumble when they go to insert their CD, and they keep looking over their shoulder to see what I or the other employees are doing..

