HT Log File...help please!

By Steve05
Jun 18, 2005
Topic Status:
Not open for further replies.
  1. I just want to check my PC for infection. Please analyze my log file...
    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 5:52:01 PM, on 6/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\system32\epx.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Common Files\Real\Update_OB\realevent.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\Brian Walker\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jvhtrhgbdsrbc.net/f8hSem...aSyYWSS_p6.html
    O2 - BHO: (no name) - {8B1F6056-7DC8-37CE-FEE6-2EE70630097A} - C:\PROGRA~1\GLUEVI~1\meow barb.exe
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [rect bird] C:\PROGRA~1\AXISIN~1\ford eq window.exe
    O4 - HKLM\..\Run: [epx] C:\WINDOWS\system32\epx.exe
    O4 - HKLM\..\Run: [GplTypeMemoMeal] C:\Documents and Settings\All Users\Application Data\Pop Jump Gpl Type\Pure Rule.exe
    O4 - HKLM\..\Run: [Manager Team Scr Frag] C:\Documents and Settings\All Users\Application Data\Uploadballmanagerteam\jump chin.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sh...bin/AvSniff.cab
    O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/301e78e80a83a2...tzip/RdxIE2.cab
    O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/..._1/axofupld.cab
    O16 - DPF: {D2C6BEF3-C41B-446F-B15E-AFD87027C9FD} (DellSoft.Client) - http://inside.us.dell.com/it/enterp...ft/DellSoft.cab
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  3. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    But some experts told me to use that site only as a guide.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    They showed you exactly what to get rid of.

    BTW, strange seeing you help other people with HJT problems, and you can't fix your own?
  5. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    Does that mean you can't analyse my log file?
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hey RBS. What a smashing bit of kit.

    Excellent find mate. Page is bookmarked.

    Regards Howard :) :)
  7. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    OK guys, thanks for your efforts, I'll go and try my luck at other forums I guess :)
  8. Spike

    Spike Newcomer, in training Posts: 2,371

    That is absolutely brilliant!!!

    One thing though....

    Why does it mark the Download Accelerator Plus executable as a nasty, and not give an explanation of what it is?
    It wonders if the Cortona VRML viewer control is a possible nasty,
    and it wonders if my DNS servers are a possible nasty (nope! lol)

    I know the free DAP version is ad-supported, so that possibly explains that - but I do wonder whether people with little experience could use this tool. Great if you know what you're doing, though.
  9. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    Hijack This Analysis - A note for the inexperienced! This site provides an online analysis of logs, but be warned that it is not to be used solely when checking logs. It gives some false positives and should only be used in conjunction with other resources and tools - as a guide only.
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  11. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    That's not helping...thanks anyway:)
     
  12. Spike

    Spike Newcomer, in training Posts: 2,371

    There's probably not a lot of use in asking for help unless you're going to help yourself.

    You know you're infected, because you've been told. You should know you're heavily infected by visiting the link you were given. These things alone should help. You've been given instructions which have been proven time and time again. One of the instructions (how to post your HJT files) you should have read in the sticky at the top of the forum before posting.

    It's crazy. Nobody can help you if you're not prepared to take advice and do the work.
  13. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Absolutely spot on Spike. I couldn't agree with you more.

    Steve05. Just follow the instructions, it's all there for you. If you can be bothered. :cool:

    Regards Howard :grinthumb
  14. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    It doesn't make any difference, does it? Even if I attach the log file, I bet no one here is able to analyse it... sigh! Now I know why they told me not to ask for help in here... ;)
  15. Spike

    Spike Newcomer, in training Posts: 2,371

    It makes a lot of difference. Firstly, the how to remove begintosearch thread gets rid of a lot of rubbish.

    Secondly, attaching the file makes the thread easier and quicker to read, and looks far less untidy.

    Many of us even find that it takes less effort to read it in Notepad than on the forum.

    If 'they' told you not to come here though, what I want to know is why 'they' haven't analysed it for you. All you've actually shown here is that you don't want to do anything. If you follow BOTH sets of instructions, we'll do our best to help.

    Almost all of those people who have followed them before now have been successfully helped.
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Originally posted By RBS.
    Does that sound to you like no one is going to look at your log?

    It's up to you whether you follow the advice given. If you don't want to, then of course that's your prerogative.

    Regards Howard :suspiciou
  17. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    OK, Mr Drama Queen. I have only about 5,000 posts because I don't help anyone; I just love to boost my number of posts. And they only made me a moderator because I have such good looks.
    My post about getting rid of Websearch nasties has only been read well over 50,000 times because it is so bad, and nobody knows what to do.
    Really? Then go get your help somewhere else...
  18. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    As expected..;)
    Why don't you just tell me the fixes... I prefer it that way instead of reading all those spamming posts.

    heh.. :) no hard feelings, dude... chill out! It doesn't mean this forum is lousy, it's good actually... just the etiquette...
  19. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Other than *****, moan and complain, what have you done? Did you get the analysis done at that website I gave you?
    As for etiquette, you getz advise, you followz up. If not, you sufferz...
  20. Spike

    Spike Newcomer, in training Posts: 2,371

    Spamming posts? 50,000 people didn't think so! (nor the people of this board!)

    You don't like the way we do things? well, you have your options - take it or leave it.

    If you'd followed the advice in the first place, you'd have had it all done and dusted by now. I could sit here replying for hours. Doesn't bother me - I'm not the one with an infected machine, and neither is Howard or RBS.
  21. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    C:\WINDOWS\DELLMMKB.EXE - This is an unknown process.
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe - This is an unknown process.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jvhtrhgbdsrbc.net/f8hSem...aSyYWSS_p6.html - This is safe? :dead:
    O2 - BHO: (no name) - {8B1F6056-7DC8-37CE-FEE6-2EE70630097A} - C:\PROGRA~1\GLUEVI~1\meow barb.exe - Unknown too??? :bounce:
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab - Possibly nasty huh?

    c'mon! You can do better than that can't you? :rolleyes:
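The entries Steve05 picks out above (the SearchAssistant pointing at a random-looking domain, the nameless BHO, the oddly named Run entries, the ActiveX control pulled from a bare IP) are exactly the patterns a first-pass triage of a HijackThis log looks for. The following is an added example written for this page, not code from the thread, from HijackThis or from the online analyzer the posters mention. The heuristics (consonant-run hostnames, word-salad executable names, autoruns from All Users\Application Data, O16 downloads from IP literals) are my own assumptions about what deserves a manual look; the sample entries are copied from the log in the first post, with a few benign ones kept for contrast.

```python
"""Heuristic triage of HijackThis (HJT) log entries.

Added example for this page, not part of HijackThis or the online analyzer
referred to in the thread. The heuristics are assumptions about what makes
an entry worth a manual look; like the analyzer the thread warns about, they
can produce false positives and are a guide only.
"""
import re
from urllib.parse import urlparse

# Entries copied from the log posted earlier in this thread, with a few
# benign ones left in for contrast.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jvhtrhgbdsrbc.net/f8hSem...aSyYWSS_p6.html",
    r"O2 - BHO: (no name) - {8B1F6056-7DC8-37CE-FEE6-2EE70630097A} - C:\PROGRA~1\GLUEVI~1\meow barb.exe",
    r"O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [rect bird] C:\PROGRA~1\AXISIN~1\ford eq window.exe",
    r"O4 - HKLM\..\Run: [epx] C:\WINDOWS\system32\epx.exe",
    r"O4 - HKLM\..\Run: [GplTypeMemoMeal] C:\Documents and Settings\All Users\Application Data\Pop Jump Gpl Type\Pure Rule.exe",
    r"O4 - HKLM\..\Run: [Manager Team Scr Frag] C:\Documents and Settings\All Users\Application Data\Uploadballmanagerteam\jump chin.exe",
    r"O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY",
    r"O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab",
    r"O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab",
]

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
URL = re.compile(r"https?://\S+")
# Windows path ending in .exe or .dll; stops at a quote so "path" /switch parses.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Five or more consonants in a row (assumed marker of a machine-generated hostname).
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.IGNORECASE)
SHARED_APPDATA = re.compile(r"\\All Users\\Application Data\\", re.IGNORECASE)


def url_host(text):
    """Hostname of the first URL in text, or None."""
    m = URL.search(text)
    return urlparse(m.group(0)).hostname if m else None


def exe_path(text):
    """First Windows executable/DLL path in text, or None."""
    m = WIN_PATH.search(text)
    return m.group(0) if m else None


def triage(line):
    """Return the reasons an HJT entry deserves a manual look ([] if none)."""
    m = ENTRY.match(line)
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    host = url_host(body)
    path = exe_path(body)

    if section in ("R0", "R1") and host and CONSONANT_RUN.search(host):
        reasons.append("browser setting points at a random-looking hostname")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO registered without a name")
    if section == "O16" and host and IP_HOST.match(host):
        reasons.append("ActiveX control downloaded from a bare IP address")
    if section == "O4" and path and SHARED_APPDATA.search(path):
        reasons.append("autorun launched from All Users\\Application Data")
    if section in ("O2", "O4") and path:
        name = path.rsplit("\\", 1)[-1]
        if " " in name:  # "meow barb.exe", "Pure Rule.exe": word-salad names
            reasons.append(f"word-salad executable name: {name}")
    return reasons


def scan(lines):
    """List of (line, reasons) for every flagged entry, in log order."""
    findings = []
    for line in lines:
        reasons = triage(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, the six flagged entries are the same ones the thread argues about; the yahoo.com start page, the McAfee toolbar, the NVIDIA and Kazaa autoruns and the Snapfish control pass. Note what the heuristics do not catch: an entry like `C:\WINDOWS\system32\epx.exe` has nothing odd in its name or location and still needs a manual check (file properties, hash lookup, vendor), which is the point the posters make about using automated analysis as a guide only.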
  22. shimmer

    shimmer Newcomer, in training

    Steve05, if you didn't have any intention of using the advice you got here, then why bother asking and wasting other people's time? Oh, and as for you, RealBlackStuff, good looking, huh? :rolleyes: :p
  23. Steve05

    Steve05 Newcomer, in training Topic Starter Posts: 51

    shimmer, you don't have to flatter the promoted; I understand your situation. This is my thread and I really don't need your spamming in here. Save your friendly advice for another pal. And I already attached the log file... still waiting for the response...
  24. shimmer

    shimmer Newcomer, in training

    Yikes, what side of the bed did you get out of? :p Who says anything about spamming? Get your facts right before you reply to me, and as for flattering the promoter, I couldn't give a monkey's toss, 'cos he's got nothing I'd want, lol... well, OK, maybe some advice ;)
  25. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    This is turning into a farce.

    Steve05, please take your bad attitude somewhere else.

    Thread closed.