TechSpot

[Inactive] Hijackthis log

By FastTaco
Mar 10, 2010
Topic Status:
Not open for further replies.
  1. Hi this is a small 20 something line log, I'm not sure what most of it is so I was hoping someone with experience can go over it.

    Thankyou.


    Logfile of HijackThis v1.99.1
    Scan saved at 2:17:27 AM, on 3/10/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\yadayada.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15187&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: FLockObj Class - {97F4988F-6D68-4abc-9F18-7B5AAFFDACE4} - C:\Program Files\GiliSoft\File Lock 3.2\FolderLockPlugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265644587531
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3B22EBD0-950C-4025-AEBD-E71C6C06269D}: NameServer = 68.105.29.11,68.105.28.11
    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: M - Unknown owner - C:\DOCUME~1\RyanS\LOCALS~1\Temp\M.exe (file missing)
    O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    FastTaco, in order for us to check the system for malware, please do the following:

    1. Tell us what problem(s) you are having.
    2. Follow the preliminary virus and malware removal steps HERE.
    3. Attach the 3 logs from the scans to you next reply. We will review them and go from there.

    A HijackThis log alone is not sufficient and we have to know what the problem is.

    Edit: I checked the HJT log and would like you to do the following:
    Click on Start> Run> type in services.msc> scroll down to M.exe and double click on it> Change the Startup type to Disabled> Stop the Service.

    NOTE: You might not find this Service listed as 'M' because it can have a random name. So if it's not there, don't worry- we'll find it elsewhere.

    And a note about the log: The size doesn't matter- it's what's in it. Most of the entries you see will be legitimate, so do not remove entries from a HJT log unless specifically told to.
  3. FastTaco

    FastTaco Newcomer, in training Topic Starter

    'M' service was found and disabled. Weird I never saw that before.

    My problem was from last week when I did a scan with Malware bytes I had a few trojans, mal/spyware, and a keylogger named Winvestigator. Sorry I don't have the log from last week but heres the new logs - they are clean btw.


    I just want to make sure its all gone now. thanks. :)

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    .
    Then Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Follow with rescan using HijackThis. Attach Combofix report and logs from the Eset scan and HJT in your next reply.
  5. FastTaco

    FastTaco Newcomer, in training Topic Starter

    Thanks, heres the logs.

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I missed this first time around. you are running an outdated version of HijackThis. Please remove it and any logs it created. Download the current version, v1.2.2 HERE.

    You also did not disable the security when running Combofix:
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}


    Please delete the Combofix log on your desktop. Rescan after following this:
    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    Running the scans correctly assures us that we get the most accurate results available. And we ask this:
    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!! DO NOT make any Registry Changes. And it is recommended that if you are running any Registry editing program, that you either uninstall or disable while we are in the cleaning process

    You have downloaded several programs, visited the 'torrentpirateer' on the same date, and accumulated data for the programs. 3/13-3/14/2010.

    You're using file sharing: Azureus, torrentpirateer. You've let uTorrent through the firewall.

    You have malware called Trunlow and also known as Psyme, which is a Trojan designed to steal user passwords. It is distributed through specific links found in malicious web. I can help to remove that- but it isn't worth my time if you've got P2P incoming while I'm trying!

    You've also got some locked Registry keys that need to be checked.

    So the burden is on you- clean the system up and stop changing it by downloading and installing.
    Follow the specific instructions when running scans- or keep and keep getting the malware.

    I do suggest you run this online scan right off and leave the log:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.