HijackThis log from my grandfather's computer

Discussion in 'Windows - Virus and spyware problems' started by tomdw, Feb 6, 2008.

  1. tomdw

    tomdw Guest

    My grandfather is getting a trojan infection warning from AVG almost every day, so he wanted some help.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:29:03, on 6/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\windows\system\sysmod.exe
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\sistray.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\MSN Messenger\usnsvc.exe
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Arquivos de programas\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Arquivos de programas\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [volume] C:\windows\system\sysmod.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (file missing)
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://imagem.caixa.gov.br/cab/gbpdist.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

    Thank you!
     
  2. silk42

    silk42 Regular member

    Joined:
    Dec 21, 2007
    Messages:
    591
    Likes Received:
    0
    Trophy Points:
    26
    Read my suggestion made here.
     
  3. tomdw

    tomdw Guest

    Moderators, should I click on the link silk42 posted above?? Seems a little bit strange to not give me a direct answer...
     
  4. silk42

    silk42 Regular member

    Since you're too lazy to click on the link, here's what the link says.

    I could read through the log and see if anything stands out, but I think it's more useful for you to learn how to understand the log yourself. I recommend reading the following to help you understand what's in the log.

    http://forums.majorgeeks.com/showthread.php?t=38752

    Then if you have a question about a particular line in the log, come back and post it.

    For those of you too lazy to read, you can have your logs analyzed at the following sites.
    Help2Go
    HijackThis Analysis

    Just a little rant. We're here to help, but we're not paid to do so. Don't expect us to come to your house and fix your problems for you. Our advice will help, but you must take some initiative to read.
     
    Last edited: Feb 8, 2008
  5. tomdw

    tomdw Guest

    WOOOOOOWW, CALM DOWN, you don't even know me and already you accuse me...??
    First of all, I'm not at all lazy to read!!!!!!

    I had in the past on another forum big problems by clicking on a link and that brought me a lot of unwanted things... Yes I'm a newbie and I want to learn more about computers, but if this is the treatment for a new member...???

    I know that you guys are not paid to help other persons, I'm not stupid. I know a little about computers and that's why I preferred to post my answer here, I think it's the best forum!

    I understand that there are a lot of people out there who are lazy, but do not think that everybody is the same!!

    Thank you for your answer, I will look and learn.
    Tom
     
  6. silk42

    silk42 Regular member

    Fair enough. We'll make a deal. You don't assume that every link that someone gives is going to lead to a virus and I won't assume that people that question my attempts to help are simply too lazy to read.
     
  7. tomdw

    tomdw Guest

    OK, DEAL.

    But, in the world we're living in today, who to trust anyway??



     
  8. tomdw

    tomdw Guest

    Silk42,

    OK, did the read on the log, learned a lot and I have a few questions.

    This is the new Hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:21:10, on 13/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Arquivos de programas\MSN Messenger\usnsvc.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Arquivos de programas\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Arquivos de programas\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Arquivos de programas\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - https://imagem.caixa.gov.br/cab/gbpdist.cab
    O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)

    Here are the questions:

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    Do I really need this one, as it is just a link helper?

    O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)

    This one I didn't find because the number is different, ends with 0003 instead of 0000?? Delete it?

    O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
    Leave it or not? Seems like an automatic updater, so I think it's safe.

    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    On the site they are not sure if it's required? What do you think?

    O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    What about these 2? On the site they say they are mostly used by trojans or hijackers, delete them?

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    To delete or not? They say to handle with extreme care.

    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
    I tried to delete it but it's coming back...

    In general, if the note (file missing) appears, does this mean that you can be almost sure to delete it??

    I'm sorry for the amount of questions, but I wanted to be sure before deleting! Thanks.
     
  9. silk42

    silk42 Regular member

    First of all, before making any changes, it's always a good idea to create a restore point. You can do this by going to Start, All Programs, Accessories, System Tools, and then select System Restore. From there, follow the steps to create a Restore Point. This will be useful in case any of the changes causes problems, you can simply restore your computer to this point and try again.

    With that being said, it looks safe to remove some of those items. The Adobe Link Helper allows you to click on a web link inside a PDF and it will launch your default browser. I find this to be useful, but if you don't read PDFs often, then it's safe to remove. If you ever want to go to a link that's in a PDF, you'll simply have to copy and paste the address into a browser address bar.

    The AdobeUpdater allows Adobe Acrobat to check for new updates. This too can be useful, as there are exploits that come out for this product that can cause serious issues. However, you can also manually check for updates within Adobe Acrobat by selecting Help from the File Menu and then selecting Check for Updates.

    The SiSPower line most likely pertains to your motherboard's power management. You can read about it here. While there is no guarantee that someone could have created an exploit and used this same file name, it's probably safe to leave alone. Again, this is where the Restore Point comes in handy, because you can try testing it and if it causes problems, you can restore it.

    WgaLogon.dll is part of Microsoft's Windows Genuine Advantage program. It's safe to leave alone, assuming you have a legitimate copy of Windows.

    WPDShServiceObj.dll is part of Windows as well. It helps with connecting Windows Portable Devices. It's safe to leave alone.

    From what I can tell, everything that I didn't mention can be removed. I hope this helps.
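
Added example, not part of the thread or any poster's code: a small Python parser for the HijackThis entry lines quoted in the posts above, which lists entries marked `(no file)` or `(file missing)` and shows which entries disappeared between the Feb 6 and Feb 13 scans. The two sample scans are excerpts of lines taken from the logs in this thread; the function and variable names are assumptions of this example.

```python
import re

# Entry lines start with a section code such as R0, O2, O4, O20 or O23.
ENTRY_RE = re.compile(r"^\s*(?P<code>[RFNO]\d{1,2}) - (?P<body>.+?)\s*$")
# HijackThis appends one of these markers when the referenced file is not on disk.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)

def parse_entries(log_text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def orphaned(entries):
    """Entries whose target file the scan could not find."""
    return [(code, body) for code, body in entries if ORPHAN_RE.search(body)]

def removed_between(before, after):
    """Entries present in the earlier scan but absent from the later one."""
    later = set(after)
    return [entry for entry in before if entry not in later]

# Excerpt of the Feb 6 log from the thread (not the full log).
SCAN_FEB6 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [volume] C:\windows\system\sysmod.exe
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
"""

# Excerpt of the Feb 13 log from the thread (not the full log).
SCAN_FEB13 = r"""
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\ARQUIV~1\GbPlugin\GbpSv.exe (file missing)
"""

if __name__ == "__main__":
    feb6, feb13 = parse_entries(SCAN_FEB6), parse_entries(SCAN_FEB13)
    for code, body in orphaned(feb13):
        print("still orphaned:", code, "-", body)
    for code, body in removed_between(feb6, feb13):
        print("gone since Feb 6:", code, "-", body)
```

An orphan marker only says the referenced file was not found at scan time; as the GbpSv service in the thread shows, a deleted entry can come back, so note which entries reappear in a later scan.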
     
  10. tomdw

    tomdw Guest

    OK, thanks silk42!

    The Adobe link helper is very useful as you said, so better leave it.
    The AdobeUpdater, if it does the updates automatically, better leave it where it is.
    The SIS came from a motherboard installation CD, so it's OK.
    The WgaLogon.dll, there's not a legitimate copy of Windows on this computer... every time it gives a warning that it isn't. So better remove it...?

    Thanks,
    Tom
     
