
I'm new and this is my HijackThis log

Discussion in 'Windows - Virus and spyware problems' started by roxyholly, Apr 17, 2006.

  1. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok, sorry for the delay, I've been busy....

    @roxyholly

    You can fix these entries with HijackThis if you want to free your memory: (not required startups)

    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125413510\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

    As for that DVD burning problem, I suggest you post it here -> http://forums.afterdawn.com/forum_view.cfm/125

    @handsom

    Ok, post the logs when you're ready.
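The O4 lines JaPK lists above are Run-key and Startup-folder autostarts, and the interesting part of each is which file actually executes. The following is an added example, not code from this thread or from HijackThis: a small Python parser that extracts that file from each O4 line (including the rundll32/regsvr32-hosted entries and unquoted paths with spaces that appear in the logs here) and flags the cases where the name alone does not pin down a file. The flag rules and the EXPECTED_ROOTS list are this example's own assumptions; the sample lines are copied from the logs posted in this thread.

```python
"""Pull the autostart binaries out of the O4 lines of a HijackThis 1.99 log.

Added example; it is not part of this thread or of HijackThis. The line
shapes are those of the logs posted in the thread; the flags and the
EXPECTED_ROOTS list are this example's own heuristics.
"""
import ntpath
import re

O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O4_STARTUP = re.compile(
    r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>[^=]+?) = (?P<cmd>.*)$"
)
# Host binaries whose real payload is named in their arguments.
HOSTS = {"rundll32.exe", "regsvr32.exe"}
EXE_EXT = (".exe", ".dll", ".cpl", ".scr", ".com", ".bat")
# Where a stock Windows XP box keeps its autostart programs (assumption).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def _tokenize(cmd):
    """Split a command line on whitespace, keeping "quoted paths" whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def executable_of(cmd):
    """Return (path that really runs, unquoted_spaces) for a Run-key command line."""
    tokens = _tokenize(cmd)
    if not tokens:
        return "", False
    exe, rest = tokens[0], tokens[1:]
    unquoted_spaces = False
    # An unquoted path with spaces is split by the tokenizer; rejoin it up to the
    # first executable extension. This is also where CreateProcess is ambiguous:
    # it tries C:\Program.exe before C:\Program Files\...\AOLDial.exe.
    while rest and not exe.lower().endswith(EXE_EXT):
        exe += " " + rest.pop(0)
        unquoted_spaces = True
    if ntpath.basename(exe).lower() in HOSTS:
        # rundll32 takes "dll,EntryPoint"; regsvr32 takes /switches then the dll.
        payload = [t for t in rest if not t.startswith("/")]
        if payload:
            exe, unquoted_spaces = payload[0].split(",")[0], False
    return exe, unquoted_spaces


def flags_for(exe, unquoted_spaces):
    """Heuristic flags describing how the autostart binary is located."""
    flags = []
    if "\\" not in exe:
        flags.append("bare-name")        # resolved through the PATH search order
        return flags
    if unquoted_spaces:
        flags.append("unquoted-spaces")  # a stray C:\Program.exe would run instead
    if re.search(r"~\d", exe):
        flags.append("short-path")       # 8.3 name hides the real directory name
    if not exe.lower().startswith(EXPECTED_ROOTS):
        flags.append("unusual-root")
    return flags


def parse_o4(line):
    """Return a dict for one O4 line, or None for any other HijackThis line."""
    m = O4_RUN.match(line)
    if m:
        entry = m.groupdict()
        exe, unq = executable_of(entry["cmd"])
    else:
        m = O4_STARTUP.match(line)
        if not m:
            return None
        entry = m.groupdict()
        entry["key"] = ""
        exe, unq = entry["cmd"].strip(), False  # a .lnk target is a path, not a command
    entry["name"] = entry["name"].strip()
    entry["exe"] = exe
    entry["flags"] = flags_for(exe, unq)
    return entry


def triage(log_lines):
    """Parse every O4 line in a log; other line types are ignored."""
    return [e for e in (parse_o4(l.strip()) for l in log_lines) if e]


def findings_by_name(log_lines):
    return {e["name"]: e for e in triage(log_lines)}


# Sample lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
""".splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['hive']:<8}{e['name']:<26}{e['exe']:<62}{', '.join(e['flags']) or 'ok'}")
```

Run it and the two Creative entries come out as bare names (CTHELPER.EXE and CTASIO.DLL are whatever the PATH search finds first), the Port Magic entry as an 8.3 short path, and AOLDialer as an unquoted path with spaces. None of those flags means the entry is malicious; they mark the lines where you should confirm on the machine which file really runs before deciding whether to fix the entry.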
     
  2. handsom

    handsom Regular member

    Joined:
    Mar 29, 2006
    Messages:
    1,210
    Likes Received:
    0
    Trophy Points:
    46
    Ewido Scan:

    --------------------------------------------------------------------
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 9:15:55 AM, 4/30/2006
    + Report-Checksum: B0164AA1

    + Scan result:

    :mozilla.14:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.71:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.113:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.114:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.116:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.117:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.118:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.168:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
    :mozilla.169:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
    :mozilla.170:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
    :mozilla.171:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
    :mozilla.179:C:\Documents and Settings\HanddsomeDan\Application Data\Mozilla\Firefox\Profiles\1v1xx4ts.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup


    ::Report End
    --------------------------------------------------------------------



    ----Hijackthis Scan:----



    --------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 9:35:22 AM, on 4/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\HanddsomeDan\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/rickianblaster/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/rickianblaster/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44EA2125-1CE3-413D-B66D-A37925141D43}: NameServer = 192.168.1.1
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    --------------------------------------------------------------------

    Is it clean now? Or are there more traces?
     
  3. JaPK

    Hi handsom, you're clean now =)
     
  4. handsom

    Thank you very much; that was a huge concern for me. I really appreciate the help.
     
  5. JaPK

    You're welcome =)
     
  6. handsom

    One more question: I leave my computer on overnight for a variety of reasons, and it quite often runs for 24+ hours. But it seems to have a crash that causes it to become unresponsive. Sometimes I'll come home or wake up and turn on the monitor to find it has restarted and is showing a 'non-system disk or disk error' message. Other times I'll notice incredibly sluggish responsiveness, and when I check the current processes, msmsgs.exe is taking 90%+ CPU... First off, I hate MSN Messenger in all forms, including the little default one that comes with Windows. Secondly, I am wondering if it could be replaced or altered with anything malicious, because that and ccapp.exe are always the first things having problems.

    Do you think this could be an issue? Do you know a way to get rid of msmsg.exe? I use office, but I would really like that messenger gone.

    Thanks again!
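The question above is whether a process called msmsgs.exe can be trusted. The first thing to check from a HijackThis log is whether every well-known Windows binary is running from the directory it is installed in, in the number of copies it should have, and whether anything carries a look-alike name. The script below is an added example, not code from this thread or from HijackThis: it reads the "Running processes" section of a log and reports those three kinds of mismatch. The EXPECTED_DIR table is this example's own assumption about a default Windows XP install; the sample lines are copied from the log posted above, except the last two process lines, which are constructed to show what a masquerading process looks like.

```python
"""Audit the "Running processes" section of a HijackThis log for system
binaries that run from the wrong directory, run too many times, or carry
a look-alike name.

Added example; it is not from this thread or from HijackThis. EXPECTED_DIR
is this example's own table for a default Windows XP install. In SAMPLE_LOG
the last two process lines are constructed; the rest is copied from the log
posted in the thread.
"""
import ntpath

# Directory a default Windows XP install runs these binaries from (assumption).
EXPECTED_DIR = {
    "smss.exe": r"C:\WINDOWS\System32",
    "winlogon.exe": r"C:\WINDOWS\System32",
    "services.exe": r"C:\WINDOWS\System32",
    "lsass.exe": r"C:\WINDOWS\System32",
    "svchost.exe": r"C:\WINDOWS\System32",
    "spoolsv.exe": r"C:\WINDOWS\System32",
    "rundll32.exe": r"C:\WINDOWS\System32",
    "msiexec.exe": r"C:\WINDOWS\System32",
    "explorer.exe": r"C:\WINDOWS",
    "msmsgs.exe": r"C:\Program Files\Messenger",
}
# Binaries XP runs exactly one copy of (svchost and rundll32 legitimately run many).
SINGLE_INSTANCE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "explorer.exe"}


def running_processes(log_lines):
    """Return the paths between 'Running processes:' and the next blank line."""
    paths, in_section = [], False
    for raw in log_lines:
        line = raw.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths


def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(longer) and j < len(shorter):
        if longer[i] == shorter[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True  # tolerate one extra character in the longer name
            i += 1
    return True


def audit(paths):
    """Return [(path_or_name, reason), ...] for processes that do not look right."""
    issues, seen = [], {}
    for path in paths:
        name = ntpath.basename(path).lower()
        seen[name] = seen.get(name, 0) + 1
        expected = EXPECTED_DIR.get(name)
        if expected is not None:
            # Known name: it must come from its known directory (case-insensitive).
            if ntpath.dirname(path).lower() != expected.lower():
                issues.append((path, f"{name} should run from {expected}"))
        else:
            # Unknown name: flag it if it is one typo away from a system binary.
            for known in EXPECTED_DIR:
                if one_edit_apart(name, known):
                    issues.append((path, f"name looks like {known}"))
                    break
    for name, count in seen.items():
        if name in SINGLE_INSTANCE and count > 1:
            issues.append((name, f"{count} copies running, expected 1"))
    return issues


# Copied from the log above; the last two process lines are constructed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\HanddsomeDan\Desktop\HijackThis.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\svch0st.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geocities.com/rickianblaster/
""".splitlines()

if __name__ == "__main__":
    for what, reason in audit(running_processes(SAMPLE_LOG)):
        print(f"{what:<50} {reason}")
```

Against the log in this thread the real msmsgs.exe passes: it runs from C:\Program Files\Messenger, which is where Windows Messenger is installed. The two constructed lines are what a problem would look like: a second lsass.exe outside System32 and a svch0st.exe with a digit zero. The one-edit check does not catch swapped letters (scvhost.exe), so treat it as a first pass; the decisive check is done on the machine, on the file itself, not on the log.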
     
  7. JaPK

    Last edited: May 2, 2006
  8. handsom

    Yes; msmsgs.exe, sorry for the confusion there. Thanks for the assist. CCapp.exe sound familiar to you?
     
  9. JaPK

    Ok good. CCapp.exe belongs to your Norton Antivirus. It is responsible for the auto-protect and email checking facilities.
     
  10. handsom

    That was really helpful, I really appreciate the link with so much info; it was very convenient having all of the info and the little 'what ifs' already answered. Thanks! There is still a bit of a problem though...

    I have msmsgs.exe listed in my processes still, which is causing me a growing concern. I did the registry trick for 4.5 or later to get it off, and it's still running.... I even went through the trouble of uninstalling Windows Messenger through Windows Components...... My fear here has been that I might be looking at a trojan disguised as msmsgs; and now that I've disabled and uninstalled it, yet still see it running, I am getting really concerned that I have a big problem here...

    Any suggestions?

    Edit: It seems to be gone now that I've done the reg clean with CCleaner. Thanks!
     
    Last edited: May 3, 2006
  11. JaPK

    You're welcome =)
     
  12. handsom

    Well; it seems to come back on restart. And I don't know why..... But it really shouldn't be.
     
  13. JaPK

  14. handsom

    Well, for some reason that link doesn't seem to work anymore.

    -I did the registry removal, by adding it specifically to NOT be run at startup.

    -I went through add/remove programs, clicked under windows components and actually uninstalled it.

    I ran CCleaner on my registry as well (that took a bit of a while, wow), so that element is all clean; HijackThis still has the same log as when I last posted it. So, having uninstalled Windows Messenger (msmsgs.exe), I am growing very concerned as to how it is still running, and how legitimate this process is...
     
  15. JaPK

    Hi handsom.

    Try this tool -> http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html

    Unzip it to your desktop.
    ->Run the file disablemessenger.exe
    ->Check the following options:

    Disable Windows Messenger Machine Wide
    Hide Messenger from Outlook Express
    Uninstall Windows Messenger

    ->Press Apply
    ->Press OK
    ->Restart your computer
    ->Check if msmsgs.exe is still running
    ->Tell me the results :)
     
  16. handsom

    Thanks; I will run that ASAP when I get home; does this sort of difficulty happen often?
     
  17. JaPK

    I wouldn't count this as a difficulty yet :)
    When you're ready, please let me know if it is gone now...
     
  18. handsom

    Thank God. It's finally gone. All is clean now; I went around and found instructions to disable Creative's stupid startup video; and now my computer is how it should be.

    That should be all I need, I really do wish to thank you a lot. You have been more helpful than you can imagine.
     
  19. JaPK

    That is nice to hear and you're welcome :)
     
