Hijackthis Log: Please Help Diagnose

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Hijackthis Log: Please Help Diagnose, HijackThis Log: Please help Diagnose

Options

eragoneragon View Member Profile	Mar 28 2007, 07:46 AM Post #1
Member Group: Members Posts: 15 Joined: 28-March 07 Member No.: 120,488	Hello can someone please help me HijackThis Log: Please help Diagnose ? Logfile of HijackThis v1.99.1 Scan saved at 10:33:29 PM, on 28/03/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\PROGRA~1\NORTON~2\NSR\Agent\VProSvc.exe C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\sm56hlpr.exe C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\NORTON~2\NSR\Agent\NSRTray.exe C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\ctfmon.exe C:\unzipped\hijackthis\HijackThis.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [NSRKey] C:\PROGRA~1\NORTON~2\NSR\Agent\NSRTray.exe O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [EPSON Stylus CX4700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE /P26 "EPSON Stylus CX4700 Series" /O6 "USB001" /M "Stylus CX4700" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [mm_server] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe" O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [SP2ConnPatcher] "C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe" -n=200 O4 - HKCU\..\Run: [warez] "G:\Otsa's File\Warez P2P Client\warez.exe" -h O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Privacy Guardian] C:\Program Files\Privacy Guardian\pg.exe /clean O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier\Norton Cleanup\WCQuick.lnk O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/ O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton Save and Restore - Symantec Corporation - C:\PROGRA~1\NORTON~2\NSR\Agent\VProSvc.exe O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

eragoneragon View Member Profile	Mar 28 2007, 07:53 AM Post #2
Member Group: Members Posts: 15 Joined: 28-March 07 Member No.: 120,488	I think I have a spyware problem

kairis View Member Profile	Mar 30 2007, 03:25 AM Post #3
Forum Regular Group: HJT Team Posts: 327 Joined: 18-June 06 From: Finland Member No.: 72,497	Hi and welcome. My name is Kairis and I will be helping you. Please follow my steps in the right order... We'll start with this: Let's run some cleaning and diagnostic scans: Download NoLop.exe to your desktop from: http://www.greyknight17.com/spy/NoLop.exe Close any other programs you have running as this will require a reboot. Double click NoLop.exe to run it. Now click the button labeled 'Search and Destroy'. When scanning is finished you will be prompted to reboot only if infected. Click OK. Now click the 'Reboot' button. A message should pop up from NoLop. If not, double click the program again and it will finish. Post the contents of C:\NoLop.log here. If you receive an error 'mscomctl.ocx or one of its dependencies are not correctly registered', then download the mscomctl.ocx file from http://www.boletrice.com/downloads/mscomctl.ocx to your system32 folder then rerun the NoLop. ¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨¨''¨ Please follow the instructions provided, you may want to print out these instructions and use them as a reference: AVG Anti-Spyware only works on Windows 2000 and Windows XP (32-Bit) First download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files. On the main screen select the icon "Update" then select the "Update now" link. * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" * Select "Automatically generate report after every scan" * Un-Select "Only if threats were found" Close AVG Anti-Spyware, Do Not run a scan yet! Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess: Lauch AVG Anti-Spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

eragoneragon View Member Profile	Mar 30 2007, 07:12 AM Post #4
Member Group: Members Posts: 15 Joined: 28-March 07 Member No.: 120,488	i run the Noloop, no infections was found I didn't get ask to reboot. there was no log. I'm still updating the avg spyware.

kairis View Member Profile	Apr 1 2007, 04:04 AM Post #5
Forum Regular Group: HJT Team Posts: 327 Joined: 18-June 06 From: Finland Member No.: 72,497	Hi. Are You still updating AVG?? Please send AVG report.

eragoneragon View Member Profile	Apr 3 2007, 06:05 AM Post #6
Member Group: Members Posts: 15 Joined: 28-March 07 Member No.: 120,488	I stopped trying to update AVG, because it took too long. so I used norten internet security 2007 instead, nothing no spyware was found. Can you please tell me what you discovered in my hijacklog? regards,

kairis View Member Profile	Apr 3 2007, 06:11 AM Post #7
Forum Regular Group: HJT Team Posts: 327 Joined: 18-June 06 From: Finland Member No.: 72,497	Please go to add/remove programs and uninstall NewdotNet. If you don't have that option or if you have difficulties then please follow the instructions on this site Otherwise your log is clean.

eragoneragon View Member Profile	Apr 14 2007, 01:24 AM Post #8
Member Group: Members Posts: 15 Joined: 28-March 07 Member No.: 120,488	is newdonet a spyware? i will uninstall it now, thank you , eragon

kairis View Member Profile	Apr 14 2007, 01:48 AM Post #9
Forum Regular Group: HJT Team Posts: 327 Joined: 18-June 06 From: Finland Member No.: 72,497	Hi. Yes please uninstall NewdotNet and send a fresh HijackThis log, thanks. Download LSPFix from here. You may not need it, but download it just incase you do. Go to Start > Settings > Control Panel > Add/Remove Programs. Look for and remove New.Net or NewDotNet. If it is not listed, then go here and follow the removal instructions in Procedure 4 at the bottom of the page. If you loose internet connection after removal run LSPFix, otherwise you may delete it. NewDotNet is adware: Adware, also known as advertising software, displays third-party advertising on the computer. The ads can take several forms, including pop-ups, pop-unders, banners, or links embedded within web pages or parts of the Windows interface. Some adware advertising might consists of text ads shown within the application itself or within side bars, search bars, and search results. Adware is often contextually or behaviorally based and tracks browsing habits in order to display ads that are meant to be relevant to the user.

kairis View Member Profile	Apr 23 2007, 02:12 AM Post #10
Forum Regular Group: HJT Team Posts: 327 Joined: 18-June 06 From: Finland Member No.: 72,497	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · HijackThis Logs and Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 7th September 2008 - 05:20 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides