
HijackThis log


7 replies to this topic

#1 compulan

  • Members
  • 13 posts

Posted 10 February 2005 - 04:06 PM

I have removed the download.agent.as and my antivirus (AVG) protected my computer. The browser is having trouble going to several sites, mainly windowsupdate. I have attached the HiJackThis log. I still have trouble with any type of search from the browser or local disk. Any help would be of great help, as I would like not to have to reinstall win_xp. I have run spyware S&D and spybot with no help.

Ron

Logfile of HijackThis v1.99.0
Scan saved at 9:50:10 AM, on 2/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horizonsurvey.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O1 - Hosts: 169.254.106.180 HP1055 # dESIGNjET 1055CM Plotter
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF7006F4-399E-468F-9FA8-9BCE0933CD78}: NameServer = 192.168.1.1,151.164.11.201
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NsEngine - Unknown - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#2 SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts

Posted 10 February 2005 - 04:35 PM

Hello, compulan and Welcome! :thumbsup:
Sorry you're having malware trouble.

Please close ALL open windows AND browsers and open HijackThis, click on “Do a system scan only” and put checks next to all the following, then click "Fix Checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - Startup: PowerReg SchedulerV2.exe


This is not malware, but an unneeded resource hog; it is safe to delete in HJT.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

NOTE: Unless you or an administrator set this entry, check this in HJT also:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Programs such as Spybot-S&D and others may have set this also)

Please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.
C:\WINDOWS\satmat.exe <----Delete this file.
C:\WINDOWS\farmmext.exe <----Delete this file.

Now open HijackThis, click on "Do a system scan and save a logfile", copy and paste the entire contents of the logfile here for review.

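As an added example (not part of this thread and not HijackThis code), a small Python triage script that applies the same kind of checks SirJon made to this log: it parses HJT-style lines and flags blanked IE search values, Run entries whose target sits directly in the Windows folder, Startup-folder items and IE policy restrictions. The heuristics are this example's own assumptions, not HijackThis rules, and the sample lines are copied from the first log posted above.

```python
import re

# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horizonsurvey.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: PowerReg SchedulerV2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# IE registry values a search hijacker typically blanks out (the R0/R1 lines
# the helper told the poster to fix). Heuristic chosen for this example.
SEARCH_VALUES = ("Search Bar", "SearchAssistant", "CustomizeSearch", "SearchURL")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# An .exe sitting directly in C:\WINDOWS (no subfolder): legitimate autostarts
# almost always live in System32 or under Program Files. Heuristic, not a rule.
WINDIR_EXE_RE = re.compile(r"^\"?[A-Za-z]:\\WINDOWS\\[^\\\s\"]+\.exe\b", re.IGNORECASE)

def triage(log_text):
    """Return (line, reason) pairs for HJT entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("R0 - ", "R1 - ")) and line.endswith("= about:blank"):
            if any(v in line for v in SEARCH_VALUES):
                findings.append((line, "IE search setting blanked (search hijack residue)"))
        elif (m := RUN_RE.match(line)):
            if WINDIR_EXE_RE.match(m.group("cmd")):
                findings.append((line, "Run entry launches an .exe directly in the Windows folder"))
        elif line.startswith("O4 - Startup: "):
            findings.append((line, "per-user Startup folder item; confirm it was installed on purpose"))
        elif line.startswith("O6 - ") and line.endswith(" present"):
            findings.append((line, "IE restriction policy set; expected only if an admin or tool set it"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample it reports the two C:\WINDOWS executables, the blanked search values, the Startup item and the O6 policy, and leaves the NVIDIA, AVG and Start Page lines alone.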
#3 compulan

  • Topic Starter

  • Members
  • 13 posts

Posted 11 February 2005 - 06:07 PM

Thanks for the response. I will delete the suggested files and remove the suggested reg. items. I am out of town but will post a new HijackThis log on Monday.

Ron

#4 SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts

Posted 11 February 2005 - 09:31 PM

Ok, we'll be here. :thumbsup:

#5 compulan

  • Topic Starter

  • Members
  • 13 posts

Posted 15 February 2005 - 07:01 AM

The attached HiJackThis log is after making the corrections. I am still having trouble with any secure web sites. The login for my web email will not connect. I get a blank screen and the connection is never made. Thanks for all the help.

Logfile of HijackThis v1.99.0
Scan saved at 8:54:21 AM, on 2/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.horizonsurvey.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 169.254.106.180 HP1055 # dESIGNjET 1055CM Plotter
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF7006F4-399E-468F-9FA8-9BCE0933CD78}: NameServer = 192.168.1.1,151.164.11.201
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NsEngine - Unknown - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Ron

#6 SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts

Posted 15 February 2005 - 01:05 PM

You’ll have to disable your SpySubtract before using HJT to delete entries. You can right-click on the SpySubtract icon in the lower RH taskbar and select ‘close’ or ‘shutdown’ or reboot the PC into Safe Mode and use HJT from there.

After shutting down SpySubtract in Windows or rebooting into Safe Mode, close ALL open windows AND browsers and open HijackThis, click on “Do a system scan only” and put checks next to all the following, then click "Fix Checked".

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Open IE6 and go to Tools > Internet Options > Advanced > Security and make sure that Use SSL 2.0, SSL 3.0 and TLS 1.0 are all checked. Next, look under Browsing and uncheck "Enable 3rd party browser extensions", then reboot the PC and try those sites again.

#7 compulan

  • Topic Starter

  • Members
  • 13 posts

Posted 16 February 2005 - 04:14 PM

The last fix resolved the problem. Thanks for all your help.

Ron

#8 SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts

Posted 16 February 2005 - 04:40 PM

You're Welcome! :thumbsup:
Glad to see you got your PC back.

************************************************************
A few friendly :flowers: tips to tighten security:

1.) Keep your AVG Antivirus and your anti-spyware utilities up to date daily and run a hard drive scan with them once a week.

2.) STOP using Internet Explorer. Malware has gotten smarter these days and has the ability to change your IE security settings behind your back. Download and install Mozilla Firefox here. Firefox weathers the storm of spyware better than IE because it is not integrated into Windows and does not support ActiveX.

3.) Download and install the free ZoneAlarm firewall here. For proper configuration click here. This program acts as a security gate and can help prevent the penetration of malware onto your system and prevent malware already present on your system from phoning home. A good 3rd party firewall always works better than the default Windows XP Service Pack 2 firewall.

4.) Always make sure you have the latest Windows critical updates installed on your PC. Go to the Start menu, and click on 'Windows Update', it will take you to the Microsoft Windows Update site. If there are new critical updates to install, download them immediately. Once the installation process has completed, reboot your computer.

5.) Are you wondering how you got infected in the first place? For information click here.

Glad I could help you Ron, Good Luck.

Edited by SirJon, 16 February 2005 - 04:42 PM.




