
Hijackthis - Scvshost.exe


  • This topic is locked
51 replies to this topic

#1 anjo03

anjo03

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 06 November 2007 - 11:16 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:21 PM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [scApp] C:\WINDOWS\system32\wmiprvse.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [PolicyRun] C:\WINDOWS\svchost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 3769 bytes

Think anyone can help?.

and please tell me other problems in my computer


 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:11 PM

Posted 06 November 2007 - 04:14 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, anjo03 :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

*Note*
Copy and paste all reports/logs directly into this topic, thanks.

#3 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 07 November 2007 - 04:13 AM

Sir sorry for my correction but I do have an anti-virus.
ZoneAlarm internet suite.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:11 PM

Posted 07 November 2007 - 04:44 AM

Sir sorry for my correction but I do have an anti-virus.
ZoneAlarm internet suite.

Ok then, please carry on with the rest of the instructions starting at SDFix.

#5 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 07 November 2007 - 07:41 AM

including ComboFix?.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:11 PM

Posted 07 November 2007 - 07:44 AM

Yes if you will please :thumbsup:

#7 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 07 November 2007 - 07:55 AM

ok

#8 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 07 November 2007 - 08:27 AM

sir may i ask if it is safe to?.

#9 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 07 November 2007 - 08:53 AM

SDFix!

SDFix: Version 1.113

Run by user on Wed 11/07/2007 at 09:38 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TEST3.EXE - Deleted
C:\WINDOWS\hinhem.scr  - Deleted
C:\WINDOWS\system32\blastclnnn.exe  - Deleted
C:\WINDOWS\system32\scvhsot.exe  - Deleted
C:\WINDOWS\system32\SCVHSOT.exe  - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found. 

C:\WINDOWS\system32
No streams found. 

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


								 Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:43:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  scApp = C:\WINDOWS\system32\wmiprvse.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 23 Aug 2001		14,848 ..SHR --- "C:\ntde1ect.com"
Thu 23 Aug 2001		14,848 ..SHR --- "C:\WINDOWS\system32\avpo.exe"
Wed 17 Oct 2007		33,068 ..SHR --- "C:\WINDOWS\system32\avpo1.dll"
Tue  3 Aug 2004		87,684 A.SH. --- "C:\WINDOWS\system32\wmiprvse.exe"
Tue  3 Aug 2004		87,684 A.SH. --- "C:\WINDOWS\system32\mgrShell.exe"
Thu 14 Oct 2004	 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed  4 Aug 2004		60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu  2 Aug 2007		 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

Combo Fix

ComboFix 07-11-07.3 - user 2007-11-07 21:32:18.2 - FAT32 x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.214 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system\_sv_CMD_
C:\WINDOWS\system\_sv_CMD_\_U_.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\setting.ini
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2007-10-07 to 2007-11-07  )))))))))))))))))))))))))))))))
.

2007-11-07 20:46	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-06 23:22	<DIR>	d--------	C:\Program Files\Trend Micro
2007-11-06 23:21	<DIR>	d--------	C:\TDDownload
2007-11-06 21:25	0	--a------	C:\WINDOWS\system32\test3.exe
2007-11-06 21:21	197,120	-rahs----	C:\WINDOWS\system32\SCVHSOT.exe
2007-11-06 21:21	197,120	-rahs----	C:\WINDOWS\system32\blastclnnn.exe
2007-11-06 21:21	197,120	-rahs----	C:\WINDOWS\hinhem.scr
2007-11-03 15:34	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\pdf995
2007-11-03 15:34	249,856	--a------	C:\WINDOWS\system32\pdfmona.dll
2007-11-03 15:34	51,716	--a------	C:\WINDOWS\system32\pdf995mon.dll
2007-10-24 19:14	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-10-23 13:47	<DIR>	d--------	C:\Documents and Settings\user\ChikkaDefault
2007-10-23 13:46	<DIR>	d--------	C:\Program Files\Chikka Messenger
2007-10-21 18:45	0	--a------	C:\WINDOWS\PowerReg.dat
2007-10-20 22:02	<DIR>	d--------	C:\Documents and Settings\user\keel
2007-10-20 21:59	<DIR>	d--------	C:\Documents and Settings\user\oni
2007-10-17 19:02	14,848	-r-hs----	C:\ntde1ect.com
2007-10-17 19:01	33,068	-r-hs----	C:\WINDOWS\system32\avpo1.dll
2007-10-17 19:01	14,848	-r-hs----	C:\WINDOWS\system32\avpo.exe
2007-10-17 13:05	<DIR>	d--------	C:\WINDOWS\RF Online
2007-10-14 21:51	<DIR>	d--------	C:\Program Files\Ocean Technology
2007-10-14 21:51	53,248	--a------	C:\WINDOWS\system32\ImageOle.dll
2007-10-14 21:50	<DIR>	d--------	C:\Documents and Settings\user\Application Data\InstallShield
2007-10-07 02:11	<DIR>	d--------	C:\Program Files\MSXML 4.0

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-05 12:05	65,536	----a-w	C:\WINDOWS\IFinst27.exe
2007-10-23 16:00	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-22 11:26	---------	d-----w	C:\Program Files\Macromedia
2007-09-22 11:26	---------	d-----w	C:\Program Files\Common Files\Macromedia
2007-09-20 09:35	---------	d-----w	C:\Program Files\LimeWire
2007-09-09 17:55	294	--sh--w	C:\Documents and Settings\LocalService\PCTeamRulez.bat
2007-09-09 17:55	293	--sh--w	C:\Documents and Settings\NetworkService\PCTeamRulez.bat
2007-09-09 17:55	293	--sh--w	C:\Documents and Settings\Default User\PCTeamRulez.bat
2007-08-22 13:12	96,256	----a-w	C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12	658,944	----a-w	C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12	615,424	----a-w	C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12	55,808	----a-w	C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12	532,480	----a-w	C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12	474,112	----a-w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12	449,024	----a-w	C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12	39,424	----a-w	C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12	357,888	----a-w	C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12	3,058,176	----a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12	251,392	----a-w	C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12	205,312	----a-w	C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12	16,384	----a-w	C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12	151,040	----a-w	C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12	146,432	----a-w	C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12	1,494,528	----a-w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12	1,054,208	----a-w	C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12	1,022,976	----a-w	C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30	18,432	----a-w	C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-03 05:24	400	----a-w	C:\Documents and Settings\user\score.dat
2001-08-23 04:00:00	14,848	--sh--r	C:\WINDOWS\system32\avpo.exe
2004-08-03 14:56:50	87,684	--sha-w	C:\WINDOWS\system32\wmiprvse.exe
2004-08-03 14:56:50	87,684	--sha-w	C:\WINDOWS\system32\mgrShell.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-16 15:35]
"NvMediaCenter"="NvMCTray.dll" [2006-08-16 15:35 C:\WINDOWS\system32\nvmctray.dll]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scApp"="C:\WINDOWS\system32\wmiprvse.exe" [2004-08-03 22:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00PCTFW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avpa]
C:\WINDOWS\system32\avpo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChikkaDefault]
C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\\ChikkaLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messengger]
C:\WINDOWS\system32\SCVHSOT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PCToolsFirewallPlus"=2 (0x2)
"ray"=2 (0x2)

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
S3 projectx1;projectx1;\??\D:\Project X\FelipeZe.sys
S4 ray;ray;C:\WINDOWS\systen.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 13:22:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:33:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  scApp = C:\WINDOWS\system32\wmiprvse.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-07 21:34:04
.
	--- E O F ---

HJT SCAN!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:51 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [scApp] C:\WINDOWS\system32\wmiprvse.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupgames.ph/keycrypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 3568 bytes

Here It Is. Am I Infected?... :thumbsup:
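
What the files removed in the logs above have in common is a Windows system binary name in the wrong folder (C:\WINDOWS\svchost.exe, C:\WINDOWS\system\svchost.exe) or a scrambled spelling of one (scvhsot.exe). The following is an added example, not part of the original thread or of any tool used in it: a Python check that pulls paths out of such log text and flags both patterns. The expected-directory table assumes a default Windows XP install in C:\WINDOWS, the function names are hypothetical, and the sample lines are copied from the logs in this topic.

```python
"""Flag system-binary masquerading in HijackThis / SDFix / ComboFix log text."""
import ntpath
import re

# Assumption of this example: default Windows XP layout with Windows in C:\WINDOWS.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A drive-letter path ending in an executable extension, as it appears in the logs.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:exe|scr|com|dll)\b', re.IGNORECASE)

# Sample input: lines taken from the logs posted in this topic.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Policies\Explorer\Run: [PolicyRun] C:\WINDOWS\svchost.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\scvhsot.exe  - Deleted
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap neighbours."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path):
    """Return a reason string if the path looks like masquerading, else None."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        # Right name: only the directory can give it away.
        return None if folder == EXPECTED_DIR[name] else "wrong-directory"
    stem = name.rpartition(".")[0]
    for known in EXPECTED_DIR:
        known_stem = known.rpartition(".")[0]
        # Same letters in another order, or exactly one edit away.
        # A wider edit radius would flag iexplore.exe (2 edits from explorer).
        same_letters = sorted(stem) == sorted(known_stem)
        if same_letters or osa_distance(stem, known_stem) == 1:
            return "look-alike:" + known
    return None


def scan(log_text):
    """Return [(path, reason)] for each distinct suspicious path, in log order."""
    findings, seen = [], set()
    for match in PATH_RE.finditer(log_text):
        path = match.group(0)
        key = path.lower()
        if key in seen:
            continue
        seen.add(key)
        reason = classify(path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LOG):
        print(f"{reason:24} {path}")
```

A hit is a lead for review rather than a verdict: the table covers only a handful of binaries and one install layout, so paths it does not know pass silently.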

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:11 PM

Posted 07 November 2007 - 11:13 AM

You have a Backdoor Trojan present on your pc.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then fair enough, but there's no way I can guarantee your pc will be 100% safe once we've finished.
Let me know how you wish to proceed.

#11 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 08 November 2007 - 05:12 AM

SIR THIS COMPUTER IS JUST FOR GAMES AND PROJECTS FOR SCHOOL.
SO THERE IS NO CONFIDENTIAL ACCOUNTS.


I WISH TO PROCEED WITH THE CLEANING FOR MY PC.
AND I WISH TO KNOW WHAT ARE THE SUSPICIOUS THREATS SO THAT MAY AVOID THEM.

I GREATLY APPRECIATE YOUR HELP.

SO LETS GET ON WITH IT SHALL WE?.

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:11 PM

Posted 08 November 2007 - 07:12 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\ntde1ect.com
C:\WINDOWS\hinhem.scr
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\test3.exe
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\avpo1.dll
C:\WINDOWS\system32\avpo.exe
C:\WINDOWS\system32\mgrShell.exe
C:\WINDOWS\system32\ImageOle.dll
C:\WINDOWS\Tasks\At1.job
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00PCTFW]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avpa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messengger]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scApp"=-
Driver::
ray

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#13 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 08 November 2007 - 07:34 AM

ComboFix 07-11-07.3 - user 2007-11-07 21:32:18.2 - FAT32 x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.214 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\svchost.exe
C:\WINDOWS\system\_sv_CMD_
C:\WINDOWS\system\_sv_CMD_\_U_.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\setting.ini
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2007-10-07 to 2007-11-07  )))))))))))))))))))))))))))))))
.

2007-11-07 20:46	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-06 23:22	<DIR>	d--------	C:\Program Files\Trend Micro
2007-11-06 23:21	<DIR>	d--------	C:\TDDownload
2007-11-06 21:25	0	--a------	C:\WINDOWS\system32\test3.exe
2007-11-06 21:21	197,120	-rahs----	C:\WINDOWS\system32\SCVHSOT.exe
2007-11-06 21:21	197,120	-rahs----	C:\WINDOWS\system32\blastclnnn.exe
2007-11-06 21:21	197,120	-rahs----	C:\WINDOWS\hinhem.scr
2007-11-03 15:34	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\pdf995
2007-11-03 15:34	249,856	--a------	C:\WINDOWS\system32\pdfmona.dll
2007-11-03 15:34	51,716	--a------	C:\WINDOWS\system32\pdf995mon.dll
2007-10-24 19:14	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-10-23 13:47	<DIR>	d--------	C:\Documents and Settings\user\ChikkaDefault
2007-10-23 13:46	<DIR>	d--------	C:\Program Files\Chikka Messenger
2007-10-21 18:45	0	--a------	C:\WINDOWS\PowerReg.dat
2007-10-20 22:02	<DIR>	d--------	C:\Documents and Settings\user\keel
2007-10-20 21:59	<DIR>	d--------	C:\Documents and Settings\user\oni
2007-10-17 19:02	14,848	-r-hs----	C:\ntde1ect.com
2007-10-17 19:01	33,068	-r-hs----	C:\WINDOWS\system32\avpo1.dll
2007-10-17 19:01	14,848	-r-hs----	C:\WINDOWS\system32\avpo.exe
2007-10-17 13:05	<DIR>	d--------	C:\WINDOWS\RF Online
2007-10-14 21:51	<DIR>	d--------	C:\Program Files\Ocean Technology
2007-10-14 21:51	53,248	--a------	C:\WINDOWS\system32\ImageOle.dll
2007-10-14 21:50	<DIR>	d--------	C:\Documents and Settings\user\Application Data\InstallShield
2007-10-07 02:11	<DIR>	d--------	C:\Program Files\MSXML 4.0

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 10:53	32	--sha-w	C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-05 12:05	65,536	----a-w	C:\WINDOWS\IFinst27.exe
2007-10-23 16:00	25,280	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-22 11:26	---------	d-----w	C:\Program Files\Macromedia
2007-09-22 11:26	---------	d-----w	C:\Program Files\Common Files\Macromedia
2007-09-20 09:35	---------	d-----w	C:\Program Files\LimeWire
2007-09-09 17:55	294	--sh--w	C:\Documents and Settings\LocalService\PCTeamRulez.bat
2007-09-09 17:55	293	--sh--w	C:\Documents and Settings\NetworkService\PCTeamRulez.bat
2007-09-09 17:55	293	--sh--w	C:\Documents and Settings\Default User\PCTeamRulez.bat
2007-08-22 13:12	96,256	----a-w	C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12	658,944	----a-w	C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12	615,424	----a-w	C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12	55,808	----a-w	C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12	532,480	----a-w	C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12	474,112	----a-w	C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12	449,024	----a-w	C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12	39,424	----a-w	C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12	357,888	----a-w	C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12	3,058,176	----a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12	251,392	----a-w	C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12	205,312	----a-w	C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12	16,384	----a-w	C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12	151,040	----a-w	C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12	146,432	----a-w	C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12	1,494,528	----a-w	C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12	1,054,208	----a-w	C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12	1,022,976	----a-w	C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30	18,432	----a-w	C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-03 05:24	400	----a-w	C:\Documents and Settings\user\score.dat
2001-08-23 04:00:00	14,848	--sh--r	C:\WINDOWS\system32\avpo.exe
2004-08-03 14:56:50	87,684	--sha-w	C:\WINDOWS\system32\wmiprvse.exe
2004-08-03 14:56:50	87,684	--sha-w	C:\WINDOWS\system32\mgrShell.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-16 15:35]
"NvMediaCenter"="NvMCTray.dll" [2006-08-16 15:35 C:\WINDOWS\system32\nvmctray.dll]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"scApp"="C:\WINDOWS\system32\wmiprvse.exe" [2004-08-03 22:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00PCTFW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avpa]
C:\WINDOWS\system32\avpo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChikkaDefault]
C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\\ChikkaLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messengger]
C:\WINDOWS\system32\SCVHSOT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PCToolsFirewallPlus"=2 (0x2)
"ray"=2 (0x2)

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
S3 projectx1;projectx1;\??\D:\Project X\FelipeZe.sys
S4 ray;ray;C:\WINDOWS\systen.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 13:22:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:33:36
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  scApp = C:\WINDOWS\system32\wmiprvse.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-11-07 21:34:04
.
	--- E O F ---

HERE.
SIR CAN YOU TELL ME WHAT ARE THE THREATENING FILES IN MY COMPUTER?

#14 RichieUK

    Malware Assassin


  • Malware Response Team

Posted 08 November 2007 - 07:46 AM

SIR CAN YOU TELL ME WHAT ARE THE THREATENING FILES IN MY COMPUTER?

I'll let you know later, getting back to what we're doing.

You've posted the same Combofix.txt as you posted earlier on in this topic.

Please do the following, let's remove Combofix, and start again.
Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

Note:
Please stop posting questions with the Caps Lock activated.

#15 anjo03
  • Topic Starter

  • Members

Posted 08 November 2007 - 07:55 AM

Sir, there's an error.
It says Windows cannot find ComboFix/u. Make sure you typed it correctly, and so on and so forth.



