
Hijack Log (not-a-virus:risktoolwin32.hidewindows)


  • This topic is locked
2 replies to this topic

#1 Esplanade

Esplanade

  • Members
  • 1 posts
  • Local time:10:37 AM

Posted 28 June 2008 - 03:11 PM

Bad - Remove almost always
OK Most of the time - don't need to touch
Probably not needed - Safe to remove
Generally harmless - third party applications
Bad if you don't know what it is
Unknown Item - Investigate further
You can reference this log by going to: EDIT: removed link
Logfile of Trend Micro HijackThis v2.0.2
Old Version of HijackThis
We suggest you upgrade to the latest version of HijackThis (version 1.99.1) at www.merijn.org

Scan saved at 3:59:52 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
Smss.exe
What is it?
Session Manager SubSystem - smss.exe

What does it do?
smss.exe - This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Additional Reading:
Smss.exe does not resolve forward references in environment

You will not be able to end this through task manager!

More info


Virus Precaution:

The smss.exe which is from Microsoft is located at c:\windows\System32\smss.exe. We've been able to find several viruses that run as smss to trick you.

Adware.Advision - Symantec Corporation
Adware.DreamAd - Symantec Corporation
Backdoor.IRC.Aladinz.O - Symantec Corporation
Backdoor.IRC.Flood.F - Symantec Corporation
W32.Dalbug.Worm - Symantec Corporation
W32.Resdoc - Symantec Corporation

C:\WINDOWS\system32\winlogon.exe
Winlogon.exe
What is it?
Windows Logon Process - Winlogon.exe

What does it do?
Direct Quote from here:
This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

Search MS for more info: Link

Virus Precaution:
The original Winlogon.exe from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. We've been able to find only 1 report of a virus so far.

Troj/Madr-B @ Sophos
Netsky.D @ Trend Micro

C:\WINDOWS\system32\services.exe
services.exe
services.exe is a part of Windows that manages the processes. Anytime a service starts or stops it is through services.exe. During system startup and shutdown is when this process sees most of its action. You should never end this process unless it is running outside of your Windows system folder.

C:\WINDOWS\system32\lsass.exe
lsass.exe
What is it?
Local Security Authentication Server - lsass.exe

What does it do?
lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

You will not be able to end this through task manager!

From MS


The lsass.exe which is from Microsoft is located at c:\windows\System32\lsass.exe. There are a few viruses that have been found to run as lsass.exe to hide from you.

C:\WINDOWS\system32\svchost.exe
Svchost.exe

What is it?
Service Host Process - svchost.exe

What does it do?

Here's a direct quote from MS about this: (source)
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

If you're running Windows XP Home edition then you'll have to download this file HERE and put it in your windows/system32 directory. If you're running XP Pro then you won't need that file since you already have it.

1.) Start --> Run --> cmd
2.) Tasklist /svc >C:\ianaginfo.txt

Here's an example of what I got when I issued this command if you'd like to take a look at an example.

A Description of Svchost.exe in Windows XP:
http://support.microsoft.com/?kbid=314056

More Info
More Info

Virus Precaution:
The original file from Microsoft gets placed in the C:\WINDOWS\System32 directory. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses.

C:\WINDOWS\System32\svchost.exe
Svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
aswUpdSv.exe

What is it?

aswUpdSv.exe is an executable file that is included with the avast! anti virus program

What does it do?

aswUpdSv.exe handles automatic updates for the avast anti virus program.

Both the virus database and the program itself can be updated automatically. The updates are incremental, i.e. only the new or missing data are downloaded, thus reducing the transfer heavily. The typical size of a virus database update is tens of KB; the program update is usually hundreds of KB.

If your Internet connection is persistent, the updates are performed completely automatically in fixed time intervals. If you connect to the Internet only occasionally, avast! watches your connection and tries to perform the update when you are online.

More info:

http://www.avast.com/


C:\Program Files\Alwil Software\Avast4\ashServ.exe
ashServ.exe

What is it?

ashServ.exe is an executable file that is included with the avast! anti virus program

What does it do?

Both the virus database and the program itself can be updated automatically. The updates are incremental, i.e. only the new or missing data are downloaded, thus reducing the transfer heavily. The typical size of a virus database update is tens of KB; the program update is usually hundreds of KB.

If your Internet connection is persistent, the updates are performed completely automatically in fixed time intervals. If you connect to the Internet only occasionally, avast! watches your connection and tries to perform the update when you are online.

More info:

http://www.avast.com/

C:\WINDOWS\Explorer.EXE
explorer.exe

What is it?
Windows Explorer - explorer.exe

What does it do?
explorer.exe - Below is a direct quote from Microsoft found on THIS page:

This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

I have found that stopping this process is needed sometimes to stop some other processes.

More Info
More Info

Virus Precaution:
The original file from Microsoft gets placed at C:\WINDOWS\System32\explorer.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. There's only one unique virus found through this search. All of the results are the various names of this single virus.

Deloder-A @ Sophos
MyDoom.B @ Symantec

C:\WINDOWS\system32\spoolsv.exe
Spoolsv.exe
What is it?
SPOOLer SerVice - spoolsv.exe

What does it do?
spoolsv.exe - The spooler service is responsible for managing spooled print/fax jobs

You will be able to end this through task manager!

More info


Virus Precaution:
The spoolsv.exe which is from Microsoft is located at c:\windows\System32\spoolsv.exe. We've been able to find several viruses that run as spoolsv to trick you.

Backdoor.Ciadoor.B - Symantec Corporation
Hacktool.Privshell - Symantec Corporation
VBS.Masscal.Worm (vbs) - Symantec Corporation
Graybird-A @ Sophos

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
ashMaiSv.exe

What is it?

ashMaiSv.exe is an executable file that is included with the avast! anti virus program

What does it do?

Both the virus database and the program itself can be updated automatically. The updates are incremental, i.e. only the new or missing data are downloaded, thus reducing the transfer heavily. The typical size of a virus database update is tens of KB; the program update is usually hundreds of KB.

If your Internet connection is persistent, the updates are performed completely automatically in fixed time intervals. If you connect to the Internet only occasionally, avast! watches your connection and tries to perform the update when you are online.

More info:

http://www.avast.com/

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
ashwebsv.exe

What is it?

ashwebsv.exe is a file associated with Avast antivirus software.

What does it do?

Both the virus database and the program itself can be updated automatically. The updates are incremental, i.e. only the new or missing data are downloaded, thus reducing the transfer heavily.

More info:

Read more about avast antivirus software

@ avast.com

C:\WINDOWS\system32\hkcmd.exe
hkcmd.exe

What is it?
Intel's HotKey Command - hkcmd.exe

What does hkcmd.exe do?
Not much data has been found on this. It seems like every manufacturer has their own hotkey programming application and this is the one brought to you by Intel.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of hkcmd.exe is C:\WINDOWS\System32\hkcmd.exe

At this time no viruses were found running as this process. You will want to check since new bugs come through daily.


C:\WINDOWS\system32\igfxpers.exe
igfxpers.exe
igfxpers.exe - This is related to the Common User Interface module from Intel.

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ashDisp.exe

What is it?

ashDisp.exe is an executable file that is included with the avast! anti virus program

What does it do?

Both the virus database and the program itself can be updated automatically. The updates are incremental, i.e. only the new or missing data are downloaded, thus reducing the transfer heavily. The typical size of a virus database update is tens of KB; the program update is usually hundreds of KB.

If your Internet connection is persistent, the updates are performed completely automatically in fixed time intervals. If you connect to the Internet only occasionally, avast! watches your connection and tries to perform the update when you are online.

More info:

http://www.avast.com/

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
jusched.exe

What is it?
Java Update Scheduler - jusched.exe

What does it do?
jusched.exe - This is Sun's Java automatic update utility. If you would like to disable this scheduler then go to your Control Panel and click on the Java module. Then go to the Updates tab and uncheck "Check for updates automatically".

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of jusched.exe is C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe. Obviously j2re1.4.2_04 is the version number. At this time my search shows nothing that you need to worry about.

C:\WINDOWS\system32\wscntfy.exe
wscntfy.exe
What is It?
Windows Security Center Notification - wscntfy.exe

What does it do?
wscntfy.exe - This is a part of Windows XP SP2. This is a little notification that will sit in your taskbar and continue to nag you about various security settings like your firewall, automatic updates and virus protection.

If you'd like to get rid of this process you'll want to go into your Control Panel and then into the Security Center. Once in there, look along the left bar where you'll see quite a bit of text. At the bottom of this list you'll see where it says "Change the way Security Center alerts me". Click on this. Uncheck all three of these settings.

[Image: alert.png]

Virus Precaution:
The original wscntfy.exe from Microsoft gets placed at C:\WINDOWS\System32\wscntfy.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. At this time I have not found ANY viruses that run themselves using this filename. All of the results currently affect this file in some way, but do not actually run as this filename.

C:\Program Files\Messenger\msmsgs.exe
msmsgs.exe

What is it?
Windows Messenger AKA MSN Messenger - msmsgs.exe

What does it do?
msmsgs.exe - This is Microsoft's version of AIM or ICQ. Just like Internet Explorer, they've been forcing it upon people for years by installing it on your system by default. They hope that you will use their IM/chat app instead of downloading and installing a separate one. Below is a way to stop it from automatically starting up.

If you don't use Windows Messenger, you can disable it as follows: Start -> Programs -> Windows Messenger -> Tools -> Options -> Preferences. Uncheck "Run this program when Windows starts".

To fully remove the app you'll need to modify a windows file:

X:\Windows\inf\sysoc.inf (replace X with your Windows drive)

Open it and look for:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf, hide ,7

Change that to this:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

Now under add/remove --> Windows Components you'll have the option to remove this ;)

More Info
More Info

Virus Precaution:
The original file from Microsoft gets placed at C:\Program Files\Messenger\msmsgs.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses. At this time I have not found ANY viruses that run themselves using this filename. All of the results currently affect this file in some way, but do not actually run as this filename.

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
TeaTimer.exe
TeaTimer.exe is Spybot Search and Destroy's resident protection, which prevents unauthorized system changes. More information can be found here.

Quote:

The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options, how to deal with this process in the future: You can set TeaTimer to:

* be informed, when the process tries to start again
* automatically kill the process
* or generally allow the process to run

There is also an option to delete the file associated with this process.

In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change.

As TeaTimer is always running in the background, it takes some resources of about 5 MB.


C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe

What is it?
Mozilla Firefox - firefox.exe

What does it do?
firefox.exe - This is Mozilla Firefox, my personal favorite browser. It is the slimmed-down, browser-only project based upon Mozilla code.

Virus Precautions:
You'll want to keep an eye on this google search for any known viruses. The normal location of this file is C:\Program Files\Mozilla Firefox\firefox.exe


C:\WINDOWS\system32\wuauclt.exe
wuauclt.exe

What is it?
Windows Update Automatic Client - wuauclt.exe

What does it do?
wuauclt.exe - This is used by the automatic update tool in Windows ME to check the Windows Update site every so often to see if any updates need to be installed.

More Info
More Info

Virus Precaution:
The original wuauclt.exe from Microsoft gets placed at C:\WINDOWS\System32\wuauclt.exe. If you find it anywhere else then you should be suspicious for sure.

You'll want to keep an eye on this google search for any known viruses.


Backdoor.Clt @ Symantec Corporation
Troj/Cult-B @ Sophos

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
jucheck.exe
jucheck.exe - This is produced by Sun; it checks for Java updates.

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SUPERAntiSpyware.exe
We Don't know! Please post a comment with information about this file

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
HijackThis.exe
This is our favorite application for fighting against malware and other trashy application that bog systems down. Our guide to using this software can be found here. We have also taken the time to write a system to process the log files created from this application here.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk/ie
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.sympatico.ca/
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk/ie
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lavasoft.de/help/aw/evhelp/0.htm
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
Internet Start Page
This is where you go when you first open IE. Should be something like google.com or iamnotageek.com. If there's a site you don't know here, clean this line!

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
Unnamed BHO
SnagItBHO.dll - SnagIt http://www.techsmith.com/products/snagit/default.asp

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
AcroIEhelper.ocx AcroIEhelper.dll - Adobe Acrobat reader http://www.adobe.com/products/acrobat/readstep2.html

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
SDhelper.dll - SpyBot Search&Destroy http://www.safer-networking.org/index.php

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Unnamed BHO
ssv.dll - Related to Sun_Java_software http://java.com/en/download/index.jsp

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
igfxtray
"Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Avast!
"Avast! anti-virus software"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
SunJavaUpdateSched
"Checks with Sun's Java updates site to see if newer Java versions are available. Visit http://java.sun.com or just run the Java Plug-In Control Panel"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
QuickTime Task
System Tray access to Apple's "Quick Time" viewer from version 5 onwards

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKLM\..\RunOnce: [avp6_post_install] msiexec.exe /i"c:\kav\kav7\kav.en.msi"
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
MSMSGS
"Windows Messenger utility. If you don't use Windows Messenger

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
SpybotSD TeaTimer
"TeaTimer is a new tool of Spybot S&D - spam filter which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SUPERAntiSpyware
"""SUPERAntiSpyware is the most thorough scanner on the market. Our Multi-Dimensional Scanning and Process Interrogation Technology will detect spyware that other products miss! SUPERAntiSpyware will remove ALL the Spyware

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] cmd.exe /c md "%SystemRoot%\System32\dllcache" (User 'LOCAL SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'LOCAL SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'LOCAL SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Internet Right Click Menu
Most of the time this is garbage; leave it only if you actually use this function. Otherwise, for the sake of cleanliness, get rid of this sucker. A wise man once said cleanliness is next to godliness.

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Sun Java Console
Related to Sun Java

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
Sun Java Console
Related to Sun Java

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
Research
Microsoft Office related

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Unknown Item
Sorry. We are not sure what this item is. If you would like, you can click on it to request additional information about it.

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
@xpsp3res.dll-20001
Related to Network Diagnostics for Windows XP, which is available to help identify and fix network connection problems. Note: the file is located under %windir%\Network Diagnostic.

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
@xpsp3res.dll-20001
Related to Network Diagnostics for Windows XP, which is available to help identify and fix network connection problems. Note: the file is located under %windir%\Network Diagnostic.

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Windows Messenger
Related to Microsoft's Windows Messenger.

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Windows Messenger
Related to Microsoft's Windows Messenger.

O15 - Trusted Zone: www.myspace.com
Trusted Zone
Do you really trust this site? If you don't really trust this site make sure you have HJT fix this line

O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1C263C-6B28-4D53-B362-B1D44901C4C7}: NameServer = 207.164.234.193 207.164.234.129
Internet Settings
These may not be bad if your internet connection is set manually

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
Extra Protocols
There are a few known hijackers that use this, but I haven't found anything good come out of these.

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
AppInit_DLLs Registry value autorun
Very few known *good* purposes of this. Norton Cleansweep being the headliner of good items
Loads a .dll into memory when a user logs in. Frequently used by VERY bad hijackers.

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
avast! iAVS4 Control Service
Related to Avast AntiVirus

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
avast! Antivirus
Related to Avast AntiVirus

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
avast! Mail Scanner
Related to Avast AntiVirus

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
avast! Web Scanner
Related to ALWIL Software http://www.avast.com/

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
InstallDriver Table Manager
Related to Macrovision Corporation.

Thank you for your help!

Edited by harrythook, 23 July 2008 - 04:41 AM.
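The analyzer text above repeats one rule for every core Windows binary in the log: the genuine file lives in C:\WINDOWS\System32, and the same file name running from anywhere else deserves a second look. As an added example (not part of the original post, and not code from HijackThis or its log analyzer), the script below parses a HijackThis-style log, applies that rule to the running-process list, and pulls the O15 and O17 entries out for manual review. The sample log is constructed: its legitimate lines are taken from the post, and the two impostor entries (an smss.exe in C:\WINDOWS and an svchost.exe in a Temp folder) are invented for the example. Function names and the expected-directory table are the example's own assumptions.

```python
"""Apply the "runs only from System32" rule to a HijackThis log.

Illustration code, not part of the original post or of HijackThis itself.
The sample log mixes real lines from the post with two constructed impostors.
"""
import re
from typing import Dict, List, Tuple

# Names the post's "Virus Precaution" notes tie to %SystemRoot%\System32.
SYSTEM32_ONLY = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "wscntfy.exe", "wuauclt.exe",
}
EXPECTED_DIR = {name: r"c:\windows\system32" for name in SYSTEM32_ONLY}
# The log itself shows the shell at C:\WINDOWS\Explorer.EXE, so explorer.exe
# gets %SystemRoot% rather than System32 as its expected directory.
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

PROCESS_LINE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
ENTRY_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def parse_hjt(log: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a HijackThis log into running-process paths and Rn/On entries."""
    processes: List[str] = []
    entries: Dict[str, List[str]] = {}
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            section = "procs"
            continue
        m = ENTRY_LINE.match(line)
        if m:
            section = "entries"
            entries.setdefault(m.group(1), []).append(m.group(2))
            continue
        if section == "procs" and PROCESS_LINE.match(line):
            processes.append(line)
    return processes, entries


def check_process_paths(processes: List[str]) -> List[Tuple[str, str, str]]:
    """Return (filename, path, verdict) for each process with a watched name.

    Comparison is case-insensitive because the log shows both "System32"
    and "system32" for the same folder.
    """
    findings = []
    for path in processes:
        directory, _, name = path.lower().rpartition("\\")
        expected = EXPECTED_DIR.get(name)
        if expected is None:
            continue  # not a name the post says to watch
        verdict = "ok" if directory == expected else "SUSPICIOUS: not in " + expected
        findings.append((name, path, verdict))
    return findings


def nameservers(entries: Dict[str, List[str]]) -> List[str]:
    """Collect the DNS servers from O17 lines; the post says to check these by hand."""
    servers: List[str] = []
    for entry in entries.get("O17", []):
        m = re.search(r"NameServer\s*=\s*(.+)$", entry)
        if m:
            servers.extend(m.group(1).split())
    return servers


# Constructed sample: real lines from the post plus two invented impostors.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\smss.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: www.myspace.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC1C263C-6B28-4D53-B362-B1D44901C4C7}: NameServer = 207.164.234.193 207.164.234.129
"""

if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    for name, path, verdict in check_process_paths(procs):
        print(f"{verdict:40} {path}")
    print("Trusted zones:", ents.get("O15", []))
    print("Name servers :", nameservers(ents))
```

Run against the sample, the two invented entries are the only ones flagged; the post's own process list comes back clean. The check is deliberately narrow: it only catches a malicious file borrowing a system name from the wrong folder, which is the one pattern the post's "Virus Precaution" notes describe, and says nothing about a legitimate binary that has been replaced in place.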



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:37 AM

Posted 26 July 2008 - 09:06 PM

Hello Esplanade,

Welcome to Bleeping Computer :)

Sorry about the delay.:thumbsup:

Please read this and then post when you're done. :) http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:37 AM

Posted 08 August 2008 - 01:24 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



