
Hijackthis Log



#1 webster72n


  • Members
  • 7 posts

Posted 24 November 2005 - 02:21 PM

Hello everyone:

I arrived here through the recommendation of Siljaline.
When my firewall displayed the following:
"C:\WINDOWS\WinSecurity\csrss.exe",
I was lured into believing this to be a legitimate program and allowed it.
As I found out, this was a bad mistake.
Using System Restore and then flushing it, I was able to rectify the situation,
but in order to be sure, I would like to submit my HijackThis log for examination.
All the usual safety scans have been performed, i.e. Adaware, Spybot, SpywareBlaster,
McAfee, CWShredder and the Stinger.
The OS is WinME.
Log attached.
Thank you.

Edited by webster72n, 24 November 2005 - 06:13 PM.


#2 webster72n

  • Topic Starter

  • Members
  • 7 posts

Posted 25 November 2005 - 12:27 PM

Just curious: Is it likely that someone will reply?

Thanks.

#3 Grinler


    Lawrence Abrams


  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 26 November 2005 - 01:58 AM

You are using an outdated version of hijackthis.

Please download the newer version from the following link:

HijackThis Download Site

Once it is downloaded, extract the zip file to c:\hjt and navigate to the c:\hjt folder. Now double-click on hijackthis.exe and when the window opens, put a checkmark in the box at the bottom that states Don't show this frame again when I start HijackThis.

Then click on the button labeled None of the above, just start the program. You will now be presented with the main HJT screen.

Press the Scan button and then when it is done, the Save Log button. Save this log in c:\hjt, and then copy and paste the contents of the notepad it opens as a reply to this post.

#4 webster72n

  • Topic Starter

  • Members
  • 7 posts

Posted 26 November 2005 - 12:11 PM

I'm on my way Grinler, thank you.

webster72n.

#5 webster72n

  • Topic Starter

  • Members
  • 7 posts

Posted 26 November 2005 - 12:41 PM

I seem to have a problem getting the log here, Grinler.
The *Undo, Cut, Copy, Paste & Delete* buttons in notepad are all grayed out, meaning they are unusable. Why would that be?

webster72n.

#6 webster72n

  • Topic Starter

  • Members
  • 7 posts

Posted 26 November 2005 - 12:55 PM

I finally managed, here it is:


Logfile of HijackThis v1.99.1
Scan saved at 12:43:33 PM, on 11/26/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
D:\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CTHELPER.EXE
C:\PROGRAM FILES\AOPEN\MOUSE\AMOUMAIN.EXE
D:\PROGRAM FILES\DIRECTCD.EXE
D:\AVAST4\ASHWEBSV.EXE
D:\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\3DLDEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\BACK2ZIP\BACK2ZIP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\PROGRAMS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - D:\PROGRAMS\POPTHIS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOPEN\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] d:\PROGRA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [avast! Web Scanner] D:\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] D:\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [3DLabsHelperDemon] 3dldemon.exe nowakeup
O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SmcService] D:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [avast!] D:\Avast4\ashServ.exe
O4 - Startup: Refresh.lnk = D:\Program Files\REFRESH.EXE
O4 - Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: domex! - {2AE3F289-A78E-45C1-88C7-214B834A85A3} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: domex! - {2AE3F289-A78E-45C1-88C7-214B834A85A3} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - D:\PROGRAMS\POPTHIS.DLL
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - D:\PROGRAMS\POPTHIS.DLL
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

#7 Grinler


    Lawrence Abrams


  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 26 November 2005 - 04:28 PM

What you originally had was the new sober mass-mailing worm that has become an epidemic lately.

It does not look like you have this worm though on your computer. I would fix this one line though with hijackthis by scanning your machine with it, and then putting a checkmark next to this entry and pressing fix.

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
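Two things in this thread are worth turning into a repeatable check: the original post's firewall prompt for a csrss.exe running from C:\WINDOWS\WinSecurity (a core Windows binary name in a directory it never lives in), and Grinler's advice to fix the O16 - DPF entry that downloads from errornuker.com while leaving the Microsoft and Trend Micro entries alone. The script below is an added example written for this page; it is not HijackThis code and not something either poster wrote. It parses HijackThis-style log text and flags both patterns. The expected-directory list, the trusted-host allowlist, and the sample log (assembled from lines in this thread, with the csrss.exe path from the first post added) are assumptions for the example.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the thread).

Checks:
  1. a running process whose file name matches a core Windows binary but
     which runs from a directory outside the expected Windows directories;
  2. an O16 - DPF (ActiveX download) entry whose host is not on the allowlist.
"""
import re
from urllib.parse import urlparse

# Core binary names and the directories they legitimately run from.
# Both sets are assumptions for this example, not an authoritative list.
CORE_BINARIES = {"csrss.exe", "kernel32.dll", "explorer.exe", "rpcss.exe", "msgsrv32.exe"}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}

# Hosts treated as trusted for O16 entries (assumed allowlist for the example).
TRUSTED_O16_HOSTS = {"go.microsoft.com", "housecall60.trendmicro.com"}

# Constructed sample: lines taken from the log in this thread plus the
# csrss.exe path the firewall reported in the first post.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\WinSecurity\\csrss.exe
D:\\AVAST4\\ASHSERV.EXE

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

# O16 line: CLSID, optional "(name)", then the download URL.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\})(?: \(([^)]*)\))? - (\S+)$", re.IGNORECASE)


def parse_log(text):
    """Split log text into (running process paths, HJT entry lines)."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False  # blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif re.match(r"^[OR]\d+ - ", line):
            entries.append(line)
    return processes, entries


def masquerading_processes(processes):
    """Paths whose file name is a core binary but whose directory is not expected."""
    flagged = []
    for path in processes:
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE_BINARIES and directory not in EXPECTED_DIRS:
            flagged.append(path)
    return flagged


def untrusted_o16_entries(entries):
    """O16 - DPF entries whose download host is not on the allowlist."""
    flagged = []
    for entry in entries:
        m = O16_RE.match(entry)
        if not m:
            continue
        clsid, name, url = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_O16_HOSTS:
            flagged.append({"clsid": clsid, "name": name or "(no name)", "host": host, "url": url})
    return flagged


def triage(text):
    """Run both checks over one log and return the findings."""
    processes, entries = parse_log(text)
    return {
        "masquerading_processes": masquerading_processes(processes),
        "untrusted_o16": untrusted_o16_entries(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for p in result["masquerading_processes"]:
        print(f"[process] core binary name outside expected directory: {p}")
    for e in result["untrusted_o16"]:
        print(f"[O16] {e['clsid']} {e['name']} downloads from untrusted host {e['host']}")
```

Running it on the sample flags the WinSecurity csrss.exe and the errornuker.com O16 entry and nothing else, which is the same two calls made in the thread. The allowlist approach is deliberate: an O16 entry is only as trustworthy as the host it fetches code from, so anything not explicitly recognised is surfaced for a human to review rather than silently accepted.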

#8 webster72n

  • Topic Starter

  • Members
  • 7 posts

Posted 26 November 2005 - 05:14 PM

I shall do just that, Grinler.
My 'instincts' pointed in that direction, but I didn't want to go ahead
without expert approval.
Thank you very much.

webster72n.

#9 Grinler


    Lawrence Abrams


  • Admin
  • 43,542 posts
  • Gender:Male
  • Location:USA

Posted 26 November 2005 - 07:51 PM

You're very welcome. Below are some prevention steps. You can skip the System Restore one if you wish.

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

#10 webster72n

  • Topic Starter

  • Members
  • 7 posts

Posted 27 November 2005 - 08:05 PM

Grinler:

That is really nice of you, to supply this valuable information.
I am not a novice in the pc-world and your recommended steps are or have been taken care of. I just happened to be a tiny bit careless and promptly paid the price. It was a wake-up-call.
Thank you so much for your assistance and the offer for additional help.
I shall bear it in mind.

webster72n.



