Log File

  • This topic is locked
2 replies to this topic

#1 Aberfocation


  • Members
  • 69 posts
  • Location:Singapore
  • Local time:03:08 AM

Posted 11 November 2006 - 04:39 AM

Logfile of HijackThis v1.99.1
Scan saved at 5:30:53 PM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Automation
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/229?a3bf571f63634ed691dc8a02ec621ec3
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-sg\msntabres.dll.mui/230?a3bf571f63634ed691dc8a02ec621ec3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158294394421
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

This is instructed.
Original problem link - Internet explorer
Computer Nubie =X



#2 DaveM59


    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA
  • Local time:01:08 PM

Posted 14 November 2006 - 09:36 PM

Hi Aberfocation,

I don't see any signs of malware in your HJT log. :thumbsup:

However, I see a line

O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe (file missing)

This could be a mistake by HJT; it sometimes reports files missing when they are not, but I don't see avp.exe or any other antivirus in your list of running processes. It is very important to have a real-time antivirus program installed and running on your computer. I see that you have run some online scans, but this is no substitute for a real-time scanner.

If you have disabled or uninstalled the AOL Antivirus, please either reactivate and update it, or else download one of these free programs:

AVG Free is available at this site.

Avast Home Edition is available here.

Avira AntiVir can be downloaded here.

I personally use AVG Free, but all these programs have good reputations. If you don't like one, you can try another. Please consult the help files or online support for information on installing, updating, and using the program. Remember to set your antivirus program's Auto Update feature to keep your protection current.

Just to be sure there is no malware on your computer, we need to do some more checking. First do a full system scan with your antivirus program (whichever you picked). Save the log.

Next, install AVG Antispyware. Open your browser and go to This page. Read the information regarding the paid and free versions of the program, then at the bottom of the page click the orange box labeled Download Now. Save the AVG-AS setup file to your desktop. Close your browser.

Double click the AVGAS setup icon. Unless you need to change the language first, click OK, then Next.

On the License agreement screen click I Agree. Then accept the default installation folder by clicking Next.

Finally, click Install. The program will then copy files and register itself; when it tells you it is installed, click Finish.

AVG-AS 7.5 will open. On the Status screen you will see a line Last Update ! Never. On that line click Update Now.

After the program updates, you may want to change the Auto Updates options. The default is to check for updates every 60 minutes, which you may feel is excessive. Note that after the 30 day trial period, Auto Updates is disabled unless you pay for the program.

Now click the Scanner icon at the top of the window. Click the Settings tab. When that screen opens select the radio button Automatically produce a report after every scan. Uncheck the box Only if threats were found.

On the same screen, under "How to Act", click on Recommended Actions. Select Quarantine.

Leave the other settings on that screen at their defaults.

Close the program. This will save the settings changes. Do not run a scan yet.
Now, Boot into Safe Mode.

If you don't know how to do this, here are two ways:

F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen, use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Bootsafe utility

If the F8 method does not work, you can download this program: Bootsafe.exe. Download the .exe file (not the zip file) directly to your desktop; it requires no installation. To use it, double click the program icon, then select the radio button Safe Mode - Minimal and click on the Reboot button.

In Safe Mode, scan with AVG AntiSpyware:

Double click the AVG-AS 7.5 icon on your desktop to start the program.

Click the Scan tab. When the screen opens, select Complete System Scan. This action will take some time.

When the scan is finished, scroll through the list. Except for cookies, which should be set to Delete, every item should be set to Quarantine. If this is not the case, change it.

Now click Apply All Actions. Then click Save Report. On the screen that opens, click Save Report As, and in the Report save as... window navigate to and select your Desktop. You may want to rename the report file to something such as AVGAS_scan01.txt that will make it easier to recognize.

Close the program.
Now, Reboot back into normal mode:

If you used the F8 method, Windows should automatically reboot into normal mode when you restart it. If you used Bootsafe, open the program and select the Normal Mode radio button, then click Reboot.

Next, we need to run a rootkit scan.

Please download Blacklight Beta here. You can read the information on the download page for an idea of what it will do. Download it to your desktop and double click to open. Accept the agreement, then on the next screen click the Scan button. When the scan is finished, click Next. If anything was found, let Blacklight clean it. Then exit the program. You will find a log file on your desktop, named fsbl-xxxxxxxxxxxxx.log. The x's are numbers, the first four being the current year. This is a text file and can be opened with Notepad.

Finally, run a fresh HijackThis scan and save that log.

Post the antivirus, AVG Antispyware, Blacklight, and HJT logs to a reply here. Also let me know why your AOL antivirus was not running, or if you don't know why, let me know that. If you had any trouble performing these steps, tell me about that as well.

Good luck --
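
The cross-check made in the reply above (an O23 service flagged "(file missing)" whose executable is also absent from the running-process list), as an added example that is not part of the original post or of HijackThis. The log excerpt is copied from post #1; the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the HijackThis log from post #1 (a few lines only).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O23 lines: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?\s*$")

def running_processes(log):
    """Return lower-cased image names listed under 'Running processes:'."""
    names, in_block = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # a blank line ends the process list
        elif in_block:
            names.add(PureWindowsPath(line).name.lower())
    return names

def triage_services(log):
    """Record, per O23 service, the two signals the reply relies on."""
    procs, findings = running_processes(log), []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        image = PureWindowsPath(m["path"]).name.lower()
        findings.append({"service": m["name"], "image": image,
                         "file_missing": bool(m["missing"]),
                         "running": image in procs})
    return findings

def needs_follow_up(log):
    """Services marked 'file missing' whose image is also not running.
    Both signals together justify asking the user; neither is proof alone."""
    return [f["service"] for f in triage_services(log)
            if f["file_missing"] and not f["running"]]
```
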


#3 DaveM59


Posted 21 November 2006 - 01:03 PM

Due to lack of feedback, this topic is closed.

If you need it re-opened, please PM me and include the url in your request.

This applies to the original poster. Everyone else please start a new topic.
