#11
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
There were probably others with the same date, and on the reboot they re-seeded the infection. Please boot to normal mode and run about:buster again, delete the prefetch files, reboot normal and post another log and we'll go from there.
__________________
Don't byte off more than you can chew...

#13
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
Oops, you're on Windows 2000; no prefetch exists (it's a Win XP thing).
__________________
Don't byte off more than you can chew...
Last edited by Byteman; 04-21-2005 at 11:30 PM.

#14
New Member
Join Date: Apr 2005
Posts: 8
Byteman
I reran CWShredder and about:buster. One of the 2 picked up a coolweb homepage. I had trouble deleting this but I persisted and it finally removed it. I think it was CWShredder. The other (about:buster) removed another 8 items. I rebooted and for the first time about:blank didn't come back as my home page. Is it a little premature to think that it is really gone?

#15
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
Hard to tell just yet. The about:blank hijack is a CoolWebSearch variation that has new variants itself from time to time, so it's hard to be 100% sure until you can surf without the symptoms for a few days.
However, since it appears to be killed at the moment, run about:buster one more time since you got 8 items the last time (be sure to let it kill explorer when it asks you), reboot, do a HJT log and post it, so we can be sure.
__________________
Don't byte off more than you can chew...

#16
New Member
Join Date: Apr 2005
Posts: 8
I ran about:buster and got nothing. This is my new copy of HijackThis. This is different from the one I ran last night. Last night the ones beginning with R1 ended with bellsouth. Now they end in google, and when I opened my homepage this morning it went to google and not my homepage.
Logfile of HijackThis v1.99.1
Scan saved at 4:50:49 AM, on 4/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\ncsvc.exe
C:\Program Files\Nortel Networks\Remote Access Manager\NNDService.exe
C:\Program Files\Nortel Networks\Remote Access Manager\RAMSettings.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\THINKPAD\TP98.EXE
C:\THINKPAD\tphkmgr.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\THINKPAD\tponscr.exe
C:\Program Files\Visual Networks\Visual IP InSight\Nortel\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Nortel\IPMon32.exe
C:\Program Files\BellSouth\Connection Tool\IPClient.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\BellSouth\Connection Tool\IPMon32.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TP98UTIL] C:\THINKPAD\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\THINKPAD\tphkmgr.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [RAMConnectionChecker] "C:\Program Files\Nortel Networks\Remote Access Manager\RAMConnChecker.exe" -m
O4 - HKLM\..\Run: [RAMGINAConnWatch] "C:\Program Files\Nortel Networks\Remote Access Manager\RAMConnWatcher.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Nortel\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Nortel\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\BellSouth\Connection Tool\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\BellSouth\Connection Tool\IPMon32.exe"
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://connect2.prudential.com/dana...terisSetup.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: CVCBrokerService - Unknown owner - C:\Program Files\Nortel Networks\Remote Access Manager\CVCBrokerService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Virtual Com Port Service (neoNcSvc) - Unknown owner - C:\WINNT\system32\ncsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: NNDService - Unknown owner - C:\Program Files\Nortel Networks\Remote Access Manager\NNDService.exe
O23 - Service: RAMSettings - Unknown owner - C:\Program Files\Nortel Networks\Remote Access Manager\RAMSettings.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#17
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
From what I see your log looks clean.
Try resetting your IE settings, reboot and see if your homepage is MSN. To reset IE to the default settings (MSN): Start/Control Panel/Internet Options/Programs tab, click "Reset Web Settings". On the Advanced tab, click "Restore Defaults", click OK and reboot. Your homepage should be the default MSN page; let me know if not. If it is, then you can set your homepage to whatever you like, and you're all done with the infestation.
__________________
Don't byte off more than you can chew...
Last edited by Byteman; 04-22-2005 at 02:05 PM.
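
The check a helper is doing by eye when reading a log like the one above, as an added example that is not from the forum or from HijackThis itself: it parses HijackThis-style entries, maps the R0/R1 start and search pages to their hosts, and flags any page outside an allowlist (about:blank included) plus O23 services whose binary is missing. The sample log lines are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99 line format (one entry per line).
# The about:blank start page and the "(file missing)" service are included on
# purpose so the checks below have something to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Every entry starts with a section code (R0, R1, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

def parse_entries(text):
    """Return (code, body) tuples for the lines that are HijackThis entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def browser_page_hosts(entries):
    """Map each R0/R1 'registry value = URL' entry to the URL's host.
    Non-URL values (about:blank, a local file) are kept verbatim, lower-cased."""
    hosts = {}
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            netloc = urlparse(value.strip()).netloc
            hosts[key] = (netloc or value.strip()).lower()
    return hosts

def flag_entries(entries, allowed_hosts):
    """Flag start/search pages outside the allowlist and O23 services with no binary."""
    findings = []
    for key, host in browser_page_hosts(entries).items():
        if host not in allowed_hosts:
            findings.append(f"{key} points at {host!r}")
    for code, body in entries:
        if code == "O23" and "(file missing)" in body:
            findings.append(f"{body.split(' - ')[0]} has no binary on disk")
    return findings
```

Run `flag_entries(parse_entries(SAMPLE_LOG), {"www.google.com"})` to get the two findings; a real log is pasted in place of SAMPLE_LOG, and a flagged page is a reason to re-check, not proof of infection on its own.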

#18
New Member
Join Date: Apr 2005
Posts: 8
Byteman
I'm at work now. When I get home I will do just that. I can't thank you enough. I think what finally did it is when the Coolweb home page got removed. I can't remember which tool removed it. I think it was HSRemove. Also, I had forgotten to upgrade the tools I was using. I upgraded them yesterday also and I think this helped. Again for now many thanks Byteman.

#19
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
I don't think I mentioned the HSRemove tool, but it's a good thing you used it. about:blank and HomeSearch are VERY close and use much of the same stuff/techniques. You may have had both?... Good work!
And yes, if you don't update or use updated tools, you're most likely wasting time. The malware comes out with variants all the time and the tools are constantly updated to combat them.
__________________
Don't byte off more than you can chew...
Last edited by Byteman; 04-22-2005 at 03:44 PM.

#20
VIP Member
Join Date: Sep 2004
Location: Toronto
Age: 19
Posts: 1,309
Can someone please tell me what to delete:
Logfile of HijackThis v1.99.1
Scan saved at 15:59:02, on 12/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Peter Baraian\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1115487353202
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
__________________
Asus K8V-SE Deluxe AMD 64 3400+ 2.56 Ghz Cosair 1.5 GB PC-3200 400Mhz Enermax 535W/SLI-Ready/12V @38A 250GB Western Digital HD 8mb cache IDE 320GB Western Digital My Book Premium External HD Sony DVD+RW/+R Double Layer burner drive Logitech MX5000 Bluetooth Combo ATI X850XT 256MB ;) Diablotek Samurai ATX Case 3DMark03 PC Exposure : www.pcexposure.com