hijackthis log analysis

sizk · May 20, 2005

hi,
i've just caught a spyware blocking my desktop background and displaying a windows error message instead.
here is the log i got from hijackthis, thx for your help:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\system32\rundll32.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
E:\WINNT\System32\HPZipm12.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\# PROGRAMS\# PROGRAMS\Setups\# UTILS\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [KAVPersonal50] E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] E:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = E:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINNT\web\related.htm
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B44176-C987-40AA-B09D-C9989DFC9FA3}: NameServer = 212.151.136.254 130.244.127.161
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - E:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Unknown - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

dansilva · May 20, 2005

these are the definate fix...

R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=

Check these for yourself...could be nasty....
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.f...teleir_cert.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B44176-C987-40AA-B09D-C9989DFC9FA3}: NameServer = 212.151.136.254 130.244.127.161

do another log, AFTER CLEANING (FIXING) and post it here...

sizk · May 20, 2005

i just have tried this, here is the new log. i reboot the comp and check your answer.
thx for your help

E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\System32\HPZipm12.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
I:\# PROGRAMS\# PROGRAMS\Setups\# UTILS\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] E:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [Kaspersky] C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\KAV Personal Pro\5.0\Save Kaspersky.bat
O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - E:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Unknown - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - E:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: KLBLMain - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

sizk · May 20, 2005

well, looks like it didn't fix it after all, there's still that error message and the background options of display properties are still locked out...

tnt27 · May 20, 2005

try www.hijackthis.de , it shows everything on ur logfile, really useful

Byteman · May 20, 2005

What message does it say on your desktop, and what color background do you have? (it's important).

sizk · May 20, 2005

thx tnt, good resource indeed.
byteman, the exact message is "windows error. system has detected spyware activity. some system functions are blocked out. windows recommends you to clean your pc with a spyware removal tool. this has te be done as soon as possible to prevent loss of data".

now, according to www.hijackthis.de the trojan seems to be O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s but i just can't get rid of it... anytime i fix it, it's just back on next scan. ad-aware & spybot apparently don't recognize it.
after i'd that problem i've done all windows updates, a bit late btw

Buzz1927 · May 20, 2005

Do the online scan atTrend Micro.
Then post a new log.

sizk · May 20, 2005

i've scanned only the system drive and trend micro's online AV's detected nothing...

tnt27 · May 20, 2005

hey sizk,

try any of these programs

a-squared
Microsoft Anti-Spyware
CWSshredder
Webroot Spysweeper (30 day trial)

go to http://www.spychecker.com/ to check for spyware programs

i personally also use Xoftspy, SpySubtract, Spyware Doctor and Scan Spyware in conjunction with the list and ad-aware and spybot (im paranoid

), but these must be registered.

Buzz1927 · May 20, 2005

If it's what I think it it is, I don't think those programs will work. Can't hurt to run them anyway, tho. Adaware SE is good as well.

Buzz1927 · May 20, 2005

Apparently Trojanhunter works on this. Download and run it, reboot and post a new log.

Byteman · May 20, 2005

sizk,
are you able to right-click on your desktop? also, i assume the options to change your background are grayed out? correct?...

Edit: i ask, because desktop hijacks aren't fixable via HJT, but there are fixes, so I need to know what things the hijack won't let you do. Most common are the rightclicking and backgrounds.

sizk · May 20, 2005

buzz, i'm just giving a try to trojanhunter, i let you know later

byteman, desktop is as described on 1st page of the thread and it's grayed out indeed. already had such hijacks but this one is kinda tough... none of avg, ad-aware, spybot and trend micro's online scan get a trace of it... let me know if you have any idea

Byteman · May 20, 2005

do you have any of the following installed: (look in Add/Remove programs)

Security IGuard
Virtual Maid
Search Maid

sizk · May 20, 2005

sizk · May 20, 2005

it seems trojan hunter didn't work neither on this one, even it found a few more trojans the others apps didn't... those 2 lines of the log are still quite bothering and they just can't be deleted permanently:
O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B44176-C987-40AA-B09D-C9989DFC9FA3}: NameServer = 212.151.136.246 130.244.127.169

however, here's the complete log:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\system32\rundll32.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
E:\WINNT\System32\HPZipm12.exe
E:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\# PROGRAMS\# PROGRAMS\Setups\# UTILS\hijackthis\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] E:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78B44176-C987-40AA-B09D-C9989DFC9FA3}: NameServer = 212.151.136.246 130.244.127.169
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: KLBLMain - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Buzz1927 · May 20, 2005

Is this log after a re-boot? If not, can you re-boot and post a new log.

sizk · May 20, 2005

it was after reboot

Buzz1927 · May 20, 2005

Boot into safe mode. Find and delete E:\WINNT\System\svchost.exe (in bold). Make sure it's in System and not System32. Find Windows\Temp, delete anything in the Temp folder (not the folder itself). Go start>run, type %temp%, delete anything found. Run Hijackthis and check
O4 - HKLM\..\Run: [WindowsUpdate] E:\WINNT\System\svchost.exe /s
Hit "Fix Checked".
Reboot and post another log.

hijackthis log analysis

New Member

New Member

New Member

New Member

New Member

Malware Destroyer

New Member

Digaredd

New Member

New Member

Digaredd

Digaredd

Malware Destroyer

New Member

Malware Destroyer

New Member

New Member

Digaredd

New Member

Digaredd