« previous next »
Pages: [1]

Author Topic: HijackThis Logfile  (Read 2077 times)

Guest

  • Guest
HijackThis Logfile
« on: December 04, 2004, 09:18:14 AM »
I would very much appreciate help in the following matter. Below is the most recent HijackThis log. I would assume that I got to delete all O15's as well as O18, so that's what I did, but they would just keep coming back everytime I re-scan. I tried to delete httpfilter.dll in the WINDOWS folder, but it wouldn't let me. Please let me know what I'd need to do. Thanks a lot!


Logfile of HijackThis v1.98.2
Scan saved at 15:05:11, on 04.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Programme\my-playlist\my-playlist.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programme\WinPortrait\floater.exe
C:\Programme\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D67AC55A-B750-41A4-BEE6-020E017A7996} (IEPlugIn Class) - http://install.cokemusic.de/client/pc/MY-P...LLER_loader.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
HijackThis Logfile
« Reply #1 on: December 04, 2004, 01:09:17 PM »
Let's try something to rid you of those entries

If you don't have this installed already,
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version
If you don't have this verision, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Allow to download updates

Don't run a scan yet

===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Name the file as RemoveTrusted.reg
Important>>Change the Save as Type to All Files.
Save this file on the desktop

Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains][-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

Do another scan with Hijackthis and put a check next to these entries

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

I would suggest that you fix the next one with Hijackthis too, not needed on startup
Typically related to Kazaa
P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.
You should uninstall it thru Add/Remove programs afterwards
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

After you have ticked the above entries, close out all open windows, including this one,
Leave Hijackthis open and click the FIX CHECKED
YES and exit hijackthis

Double click on RemoveTrusted.reg
Allow it to merge to the Registry

RESTART your computer

When your back in Windows
Open Ad-aware---Click the GEAR at the top
# Click on the General button on the left hand side.

   1. Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Automatically save logfile
         2. Automatically quarantine objects prior to removal
         3. Safe Mode (always request confirmation)

# Next click on the Advanced button on the left hand side.

   1. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Include additional object information
         2. Include negligible objects information
         3. Include environment information
         4. Include Alternate data stream details in log file

# Next click on the Tweak button on the left hand side.

   1. Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Include basic Ad-Aware settings in logfile
         2. Include additional Ad-Aware settings in logfile

   2. Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Unload recognized processes & modules during scan
         2. Scan registry for all users instead of current user only

   3.
      Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

         1. Always try to unload modules before deletion
         2. During removal, unload Explorer and IE if necessary
         3. Let Windows remove files in use at next reboot

Once these settings have been completed, you should click on the Proceed button

Make sure you change the scan mode to Perform full system scan. Then uncheck the Search for negligible risk entries.

Step 5: Start the Actual Scan---You should close out all browser windows before starting

Now click on the Next button to have Ad-Aware SE start scanning your system. Ad-Aware SE will start scanning your system for Spyware and Hijackers

When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process

Back in Windows
Download ServiceFilter

This reveals potential unauthorised running services in your system. Download, unzip and double-click ServiceFilter.vbs >>Allow this to run, it's only collecting information. This script will create a text file named Post_This.txt in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Could you also post back a fresh Hijackthis log
We should be able to deal with that 018 then

Could you also let me know what this entry is related too
O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
HijackThis Logfile
« Reply #2 on: December 05, 2004, 09:43:00 AM »
Thanks for all your great help, guestolo. I followed all of your instructions and will post the content of the POST_THIS.txt file below (just in case you don't know, "Falsch" means "False" and "Wahr" means "True"). Here you go now, and right below that output by ServiceFilter, I'll provide you with more information...


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dez 5, 2004 15:38:35


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AClient
Display Name: Altiris Client-Dienst
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\compaq\aclient\aclient.exe -service
State: Running
Process ID: 1004
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 2
Service Name: AntiVirService
Display Name: AntiVir Service
Start Mode: Auto
Start Name: LocalSystem
Description: Permanenter Virenschutz mit der H+BEDV AntiVir ...
Service Type: Own Process
Path: "c:\programme\avpersonal\avguard.exe"
State: Running
Process ID: 1052
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: AVWUpSrv
Display Name: AntiVir Update
Start Mode: Auto
Start Name: LocalSystem
Description: Hilfsdienst fuer AntiVir Personal ...
Service Type: Own Process
Path: "c:\programme\avpersonal\avwupsrv.exe"
State: Running
Process ID: 1068
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 4
Service Name: CPQALERT
Display Name: Compaq Local Alerter
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\compaq\compaq management agents\cpqalert.exe
State: Running
Process ID: 1088
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 5
Service Name: CpqDfwWebAgent
Display Name: Compaq Remote Diagnostics Enabling Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\cpqdiag\cpqdfwag.exe
State: Running
Process ID: 1188
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 6
Service Name: cpqdmi
Display Name: cpqdmi
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqdmi.exe
State: Running
Process ID: 1780
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 7
Service Name: cpqWebDmi
Display Name: Compaq DMI Web Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe
State: Running
Process ID: 1208
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #8
Service Name: iPodService
Display Name: iPod Service
Start Mode: Manual
Start Name: LocalSystem
Description: iPod hardware management ...
Service Type: Own Process
Path: c:\programme\ipod\bin\ipodservice.exe
State: Running
Process ID: 2140
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 9
Service Name: ISEXEng
Display Name: ISEXEng
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\angelex.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #10
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Manages local and remote debugging for Visual Studio ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 1344
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 11
Service Name: NMSSvc
Display Name: Intel® NMS
Start Mode: Auto
Start Name: LocalSystem
Description: Intel® NIC Management ...
Service Type: Own Process
Path: c:\windows\system32\nmssvc.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 12
Service Name: scagent
Display Name: Security Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\windows\system32\scagent.exe" start
State: Running
Process ID: 1372
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #13
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{6a63995b-ff59-45be-ac97-3ba6f31078ff}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 14
Service Name: WIN32SL
Display Name: Win32Sl
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\compaq\compaq management agents\dmi\win32\bin\win32sl.exe
State: Running
Process ID: 300
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

---> End Service Listing <---

There are 87 Win32 services on this machine.
14 were unrecognized.

Script Execution Time: 0,8125 seconds.



guestolo, you asked me what the following entry stands for:

O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart

This entry is directly linked to the following entry:

O16 - DPF: {D67AC55A-B750-41A4-BEE6-020E017A7996} (IEPlugIn Class) - http://install.cokemusic.de/client/pc/MY-P...LLER_loader.exe

Both entries refer to a free promotional program by Coke Music. For a few months, one could download songs from their Web site by entering codes found on Coke bottles. So, I downloaded a few songs that way, but I could basically get rid of the software, because I could easily extract the tracks. Shall I go ahead and do that, i.e. does a program like that cause potential problems or slow down the system and/or the booting process? Please let me know.



And here is a fresh HijackThis log resulting from the most recent scan I just ran... Please tell me what'd be the next thing to do here and how to get rid of O18, for example. Thanks a lot!


Logfile of HijackThis v1.98.2
Scan saved at 15:48:40, on 05.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\my-playlist\my-playlist.exe
C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programme\WinPortrait\floater.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE.exe
C:\Programme\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D67AC55A-B750-41A4-BEE6-020E017A7996} (IEPlugIn Class) - http://install.cokemusic.de/client/pc/MY-P...LLER_loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9E56139-FF61-49A8-872C-FDD6C6BFAA6C}: NameServer = 213.191.74.18 213.191.92.87
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
HijackThis Logfile
« Reply #3 on: December 05, 2004, 12:49:27 PM »
You have a new nastie on your computer, did you run Ad-Aware?
If you didn't please download it.

Let's get you clean....
If you didn't download Ad-Aware, download it now and Check for Updates but don't run it yet
It's a free program---Hold onto it and check for updates every couple of weeks and run a Smart System Scan, it's faster than the Full System Scan

Next:
Download and UNZIP to desktop delete_scagent
A little script by Mosaic1 that removes the Security Agent service from your system.
Don't run this yet

Download and UNZIP to desktop 018 Clean-up.zip

You may want to print the rest of this out. Or save this too a notepad file on the desktop
Important
Close out ALL browser windows and Disconnect from the Internet, stay disconnected until we are done

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Security Agent

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
OK out of it

===Do another Scan with Hijackthis and put a check next to these entries

O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe

O16 - DPF: {D67AC55A-B750-41A4-BEE6-020E017A7996} (IEPlugIn Class) - http://install.cokemusic.de/client/pc/MY-P...LLER_loader.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

After you have ticked the above entries, close down All other open windows
Leave Hijackthis open and Click FIX CHECKED
YES and exit Hijackthis

==Double click on delete_scagent.vbs on the desktop (Allow this to run if prompted from your AV). You should get a message box saying Stopped Already and then another one saying Done.

==Double click on 018 Clean-up.reg and Allow it to merge to the registry

Restart your computer into SAFE MODE
You can do this by tapping the F8 key on your keyboard continuously when the System is starting up

Set Windows to Show Hidden Files and Folders
* Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete these files or folders if they exist

C:\WINDOWS\system32\scagent.exe <--file
C:\WINDOWS\httpfilter.dll <--file

C:\Programme\Gemeinsame Dateien\GMT <--folder

Stay in safe mode and Do a Full System Scan with Ad-Aware
Remove All Critical objects when the scan is complete

Restart back into Normal mode

Run Service Filter again and make sure that this service is removed
Quote
Unknown Service # 12
Service Name: scagent
Display Name: Security Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: "c:\windows\system32\scagent.exe" start
State: Running
Process ID: 1372
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

After you have done the above, please download and install this free program
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
This doesn't run in the background, just run it once and enable All protection
Check for updates every couple of weeks and enable all protection after every update

Post back a Fresh Hijackthis log afterwards and let me know if your problems are gone

Concerning MyPlaylist
If there is a program to remove, you should uninstall it now if you don't want or need it.....
Restart your computer and find and delete this folder if it still exists
C:\Programme\my-playlist <--folder
« Last Edit: December 05, 2004, 12:58:24 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
HijackThis Logfile
« Reply #4 on: December 05, 2004, 02:05:53 PM »
Thanks, guestolo, your help is very much appreciated. Yes, I had run Ad-Aware, and lots of stuff got deleted that way. I also followed your most recent instructions, and here are the current results of both ServiceFilter (POST_THIS.txt) and HijackThis... The service scagent (Security Agent) appears to be gone. Does it all look good now? Please let me know. Thank you!



The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dez 5, 2004 20:12:32


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AClient
Display Name: Altiris Client-Dienst
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\compaq\aclient\aclient.exe -service
State: Running
Process ID: 1056
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 2
Service Name: AntiVirService
Display Name: AntiVir Service
Start Mode: Auto
Start Name: LocalSystem
Description: Permanenter Virenschutz mit der H+BEDV AntiVir ...
Service Type: Own Process
Path: "c:\programme\avpersonal\avguard.exe"
State: Running
Process ID: 1172
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: AVWUpSrv
Display Name: AntiVir Update
Start Mode: Auto
Start Name: LocalSystem
Description: Hilfsdienst fuer AntiVir Personal ...
Service Type: Own Process
Path: "c:\programme\avpersonal\avwupsrv.exe"
State: Running
Process ID: 1196
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 4
Service Name: CPQALERT
Display Name: Compaq Local Alerter
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\compaq\compaq management agents\cpqalert.exe
State: Running
Process ID: 1132
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 5
Service Name: CpqDfwWebAgent
Display Name: Compaq Remote Diagnostics Enabling Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\cpqdiag\cpqdfwag.exe
State: Running
Process ID: 1320
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 6
Service Name: cpqdmi
Display Name: cpqdmi
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqdmi.exe
State: Running
Process ID: 888
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 7
Service Name: cpqWebDmi
Display Name: Compaq DMI Web Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe
State: Running
Process ID: 708
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #8
Service Name: iPodService
Display Name: iPod Service
Start Mode: Manual
Start Name: LocalSystem
Description: iPod hardware management ...
Service Type: Own Process
Path: c:\programme\ipod\bin\ipodservice.exe
State: Running
Process ID: 2244
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 9
Service Name: ISEXEng
Display Name: ISEXEng
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\angelex.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #10
Service Name: MDM
Display Name: Machine Debug Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Manages local and remote debugging for Visual Studio ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\microsoft shared\vs7debug\mdm.exe"
State: Running
Process ID: 1440
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 11
Service Name: NMSSvc
Display Name: Intel® NMS
Start Mode: Auto
Start Name: LocalSystem
Description: Intel® NIC Management ...
Service Type: Own Process
Path: c:\windows\system32\nmssvc.exe
State: Running
Process ID: 1816
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #12
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{6a63995b-ff59-45be-ac97-3ba6f31078ff}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 13
Service Name: WIN32SL
Display Name: Win32Sl
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\compaq\compaq management agents\dmi\win32\bin\win32sl.exe
State: Running
Process ID: 1304
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

---> End Service Listing <---

There are 86 Win32 services on this machine.
13 were unrecognized.

Script Execution Time: 0,953125 seconds.



Logfile of HijackThis v1.98.2
Scan saved at 20:02:19, on 05.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\WinPortrait\floater.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D67AC55A-B750-41A4-BEE6-020E017A7996} (IEPlugIn Class) - http://install.cokemusic.de/client/pc/MY-P...LLER_loader.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
HijackThis Logfile
« Reply #5 on: December 05, 2004, 02:42:12 PM »
Your still not clean yet

Service Filter looks good
Is your version of Ad-Aware right up to date?
Open Ad-Aware and click on Details
Let me know Reference number and Internal Build

Do this again

Do another scan with hijackthis
Put a check next to these entries

O4 - HKCU\..\Run: [my-playlist] "C:\Programme\my-playlist\my-playlist.exe" /Autostart

O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe <--make sure you get this one

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D67AC55A-B750-41A4-BEE6-020E017A7996} (IEPlugIn Class) - http://install.cokemusic.de/client/pc/MY-P...LLER_loader.exe

After you have ticked the Above entries, Close out ALL other windows, Including this one
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis

RESTART your computer

Find and delete this folder if it exists
C:\Programme\Gemeinsame Dateien\GMT <--folder

Then post back a fresh hijackthis log
Let me know that info from Ad-Aware

Make sure you install SpywareBlaster
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
HijackThis Logfile
« Reply #6 on: December 05, 2004, 03:34:57 PM »
Thanks, guestolo, for all your great help. Yes, my version of Ad-Aware should be current, it's the following: Ad-Aware SE Personal, Build 1.05. I put a check next to all four entries you mentioned and restarted the computer. The folder C:\Programme\Gemeinsame Dateien\GMT had already been deleted. After restarting the computer, I checked just to make sure, and that GMT folder is still gone. Here is the most recent HijackThis log... Please let me know if you think it's all good now. Thank you!


Logfile of HijackThis v1.98.2
Scan saved at 21:40:34, on 05.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programme\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\WinPortrait\wpctrl.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programme\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programme\WinPortrait\floater.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programme\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Programme\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Programme\ArtecUSB\ScanPanel\ScnPanel.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.Email Removed.msn.com/resour...es/MsnPUpld.cab
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
HijackThis Logfile
« Reply #7 on: December 05, 2004, 03:42:42 PM »
Looks good  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />

Remember that SpywareBlaster will help to prevent these types of infections

You may want to read this
How did I get Infected?

You will notice in that link it advises to install Spybot 1.3
I definitely recommend installing it>>It's free http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />
Another great Spyware remover and has an Immunization feature
Also TEA TIMER
This protects certain parts of the registry being changed by Hijackers

Stay Safe

EDIT>>That link also recommends another free program that helps prevent hijackers
SpywareGuard, if you decide to install it you won't need to Enable TEA timer
« Last Edit: December 05, 2004, 03:44:30 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
HijackThis Logfile
« Reply #8 on: December 05, 2004, 04:43:03 PM »
Thanks so much, guestolo. Aside from HijackThis 1.98, I've also got the following programs already: Spybot 1.2.0.8, SpyStopper 2.7.0.5, and SpywareBlaster 3.2. In addition, I've got Ad-Aware 1.05, AntiVir 6, and CWShredder 1.59.0.1. Do you also know what the program SED is for? And what's your experience with Kazaa? Is it really so bad in attracting viruses, so would you recommend to get rid of it by uninstalling it? Please let me know. Thanks a lot in advance!
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
HijackThis Logfile
« Reply #9 on: December 05, 2004, 04:57:28 PM »
You can delete CWShredder, it's outdated

Concerning Spybot
Uninstall it through Add/Remove Programs
It's outdated and you won't be able to find updates anymore
That was about 8 months ago  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
You must of been wondering what I was talking about when I said tea timer
I don't think the old version had tea timer>>Hee hee

After you uninstall it
Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Download all updates
Check for Problems---FIX everything in RED
If anything in red is fixed please restart your computer to finish the cleaning

SED>>You should be able to delete the folder, send it to the recycle bin
But can you let me know the exact directory of it

Watch what you download with Kazaa
I usually recommend uninstalling it, but this is up to you
There are spyware free versions of P2P file sharing programs
Personally I use Kazaalite, so I'm no angel
The link to it is hard to find
I may be able to still find a link though

Spystopper, I don't know much about
Can you link me to their website
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
HijackThis Logfile
« Reply #10 on: December 05, 2004, 05:41:20 PM »
guestolo, thank you so much for another most helpful posting. I deleted CWShredder and the old version of Spybot. I just finished downloading Spybot 1.3 including TeaTimer, a registry backup that I had them create, as well all updates. How about the compatibility warnings in regards to Ad-Aware? I ignored those basically. I just checked for problems, and 25 entries were found, with two of them that can only be fixed after a restart.

Also, I just deleted the SED folder. It was located under C:\Programme\SED and was easy to delete. As far as SpyStopper, I just deleted it, because I realized that I had the outdated version. The new one is 3.0, and one may download it here (please let me know if you think this is worth downloading): http://www.download.com/SpyStopper/3000-21...tml?tag=lst-0-1

Last but not least, I decided to uninstall Kazaa. May you provide me with the link to Kazaalite if by any chance possible? I've heard only good things about it. Thanks a lot in advance!
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
HijackThis Logfile
« Reply #11 on: December 05, 2004, 05:49:59 PM »
By the way Spybot and Ad-Aware work well together, keep them both
Check for updates every couple of weeks
With Ad-Aware you can run a Smart System Scan
Run a full system scan once in awhile

You can search thru google, but I'm not sure which ones have the legitimate download
http://www.google.ca/search?q=kazaalite&hl...=&start=10&sa=N
« Last Edit: December 06, 2004, 10:09:38 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »