luluhifi Posted February 19, 2006 Share Posted February 19, 2006 Hello Pit good day to everyone can you guy take alook at this log and see if anything need to be fix please :crash: Logfile of HijackThis v1.99.1 Scan saved at 5:17:56 PM, on 2/19/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites
Jacee Posted February 19, 2006 Share Posted February 19, 2006 What infection was on this machine? Rescan with HJT, check these items, close all windows and programs except HJT, then click 'fix checked': R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Next, clean out all the temporary files and cookies on your system. Go to Start > Run and type cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin. Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete. Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Then use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes"). Empty your Temporary Internet Cache completely. Close all instances of Outlook and and Internet Explorer. Go to Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK. *Use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"): * C:\Documents and Settings\<Your Profile>\Local Settings\Temp\ * C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\ * C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\ * C:\Windows\Prefetch\ * Empty your "Recycle Bin". Reboot and post a new log Link to post Share on other sites
luluhifi Posted February 19, 2006 Author Share Posted February 19, 2006 What infection was on this machine? Rescan with HJT, check these items, close all windows and programs except HJT, then click 'fix checked': R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Next, clean out all the temporary files and cookies on your system. Go to Start > Run and type cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin. Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete. Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Then use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes"). Empty your Temporary Internet Cache completely. Close all instances of Outlook and and Internet Explorer. Go to Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK. *Use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"): * C:\Documents and Settings\<Your Profile>\Local Settings\Temp\ * C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\ * C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\ * C:\Windows\Prefetch\ * Empty your "Recycle Bin". Reboot and post a new log Hi Jacee I run a RootKitRevealer scan and came up with 24 suspect so I did a clean install of winXp and I now run HJThis. I will do what you told me to do in the mean time. Thank alot Link to post Share on other sites
luluhifi Posted February 20, 2006 Author Share Posted February 20, 2006 [New scan Logfile of HijackThis v1.99.1 Scan saved at 6:59:50 PM, on 2/19/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Link to post Share on other sites
Jacee Posted February 20, 2006 Share Posted February 20, 2006 Looks good Set a new restore point so you will have a clean one to fall back on! Link to post Share on other sites
luluhifi Posted February 20, 2006 Author Share Posted February 20, 2006 (edited) Looks good Set a new restore point so you will have a clean one to fall back on! Thank you very much Jacee you always help me out alot I have acouple more but dont have time so I will post them to this same thread tomorrow ok Edited February 20, 2006 by luluhifi Link to post Share on other sites
Jacee Posted February 20, 2006 Share Posted February 20, 2006 Please start a new thread. This one is going into the [solved] room Link to post Share on other sites
luluhifi Posted February 20, 2006 Author Share Posted February 20, 2006 Please start a new thread. This one is going into the [solved] room OK Well do Link to post Share on other sites
.png.9d4b89b15b2cd5e65edd93a0e6823dce.png)
Recommended Posts