wizzkid

Hijackthis log

Hi all,

 

Could someone please take a look at this log for me and let me know if it is ok. Just a minute ago I ran a scan and, just out of interest, I looked at O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll and read up about it, and apparently these .dlls are rarely ever used except by trojans. Could this be one.....

Logfile of HijackThis v1.99.1

Scan saved at 15:28:22, on 10/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton Utilities\NPROTECT.EXE

C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\DOCUME~1\Pete\LOCALS~1\Temp\clclean.0001

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] C:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE

O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


SASWINLO.dll:

http://www.castlecops.com/o20list-228.html

 

Not to worry. :)

 

There are a couple of entries on the log that can be cleaned up, but I will get back with you tomorrow. I am about ready to call it quits for tonight.

 

In the meantime, please download Ewido Anti-Malware:

http://www.ewido.net/en/download/

Locate the icon on the Desktop and double-click it to launch the program.

 

Now, update the definition files:

On the main screen select Update, and then select the Update Now link.

Next, select the Start Update button

(The update starts and a progress bar shows the updates installed.)

 

Once the update completes select: Scanner (the top of the screen)

Select the Settings tab

Once in the Settings screen click on: Recommended actions

Select: Quarantine

Under: Reports, select: Automatically generate report after every scan

Un-Select: Only if threats were found

Close Ewido for now. We will use it later after removing some of the malware entries on your log.

 

~~~~

Reboot to Safe Mode :

-Restart your computer.

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

~~~~

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies

(You will have to re-enter passwords at websites that require them.)

Click OK

 

Also, please empty the FireFox browser cache:

Go to Tools > Options

Select Privacy and then the Cache tab

In the cache tab, click: Clear Cache Now

Click OK to close the Options window

 

Then, go to Start >Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

RecycleBin

Agree to the prompt to perform the action...

 

~~~~

Still in Safe Mode, launch Ewido once again

Select: Scanner (at the top)

Select the Scan tab

Click on: Complete System Scan

Ewido begins the scanning process, and it may take a while.

Please do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process!!

 

Once the scan is complete, Ewido lists any infections found.

It also automatically sets the recommended action.

Click: Apply all actions

Ewido will then display: All actions have been applied

 

Next select: Reports (at the top)

Select: Save report as (lower left of the screen)

Save the report to a text file in a location where you can find it!

Close Ewido.

 

~~~~

Restart the computer.

 

~~~~

Please provide the Ewido report in your reply.


Hi,

 

I did all you said and there was nothing found at all. This is what the report said:

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 15:30:33 10/5/2006

 

+ Scan result:

Nothing found.

 
Thanks for your help, Wizzkid


There are a couple of entries on the log that can be cleaned up:

 

Run HijackThis, Scan

Check box for:

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)

O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)

 

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

 

O20 - AppInit_DLLs:

 

Select: Fix checked

 

~~~~

If you are not having malware problems, you are good to go!

 

====

Take a good look at the following suggestions to remain malware free:

Tony Klein’s article 'How Did I Get Infected In The First Place'

http://forums.spywareinfo.com/index.php?showtopic=60955

 

====

Thank you for your patience, and performing the procedures requested.

If you have any questions or comments, post back. Otherwise...

 

Good luck, wizzkid!!
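The cleanup above follows a simple rule: entries that point at nothing (an empty Local Page value, a BHO with "(no file)", an ActiveX entry with no name or URL, an empty AppInit_DLLs value) are leftovers to remove, while Winlogon Notify DLLs such as SASWINLO.dll are listed for a manual check of the file rather than removed on sight. The script below is an added example, not part of this thread or of HijackThis itself; it parses log lines in the HijackThis format (a constructed sample taken from the kinds of entries shown above) and applies exactly that triage.

```python
import re

# Constructed sample in HijackThis format (a subset of the entry types above).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O20 - AppInit_DLLs:
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section, body) pairs for each HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def orphan_reason(section, body):
    """Why an entry is a removable leftover, or None if it points at something."""
    if section == "R0" and body.endswith("Local Page ="):
        return "empty Local Page value"
    if section == "O2" and body.endswith("- (no file)"):
        return "BHO registered but its DLL is missing"
    if section == "O16" and body.endswith("-"):
        return "ActiveX entry with no name or download URL"
    if section == "O20" and body == "AppInit_DLLs:":
        return "empty AppInit_DLLs value"
    return None


def triage(text):
    """Split a log into (orphans to fix, Winlogon Notify DLLs to review by hand)."""
    orphans, winlogon = [], []
    for section, body in parse_entries(text):
        reason = orphan_reason(section, body)
        if reason:
            orphans.append((f"{section} - {body}", reason))
        elif section == "O20" and body.startswith("Winlogon Notify: "):
            name, _, dll = body[len("Winlogon Notify: "):].partition(" - ")
            winlogon.append((name, dll))  # verify the file; do not fix blindly
    return orphans, winlogon
```

Run `triage(SAMPLE_LOG)` to get the four leftovers the helper listed and the one Winlogon Notify DLL that still needs a manual look.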
