Hijack This Log Thread


Xon
Sith Acolyte
Posts: 6206
Joined: 2002-07-16 06:12am
Location: Western Australia

Post by Xon »

Manus Celer Dei wrote:Okay, I am running XP Home, will I have to do anything differently?
Yes. Use the SetSAFER utility I linked to and edit the .xml file to include
C:\WINDOWS\runservice.exe
VTPreset.exe
newdll2.exe
C:\WINDOWS\system32\fm27clv1.exe
Then use SetSAFER to prevent those applications from running as administrator (much easier to get rid of that way).

Then after a reboot, you can change the permissions of the files so no one can read (in safe mode as Administrator!) them. To do this, go to the Security tab on the file properties, and hit the "Add" button, type "Everyone" & enter, then click in the Deny column "Read & Execute". Since the applications are not administrators anymore, they can take back ownership or change the permissions. Then reboot once more, they are DEAD.
Also, what's secpol.msc?
A very handy utility for securing a WinXP computer.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
Manus Celer Dei
Jedi Master
Posts: 1486
Joined: 2005-01-01 06:30pm
Location: I need you to relax your anus.

Post by Manus Celer Dei »

Um, I'm not too sure how to use Safeset. Trying to run safeset.exe gives me an error, something about it failing to initialise.

When you say add to the *.xml, do you just mean copy and paste what you wrote into it? Because everything that was already there was like
<app comment="Internet Explorer" path="c:\program files\internet explorer" user="false" />
That sort of thing. Do I have to set it up like that for the stuff you told me to add?

EDIT: I've just discovered that it's a damn good thing I'm using Opera. Any active IE windows automatically reset to searchweb2.com about every two minutes. :x
And a look at task manager reveals that my processor usage is more or less constant at 70% WHEN THE COMPUTER IS IDLE.

:banghead:
"We will build cities in a day!"
"Man would cower at the sight!"
"We will build towers to the heavens!"
"Man was not built for such a height!"
"We will be heroes!"
"We will BUILD heroes!"

Post by Xon »

Sorry about the lack of instructions.

Ok, you need to extract both the exe & xml file to the same location.

Then you need to add the following bits to the xml file:
<app comment="spyware1" path="C:\WINDOWS\runservice.exe" user="false" />
<app comment="spyware2" path="VTPreset.exe" user="false" />
<app comment="spyware3" path="newdll2.exe" user="false" />
<app comment="spyware4" path="C:\WINDOWS\system32\fm27clv1.exe" user="false" />
after
<app comment="Internet Explorer" path="c:\program files\internet explorer" user="false" />
Make sure you don't delete or overwrite anything else in there.

Then run the SetSAFER app, & tick the spyware entries (and IE entry too!), hit apply and follow it up with a reboot.

Post by Manus Celer Dei »

OOookay.

Trying to run SetSafer gets me this:

Image
:banghead:

That's after adding the entries you told me to. I get the same whether I'm in safemode or not.

Post by Xon »

Fuck.

Do you have .NET v1.1 installed? If not, that could be causing it to fail. Rewriting it into a language which doesn't require the .NET framework would require a day or so, and it will be the weekend till I get the time.

Frankly, you should just get a Windows XP CD and format the box. Install WinXP sp2, activate the firewall and patch everything, using Microsoft Update instead of Windows Updates. It covers more stuff.

Post by Manus Celer Dei »

ggs wrote:Fuck.

Do you have .NET v1.1 installed? If not, that could be causing it to fail. Rewriting it into a language which doesn't require the .NET framework would require a day or so, and it will be the weekend till I get the time.
Is there anywhere that I could download it from? I would only need a trial version or something.
Frankly, you should just get a Windows XP CD and format the box. Install WinXP sp2, activate the firewall and patch everything, using Microsoft Update instead of Windows Updates. It covers more stuff.
I already would have done, but it'll be about two weeks until I can get my hands on one.

System restore isn't working either. :x If I ever meet the guy who did this ...

Post by Xon »

Manus Celer Dei wrote: Is there anywhere that I could download it from? I would only need a trial version or something.
Tis a free download (~20mb), in fact Microsoft would like everyone to have it :P
I already would have done, but it'll be about two weeks until I can get my hands on one.
In that case, I might get around to rewriting SetSafer into a different language in a day or so.
System restore isn't working either. :x If I ever meet the guy who did this ...
Ugh, evil.
Soontir C'boath
SG-14: Fuck the Medic!
Posts: 6828
Joined: 2002-07-06 12:15am
Location: Queens, NYC I DON'T FUCKING CARE IF MANHATTEN IS CONSIDERED NYC!! I'M IN IT ASSHOLE!!!

Post by Soontir C'boath »

Much obliged.


Logfile of HijackThis v1.99.1
Scan saved at 21 56 53, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jason\Desktop\HijackThis.exe
C:\WINDOWS\UninstallFirefox.exe
C:\DOCUME~1\Jason\LOCALS~1\Temp\ns_temp\uninstall.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O15 - Trusted Zone: www.gmail.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\WINDOWS\System32\VetMsgNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I have almost reached the regrettable conclusion that the Negro's great stumbling block in his stride toward freedom is not the White Citizen's Counciler or the Ku Klux Klanner, but the white moderate, who is more devoted to "order" than to justice; who constantly says: "I agree with you in the goal you seek, but I cannot agree with your methods of direct action"; who paternalistically believes he can set the timetable for another man's freedom; who lives by a mythical concept of time and who constantly advises the Negro to wait for a "more convenient season."
DocHorror
Rabid Monkey
Posts: 1937
Joined: 2002-09-11 10:04am
Location: Fuck knows. I've been killed again, ain't I?

Post by DocHorror »

How'm I doin?
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/e ... efault.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/e ... efault.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/e ... efault.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Subscribe in default RSS reader - C:\Documents and Settings\Paul\Application Data\RssBandit\iecontext_subscribefeed.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5312216859
O17 - HKLM\System\CCS\Services\Tcpip\..\{6895F33F-D712-4E20-A4FF-8F23E4656FEE}: NameServer = 159.134.237.6,159.134.248.17
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Need I worry about anything?
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Soontir C'boath and DocHorror, you both look clean, though DocHorror can potentially cut a few things (DMXLauncher, SGTray, QTTask, etc.) to conserve RAM. If that isn't a problem (or you use the functions in question), though, you should be in the clear.
Member of the Anti-PETA Anti-Fascist League
Brother-Captain Gaius
Emperor's Hand
Posts: 6859
Joined: 2002-10-22 12:00am
Location: \m/

Post by Brother-Captain Gaius »

Logfile of HijackThis v1.97.7
Scan saved at 10:45:22 AM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\JediNeophyte\My Documents\Archived Crap mk2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbs.stardestroyer.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://bbs.stardestroyer.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [system] dcomx.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/ ... 2264116828
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/ ... mv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/C ... 4770601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer ... taller.cab
Also, I've been getting some oddities since last night. I took care of some, but I've been getting an odd whirring noise... but I ran CHKDSK, and it didn't give any problems. Checked inside, fan was a little dusty and cleaned that out, but that wasn't the culprit either.
Agitated asshole | (Ex)40K Nut | Metalhead
The vision never dies; life's a never-ending wheel
1337 posts as of 16:34 GMT-7 June 2nd, 2003

"'He or she' is an agenderphobic microaggression, Sharon. You are a bigot." ― Randy Marsh

Post by Datana »

Brother-Captain Gaius, you're trojaned. If antivirus software doesn't catch it, try the following: restart in Safe Mode, then use HijackThis! to eliminate the following entry:


O4 - HKLM\..\RunServices: [system] dcomx.exe

As for the odd whirring noise, my first guess would be a dying hard drive (CHKDSK and SMART don't start reporting problems until the damage is pretty severe). Apart from that, check any other fans in the case (video card, power supply) to see if they're free. My video card starts whining like hell whenever it gets dusty, and a quick zap with canned air fixes it. Fans and hard drive are the only moving components inside a normal PC case, so the sound has to be coming from one of those.

Post by Brother-Captain Gaius »

Thanks. How the hell do you restart in safe mode under XP though? All my manuals are out of date and for the life of me I can't figure it out. I logged in with ctrl+alt+del at login and killed the process from there, would that work?

Post by Datana »

Brother-Captain Gaius wrote:Thanks. How the hell do you restart in safe mode under XP though? All my manuals are out of date and for the life of me I can't figure it out. I logged in with ctrl+alt+del at login and killed the process from there, would that work?
Hit F8 while the Windows bootloader is spooling up (the bar of white DOS-style blocks on a black screen that fills up). Under Windows 2000, this bar actually had a note under it saying "Hit F8 to enter Safe Mode," so I don't know why they cut it.

Anyway, if running another HJT! scan after a cold restart reveals that dcomx.exe is gone, then you should be clean.
Enigma
is a laughing fool.
Posts: 7777
Joined: 2003-04-30 10:24pm
Location: c nnyhjdyt yr 45

Post by Enigma »

My computer is running slowly. I have to reboot the computer every half to an hour. After playing games like Guild Wars and Colin McRae Rally 2005 the computer starts to slow down and I am losing memory despite having 1 GB of PC2100 RAM. HELP!!

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LVCOMSX.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\KAZAA FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\SYSTEM\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTracePro\NTXcontext.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {3734A957-FBD5-4F87-A404-4289C6F3DDFF} (DownloadScanEngine.ctlDSE296315) - http://downloads.rogershelp.com/updates.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zone.msn.com/binFramew ... b34246.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://sympatico.zone.msn.com/bingame/d ... der_v6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 7133796296
ASVS('97)/SDN('03)

"Whilst human alchemists refer to the combustion triangle, some of their orcish counterparts see it as more of a hexagon: heat, fuel, air, laughter, screaming, fun." Dawn of the Dragons

ASSCRAVATS!

Post by Datana »

Enigma, you didn't include the full log. The header contains useful information as well (specifically, your operating system, general level of patching, and HJT! version). I can tell by the presence of KB891711.EXE and ssdpsrv.exe that you're running Windows ME or 98SE, but not much more than that. Also, if you're running an earlier version of HJT!, it'll miss numerous pieces of scumware -- I don't see anything out of the ordinary in your log (it's actually rather clean for a Win9x box), but there might still be something lurking on your system if you're running HJT! 1.97.7.

As for general tips:
- Try scandisk/defrag if this is a recent problem. Windows 9x takes heavy performance hits from drive fragmentation.
- Consider switching to PC-2700 RAM, especially if your motherboard can use the dual channel feature. PC-2100 is the lowest grade of DDR RAM currently on the market, and bogs your system down (especially for Intel-based systems).
- If it's been over a year since your last reformat, Windows rot may be creeping up on your installation. About the only version of Windows that seems resistant to rot, in my experience, is 2000.
Member of the Anti-PETA Anti-Fascist League
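
Added example, not part of any post in this thread: a small Python parser for the HijackThis log layout pasted above. It covers two points from Datana's replies: the `RunServices` autostart singled out for removal, and the log pasted without its header, which hides the platform and HijackThis version. The rule that a `RunServices` entry on a WinNT-family platform deserves review, and the 1.99.1 version threshold (the newest version shown in the thread), are assumptions of this example; the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Shortened copy of the v1.97.7 log posted earlier in the thread.
FULL_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:45:22 AM, on 7/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bbs.stardestroyer.net/
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [system] dcomx.exe
"""

# Shortened copy of the log that was pasted without its header.
HEADERLESS_LOG = r"""C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - ..."
VERSION_RE = re.compile(r"^Logfile of HijackThis v(\d+(?:\.\d+)*)")
O4_REG_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
NEWEST_SEEN = (1, 99, 1)  # assumption: newest HijackThis version shown in the thread


@dataclass
class ParsedLog:
    version: tuple = None
    platform: str = None
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)  # (section code, body) pairs


def parse_log(text):
    """Parse header, running processes and section entries; every part is optional."""
    log = ParsedLog()
    for raw in text.splitlines():
        line = raw.strip()
        entry, version = ENTRY_RE.match(line), VERSION_RE.match(line)
        if entry:
            log.entries.append((entry.group(1), entry.group(2)))
        elif version:
            log.version = tuple(int(p) for p in version.group(1).split("."))
        elif line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif DRIVE_PATH_RE.match(line) and not log.entries:
            # Bare paths before the first entry are the process list, even when
            # the "Running processes:" heading was cut off with the header.
            log.processes.append(line)
    return log


def review(text):
    """Return (notes about the log itself, autostart entries to look at by hand)."""
    log = parse_log(text)
    notes, flagged = [], []
    if log.version is None or log.platform is None:
        notes.append("header missing: platform and HijackThis version unknown")
    elif log.version < NEWEST_SEEN:
        notes.append("log made with HijackThis %s, older than %s" % (
            ".".join(map(str, log.version)), ".".join(map(str, NEWEST_SEEN))))
    running = {p.rsplit("\\", 1)[-1].lower() for p in log.processes}
    nt_family = log.platform is not None and "WinNT" in log.platform
    for code, body in log.entries:
        m = O4_REG_RE.match(body) if code == "O4" else None
        # Assumed rule: RunServices is a Windows 9x/ME autostart key, so an entry
        # under it on an NT-family platform is a candidate for manual review.
        if m and nt_family and m.group(2).startswith("RunServices"):
            command = m.group(4)
            flagged.append({
                "key": m.group(1) + "\\..\\" + m.group(2),
                "name": m.group(3),
                "command": command,
                "running": any(name in command.lower() for name in running),
            })
    return notes, flagged


if __name__ == "__main__":
    for label, text in (("full", FULL_LOG), ("headerless", HEADERLESS_LOG)):
        print(label, review(text))
```

With the header absent the platform rule is skipped rather than guessed, so the headerless sample yields only the "header missing" note.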
Illuminatus Primus
All Seeing Eye
Posts: 15774
Joined: 2002-10-12 02:52pm
Location: Gainesville, Florida, USA

Post by Illuminatus Primus »

Wow something fucked up is on my computer. I think it's maybe a bad torrent or something. I load my computer but the icons never materialize (apart from the generic icon that won't open - as if the computer doesn't recognize the program to run it). I'm in Safe Mode right now, trying to find and run HijackThis. I can't open it.

Yup. Can't do it. Fuck.
"You know what the problem with Hollywood is. They make shit. Unbelievable. Unremarkable. Shit." - Gabriel Shear, Swordfish

"This statement, in its utterly clueless hubristic stupidity, cannot be improved upon. I merely quote it in admiration of its perfection." - Garibaldi in reply to an incredibly stupid post.

The Fifth Illuminatus Primus | Warsie | Skeptical Empiricist | Florida Gator | Sustainability Advocate | Libertarian Socialist |
Enigma
is a laughing fool.
Posts: 7777
Joined: 2003-04-30 10:24pm
Location: c nnyhjdyt yr 45

Post by Enigma »

Datana wrote:Enigma, you didn't include the full log. The header contains useful information as well (specifically, your operating system, general level of patching, and HJT! version). I can tell by the presence of KB891711.EXE and ssdpsrv.exe that you're running Windows ME or 98SE, but not much more than that. Also, if you're running an earlier version of HJT!, it'll miss numerous pieces of scumware -- I don't see anything out of the ordinary in your log (it's actually rather clean for a Win9x box), but there might still be something lurking on your system if you're running HJT! 1.97.7.

As for general tips:
- Try scandisk/defrag if this is a recent problem. Windows 9x takes heavy performance hits from drive fragmentation.
- Consider switching to PC-2700 RAM, especially if your motherboard can use the dual channel feature. PC-2100 is the lowest grade of DDR RAM currently on the market, and bogs your system down (especially for Intel-based systems).
- If it's been over a year since your last reformat, Windows rot may be creeping up on your installation. About the only version of Windows that seems resistant to rot, in my experience, is 2000.
Thanks. I've defragged and scandisked but it makes no difference. As for the RAM, I doubt it since most of it is new and the oldest stick is a year and a half old. As for WinME, it has been a year and a half since I got this computer and I won't format the computer until I get my Win XP next week.
Tiger Ace
Jedi Knight
Posts: 627
Joined: 2005-04-07 02:03am
Location: AWAY

Post by Tiger Ace »

Windows rot, I have no idea for ME specifically, but cleaning out a massive bunch of old files, registry cleaning, all help.
Useless geek posting above.

Its Ace Pace.
Illuminatus Primus
All Seeing Eye
Posts: 15774
Joined: 2002-10-12 02:52pm
Location: Gainesville, Florida, USA

Post by Illuminatus Primus »

Please help me. I think it might be serious.
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Illuminatus Primus, if your situation's that far gone, it's not something I'm knowledgeable enough in to be able to solve without being on site. You could try restoring to the last known good configuration via the Safe Mode selection menu, but beyond that, I can't even start with a diagnosis. Perhaps someone who knows more about Windows quirks (like ggs) might know something that can help more.
Illuminatus Primus
All Seeing Eye
Posts: 15774
Joined: 2002-10-12 02:52pm
Location: Gainesville, Florida, USA

Post by Illuminatus Primus »

Well, I've been able to access Firefox and a few other applications but my icons are still fucked up, and I can't load HijackThis! because it's not an installed program.
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Illuminatus Primus wrote:Well, I've been able to access Firefox and a few other applications but my icons are still fucked up, and I can't load HijackThis! because it's not an installed program.
I'm not quite sure what you mean by that last part. Can you run programs via the Run menu, the command line, via Explorer, or are you limited to desktop shortcuts? I'm also not quite clear on what's happening on your system in general -- can you successfully take a screenshot of your desktop and post it? There are a large number of "generic icons," and which one pops up might hold a hint. At this point, all I can do is toss out ideas and hope some stick.

If you have the Start Menu but don't have any desktop icons, icons might be disabled. Right-click on the desktop, "Arrange Icons By," then make sure "Show Desktop Icons" is checked.

Also, you can try repairing icons with TweakUI if they simply look messed up but still work as links (under the "Repair" heading, then "Rebuild Icons").
Illuminatus Primus
All Seeing Eye
Posts: 15774
Joined: 2002-10-12 02:52pm
Location: Gainesville, Florida, USA

Post by Illuminatus Primus »

Datana wrote:
Illuminatus Primus wrote:Well, I've been able to access Firefox and a few other applications but my icons are still fucked up, and I can't load HijackThis! because it's not an installed program.
I'm not quite sure what you mean by that last part. Can you run programs via the Run menu, the command line, via Explorer, or are you limited to desktop shortcuts? I'm also not quite clear on what's happening on your system in general -- can you successfully take a screenshot of your desktop and post it? There are a large number of "generic icons," and which one pops up might hold a hint. At this point, all I can do is toss out ideas and hope some stick.

If you have the Start Menu but don't have any desktop icons, icons might be disabled. Right-click on the desktop, "Arrange Icons By," then make sure "Show Desktop Icons" is checked.

Also, you can try repairing icons with TweakUI if they simply look messed up but still work as links (under the "Repair" heading, then "Rebuild Icons").
If you select them it asks you what program do you want to run this with, and you can select the appropriate program - i.e., click on WMP and then select it from the list and it'll work, but the icon won't turn back into the WMP one.
Datana
Jedi Master
Posts: 1011
Joined: 2002-07-04 03:16am

Post by Datana »

Illuminatus Primus wrote:If you select them it asks you what program do you want to run this with, and you can select the appropriate program - i.e., click on WMP and then select it from the list and it'll work, but the icon won't turn back into the WMP one.
Sounds like your associations have been killed by something. Have you installed any programs recently? I've encountered numerous petulant programs that have a "scorched earth" policy WRT file associations, Real Player and DivX Player being the worst of the lot -- if you tell them not to handle a type of file, they'll sometimes delete the association completely rather than keeping it with the program that had it before. About the only way to really remedy that is to restore each one manually.

For instance, for WMP files (WMA, etc.), start up WMP, then go to Tools -> Options, then the "File Types" tab. Check whatever you want reassociated with WMP, then Apply. For some programs, you can simply double-click to open, then when the "Open With" menu opens up, you click once on the program you want and check "Always use the selected program to open this kind of file."

If files are associated (e.g. opens in WMP with a double-click) but the icons are screwy, open up Explorer, Tools -> Folder Options, File Types tab. Go to the file extension that you're interested in, click on it, then click on the "Advanced" button below. "Change icon" on the window that appears will let you change the appearance.