Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hijackthis log file

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

hijackthis log file

Unread postby guntrip » March 6th, 2006, 10:38 am

please can you review my hijackthis log

regards Linda

Logfile of HijackThis v1.99.1
Scan saved at 14:37:35, on 06/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\iNet Protector\IProtectorService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\postcode\Sage\AFDPcSage.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\iNet Protector\iprotect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\ACT\SideACT.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Zetafax\ZETAFAX.EXE
C:\Program Files\Sage\Accounts\Sage.exe
C:\PROGRA~1\Sage\Accounts\SGLAUN~1.EXE
C:\Program Files\ACT\act.exe
C:\PROGRA~1\ACT\ActEmail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Manager\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AFD Postcode for Sage] c:\postcode\Sage\AFDPcSage.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [inetprot] "C:\Program Files\iNet Protector\iprotect.exe" tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5077256304
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{80FCB7D6-A31A-4943-AFFC-52CBCC56BE23}: NameServer = 192.168.0.3,217.13.128.17
O18 - Protocol: ActLink - {2A0C35F4-82A3-4C80-919D-7879FEE79DF6} - C:\Program Files\ACT\actlink.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Internet Protector System Service (InternetProtectorService) - Unknown owner - C:\Program Files\iNet Protector\IProtectorService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
guntrip
Active Member
 
Posts: 2
Joined: March 6th, 2006, 10:21 am
Advertisement
Register to Remove

Unread postby SpotCheckBilly » March 6th, 2006, 9:47 pm

Hello guntrip,

Welcome to the MWR forums.

There isn't much going on in your log file. Are you having any specific problems? If so, may I have the details?

The following Startup (O4) is an optional fix. It is also something that definitely does not need to start when Windows launches. The O17 entry should only be fixed if it is NOT your ISP.

If you're not having any particular problems, I can recommend some other optional startup (O4) entries that you can disable. When we have taken care of everything that you need, I would then post some tips on how to keep your machine free of malware.

--->Important Step<---Before we get started, lHijackThis needs to be moved to its own, permanent folder.

HijackThis will create a backup file to use if a restore is necessary, so please DO NOT run HijackThis from a temporary location or your desktop.

Create a folder on the root drive, (Usually C:\), called C:\HJT.
1. Go to "My Computer", (Windows key+e), or by double-clicking on the "My Computer" icon on your desktop.
2. Double click on "C:"
3. Right click and select New->Folder. Name it HJT. Move HijackThis to this new folder.

Also move the "Backups" folder, for HiJackThis, if present.

Run HiJackThis and click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{80FCB7D6-A31A-4943-AFFC-52CBCC56BE23}: NameServer = 192.168.0.3,217.13.128.17
...(Verify that these ip addresses are for your isp's DNS Servers, if so, don't 'fix' these.)

With all windows closed except HiJackThis, click "Fix checked".

Post back a new log, along with a description of any problems and/or concerns you are (still) having. :wave:

SpotCheckBilly
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Re Help

Unread postby guntrip » March 7th, 2006, 7:47 am

Thanks for all your help have taken action requested and problem has been resolved. :P

Regards Linda
guntrip
Active Member
 
Posts: 2
Joined: March 6th, 2006, 10:21 am

Unread postby SpotCheckBilly » March 7th, 2006, 6:04 pm

Hello Linda,

I'm glad that we were able to help. 8) Following is my standard "final cleanup" speech. Included are some tips on how to keep your machine malware free in trhe future.

1. Run "Disk Cleanup" and allow it to remove everything it finds.

2. If you've downloaded MicroWorld]MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.

Please skip this step 3. Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". Follow on-screen prompts.

4. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system restore point manually.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster => SpywareBlaster will prevent spyware from being installed.
  • Spywareguard => SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware => If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware => If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware
To protect yourself further:
  • IE/Spyad => IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file => The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar => Get the free google toolbar to help stop pop up windows.
I also suggest that you delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
  • C:\WINDOWS\Temp\--->Everything After the \.
  • C:\Temp\--->Everything After the \.
  • C:\Documents and Settings\username\Local Settings\Temp\--->Everything After the \.
  • Repeat for all users.
Also delete your Temporary Internet Files:
  • Click Start=>Control Panel=>Internet options.
  • Under the Generaltab.
  • Click Delete Files button.
  • Place a check-mark in Delete all off-line content.
  • Click OK=>OK
  • Exit Control Panel
  • Repeat for all users.
Empty the recycle bin:
  • Right-click the Recycle Bin icon on your desktop.
  • Select "Empty Recycle Bin".
  • Repeat forall users.
Note: You can also do the above steps using a program such as Cleanup! from Steven Gould or CCleaner.These steps should be done on a regular basis.

Also, please see: So how did I get infected in the first place?

If you have any other problems, don't hesitate to post back with a description and a fresh HijackThis log. :wave:

SpotCheckBilly
User avatar
SpotCheckBilly
MRU Master
MRU Master
 
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Unread postby NonSuch » March 7th, 2006, 6:21 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27305
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby ChrisRLG » March 8th, 2006, 9:22 am

We have noticed a few things with your access to our forum.

1.
Several people are having logs done from the same IP number - YOURS.

2.
They have all registered in the last few days, all with different machines.

Our rules state that a person is not allowed to have more than one username registered at our forum.

I have moved all your topics to this room :-
http://www.malwareremoval.com/forum/viewforum.php?f=78

It is hidden from normal public view, and I would like you to please explain what is going on here.

What it looks like is that you are one person, and are using our services to provide a service toother people, possibly for a fee.

Can you pease explain what is going on.

ChrisRLG
Malware Removal
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 59 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware