I think I've removed the malware using smitrem. This other forum called SWI forums told me to run smitrem in safe mode and it replaced a file called winnet. I've still followed your last reply and I've now got a full log; it may have been the malware preventing the full log, but it might still be there.
Thanks a lot for your help
Logfile of HijackThis v1.99.1
Scan saved at 17:28:58, on 09/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O1 - Hosts: # Copyright (c) 1993-1999 Microsoft Corp.
O1 - Hosts: # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
O1 - Hosts: # This file contains the mappings of IP addresses to host names. Each
O1 - Hosts: # entry should be kept on an individual line. The IP address should
O1 - Hosts: # be placed in the first column followed by the corresponding host name.
O1 - Hosts: # The IP address and the host name should be separated by at least one
O1 - Hosts: # space.
O1 - Hosts: # Additionally, comments (such as these) may be inserted on individual
O1 - Hosts: # lines or following the machine name denoted by a '#' symbol.
O1 - Hosts: # For example:
O1 - Hosts: # 102.54.94.97 rhino.acme.com # source server
O1 - Hosts: # 38.25.63.10 x.acme.com # x client host
O1 - Hosts: 127.0.0.1 localhost
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O16 - DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
O16 - DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://java.sun.com/update/1.4.2/jinsta ... s-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/sh ... rashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 2647337963
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://java.sun.com/update/1.4.2/jinsta ... s-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll
O23 - Service: Alerter - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - Microsoft Corporation - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\System32\imapi.exe
O23 - Service: Infrared Monitor (Irmon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Messenger - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\System32\msiexec.exe
O23 - Service: Network DDE (NetDDE) - Microsoft Corporation - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Microsoft Corporation - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\System32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\System32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\System32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Registry (RemoteRegistry) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Microsoft Corporation - C:\WINDOWS\System32\wdfmgr.exe
O23 - Service: Upload Manager (uploadmgr) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe