View Full Version : cant open windows task manager
sjfrockerdude
2007-02-05, 20:44
Ive tried to open the task manager and it wont even load, I think its malware but im not sure, here is the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:35:51 PM, on 2/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\spy finder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166587437154
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
sjfrockerdude
2007-02-06, 04:05
Also ive been doing some research on what the prob could be and I think it is "onoes.exe" but im not sure.
pskelley
2007-02-06, 12:56
Welcome to the forum, let me give you the facts as I see them. You are very infected with some nasty worms and from here I can not discern exactly what they are. I want first to tell you that HJT can not see everything, that is why these instructions are posted:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
The antivirus scan mentioned in those instructions will often tell us more than we can see with HJT. In this case, I can see enough, so don't run or post a antivirus scan unless I need it later.
Here is the problem: O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
You are also running a trojan from your services:
O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
Here is the Google information on the first one:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=winlog%2eexe
as you can see it can be many things, but I believe you have a nasty backdoor worm that has severely compromised your security on this computer and that you should have this information:
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
If you wish to scan the winlog.exe item, here are free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
You will need to enable all hidden files and folder to find it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
I will wait until you have looked at this information, then let me know what you decide. We can remove the junk, but if it is as bad as I think it is, you can never trust this computer to be secure.
Thanks
sjfrockerdude
2007-02-06, 23:03
well... I wasn't expecting to hear that :( however this I dont use this computer for any online billing ect. and im not exaclty in the position to re format this computer. So I think that it would be better to try to get rid of as much as possible and if another thing like this occurs to then re format it. Also for quite a while ive been having a prob with the windows updates, for the last 5 months i havent been able to update anything, It would sya that ive updated it yet a few minutes later it would ask to install the same update. Could that also be do to a virus?
sjfrockerdude
2007-02-06, 23:04
oh and thank you for your help
pskelley
2007-02-07, 00:16
OK and thanks, I respect your decision. You asked this:
It would sya that ive updated it yet a few minutes later it would ask to install the same update. Could that also be do to a virus It could be the malware, once I give you the all clean, if you still can not download updates, then take that issue to Microsoft for help:
http://support.microsoft.com/
Unless I am missing something, you have no antivirus program running on this computer, if this is the case, please choose one of these three, download, update and run a scan with it. Delete what it locates.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/
I would like you to look at this file, my scanner says it is safe, I wish to be positive, use one or more of the free scans and post the results for me to view.
The file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
The scanners: http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Please follow the instructions carefully and in the posted order.
Thanks to andymanchesta and anyone else who helped with the fix.
1) Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
(hold the reports and logs until we finish)
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
(next two are Alexa toolbar related resource wasters, if you don't use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
(You will have to search for this file, it may be gone but it is very important not to miss it)
winlog.exe <<< delete that file
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program
Restart the computer and post the report.txt from SDFix, a new HJT log and your comments. How is the computer running now?
Thanks
sjfrockerdude
2007-02-07, 00:51
first the online scans
from www.virusscan.jotti.org
Scanner Malware name
AntiVir HEUR/Crypted
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
VirusBuster X
VBA32 Backdoor.Hupigon.4 (paranoid heuristics)
from
<http://www.virustotal.com/flash/index_en.html>
Antivirus Version Update Result AntiVir 7.3.1.34 02.06.2007 no virus found
Authentium 4.93.8 02.06.2007 no virus found
Avast 4.7.936.0 02.06.2007 no virus found
AVG 386 02.06.2007 no virus found BitDefender 7.2 02.05.2007 no virus found
CAT-QuickHeal 9.00 02.06.2007 no virus found
ClamAV devel-20060426 02.06.2007 no virus found
DrWeb 4.33 02.06.2007 no virus found
eSafe 7.0.14.0 02.06.2007 no virus found
eTrust-InoculateIT 30.4.3372 02.06.2007 no virus found
eTrust-Vet 30.4.3372 02.06.2007 no virus found
Ewido 4.0 02.06.2007 no virus found
Fortinet 2.85.0.0 02.06.2007 no virus found
F-Prot 4.2.1.29 02.06.2007 no virus found
Ikarus T3.1.0.31 02.06.2007 no virus found
Kaspersky 4.0.2.24 02.06.2007 no virus found
McAfee 4957 02.06.2007 W32/Vbbot
Microsoft 1.2101 02.06.2007 no virus found
NOD32v2 2042 02.06.2007 no virus found
Norman 5.80.02 02.06.2007 no virus found
Panda 9.0.0.4 02.06.2007 no virus found
sjfrockerdude
2007-02-07, 02:53
thank you very much for your help :) heres the SDfix report
SDFix: Version 1.63
Tue 02/06/2007 - 19:11:40.89
Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Client IP-IPX
Path:
"C:\WINNT\system32\svchosts.exe" -e mc-110-12-0000140
Client IP-IPX Deleted
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINNT\system32\netstat.com - Deleted
C:\WINNT\system32\p2pnetworking.exe - Deleted
C:\WINNT\system32\taskkill.com - Deleted
ADS Check:
C:\WINNT\system32
No streams found.
Final Check:
Remaining Services:
------------------
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\WINNT\system32\cmd.com
C:\WINNT\system32\ping.com
C:\WINNT\system32\regedit.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\tracert.com
C:\arcldr.exe
C:\arcsetup.exe
C:\CONFIG.SYS
Finished
and the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:43:31 PM, on 2/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\WINNT\system32\wuauclt.exe
C:\spy finder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166587437154
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
however I sill cant access the task manager... and while deleting the files as told it came up with an error:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm)
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
hope that helps :/
pskelley
2007-02-07, 03:22
Thanks for returning you information, I would still like to look at little more at this item:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
This is what my scanner says it probably is: Name Gilat SOM Enumerator
Command dllhost.exe
Status Y
Description For Gilat Communications internet satellite systems - associated with SkyBlaster modem. Required if you have this system
Can you tell me if you have this item on your computer.
It is associated with this item: O4 - Global Startup: dllhost.exe so of one is safe the other will be.
C:\SDFix\backups\backups.zip <<< I am sure Andy does not need that one, you can delete that folder.
I see no malware in the HJT log. No problem with those messages, once in a while we get them and it looks like everything worked as it should, the junk is gone.
Let's run another scan first to see if anything may be hidden. Follow the directions in this link, please delete or at least quarantine anything located. Post the scan results for me to view.
http://forums.security-central.us/showthread.php?t=3165
Here is some information you can look at about the task manager issue:
http://www.google.com/search?hl=en&rls=GGLG%2CGGLG%3A2006-16%2CGGLG%3Aen&q=can%27t+open+windows+task+manager+&btnG=Search
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=task+manager+won%27t+open+in+windows+2000
Thanks
sjfrockerdude
2007-02-07, 04:53
I dont have any SkyBlaster Modem so not sure where that came from... but heres the log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:45:45 PM 2/6/2007
+ Scan result:
C:\Documents and Settings\administrator\Cookies\billy bob@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\administrator\Cookies\billy bob@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
::Report end
not much there :)
pskelley
2007-02-07, 14:12
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
Return to that file and right click it then choose properties. Post any information available.
Here is information about dllhost.exe: http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=dllhost%2eexe
and I have not liked where this one is running from since we started. A possible move would be to move it to the recycle bin and see what happens. Make sure the Bin has not been bypassed first.
Let's check you recycle bin to make sure it has not been bypassed. RIGHT click on it and choose properties. It should, by default, be set to "Use one setting for all drives"
Make sure the box "Do not move files to the Recycle Bin". Remove files immediately when deleted IS NOT CHECKED. Make sure you have space for deleted items, I keep my bin set at 5%. Now when we delete the file or folder, it will be moved to the bin and can be restored IF needed.
Thanks
sjfrockerdude
2007-02-07, 23:05
well there is know info availible on my comp about it, all it says is that it was created and modified on feb 5, 2007 and accesed today, when i tried to delete it it says "cannot delete, access is denied, source file may be in use. also in my program files ive noticed some random firles named a, b, 1, and 2 that werent there bafore, yet when i try to delete them they come right back.
pskelley
2007-02-07, 23:40
Did you receive the Private Message I sent you? Metallica added that item today:
Updated for %ALLUSERSSTARTUP%\dllhost.exe As far as I know the tool runs fine on Windows 2000, here is the tool:
http://www.geekstogo.com/forum/How_to_stop_and_undo_the_effects_of_the_Alcra_aka_Alcan_Worm-t98929.html
Follow the instructions in items 1, 3 and 3. Then restart the computer and post a new HJT log.
Thanks
sjfrockerdude
2007-02-08, 01:38
well I can get back into the task manager :) heres the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:32:20 PM, on 2/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\spy finder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166587437154
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
once again thank you for all your help :)
pskelley
2007-02-08, 02:00
Thanks sounds good:bigthumb: I apologize for being so cautious, I had a bad feeling about that item from the beginning, but even the scans were not conclusive. Here was a clue removed by SDFix in case you want to know how all of this probably got started:
C:\WINNT\system32\p2pnetworking.exe - Deleted
Your HJT log looks good, you can remove all of the tools we used. ATF-Cleaner is your to keep if you wish.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
sjfrockerdude
2007-02-08, 02:33
Thanks for the help :)