Hi, here's my HJT log.



alx21
2006-04-06, 21:41
Logfile of HijackThis v1.99.1
Scan saved at 20:16:43, on 06/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {B45F5E4D-C983-B577-A5F4-E43BF70423C3} - C:\WINDOWS\System32\uejhrsjv.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74B053C9-915D-B2FF-2C08-BBCE18BBEF9C} - C:\WINDOWS\System32\vehcbpt.dll (file missing)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {B45F5E4D-C983-B577-A5F4-E43BF70423C3} - C:\WINDOWS\System32\uejhrsjv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Rrskcoh] C:\WINDOWS\System32\n?pdb.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Meil] "C:\DOCUME~1\user\MYDOCU~1\CROSOF~1.NET\csrss.exe" -vt tzt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

shelf life
2006-04-12, 04:06
hi alx21,

first we will use hjt, then download and run ewido anti-malware.

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R3 - URLSearchHook: (no name) - {B45F5E4D-C983-B577-A5F4-E43BF70423C3} - C:\WINDOWS\System32\uejhrsjv.dll

O2 - BHO: (no name) - {74B053C9-915D-B2FF-2C08-BBCE18BBEF9C} - C:\WINDOWS\System32\vehcbpt.dll (file missing)

O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll

O2 - BHO: (no name) - {B45F5E4D-C983-B577-A5F4-E43BF70423C3} - C:\WINDOWS\System32\uejhrsjv.dll

O4 - HKCU\..\Run: [Rrskcoh] C:\WINDOWS\System32\n?pdb.exe

O4 - HKCU\..\Run: [Meil] "C:\DOCUME~1\user\MYDOCU~1\CROSOF~1.NET\csrss.exe" -vt tzt

O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
-------------------------------------------
next get and run ewido:
1. Download Ewido anti-malware. It is a free trial version of the program:

http://www.ewido.net/en/download/

2. Install ewido anti-malware
3. Launch ewido, there should be an icon on your desktop double-click it.
4. The program will now go to the main screen

You will need to update ewido to the latest definition files.

1. On the left hand side of the main screen click update
2. Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates


Once the updates are installed do the following:

1. Click on scanner
2. Click on Complete System Scan and the scan will begin.
3. NOTE: During some scans with ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If ewido detects a file you KNOW to be legitimate, select none as the action.
o DO NOT select "Perform action on all infections"
o If you are unsure of any entry found select none for now.
4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
5. Click Save report.
6. Save the report .txt file to your desktop.

Now close ewido security suite.
---------------------------------------
reboot and rescan and post a new hjt log............
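
The fix list above is the helper's call, made by eye. As an added example, not code from this thread, from HijackThis or from any tool named here, the Python below reads a v1.99.1 log and applies the same kinds of rules mechanically: hooks and BHOs whose file is gone or that load from System32, Run entries with an unrenderable character in the path or a core-process name outside System32, any O10 or O15 entry, O16 controls from a host outside an allow-list, and O23 services whose binary is missing and not in the Running processes list. The sample log is constructed from a subset of the lines in the first log posted here; the rule set, the System32-only process names, the O16 host allow-list and the `sc qc` hint are this example's own assumptions, not HijackThis rules.

```python
"""Mechanical triage of a HijackThis v1.99.1 log. Added example: not code from
HijackThis, ewido or the helper in this thread. The rules are this example's own
assumptions, tuned to reproduce the helper's fix list; not HijackThis rules."""
import re
from collections import namedtuple

# Core Windows processes that legitimately run only from %SystemRoot%\System32 (assumed set).
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Assumed allow-list of O16 (ActiveX download) hosts: the on-line scanners used later in the thread.
DPF_ALLOWED_HOSTS = ("kaspersky.com", "bitdefender.com", "trendmicro.com", "microsoft.com")
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|com|bat))\b', re.I)
SVC_RE = re.compile(r"^Service: [^-]*?\(([^)]+)\) - ")   # short (sc.exe) service name
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
Finding = namedtuple("Finding", "kind reason line")

# Constructed sample: a subset of the lines from the first log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

R3 - URLSearchHook: (no name) - {B45F5E4D-C983-B577-A5F4-E43BF70423C3} - C:\WINDOWS\System32\uejhrsjv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74B053C9-915D-B2FF-2C08-BBCE18BBEF9C} - C:\WINDOWS\System32\vehcbpt.dll (file missing)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\System32\smiehlp.dll
O2 - BHO: (no name) - {B45F5E4D-C983-B577-A5F4-E43BF70423C3} - C:\WINDOWS\System32\uejhrsjv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Rrskcoh] C:\WINDOWS\System32\n?pdb.exe
O4 - HKCU\..\Run: [Meil] "C:\DOCUME~1\user\MYDOCU~1\CROSOF~1.NET\csrss.exe" -vt tzt
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
"""

def parse(log_text):
    """Return (running-process basenames, [(kind, body, raw line), ...])."""
    procs, entries, in_procs = set(), [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.add(line.rsplit("\\", 1)[-1].lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2), line))
    return procs, entries

def allowed_host(host):
    # Exact or subdomain match only; a bare endswith() would pass evil-microsoft.com.
    return any(host == d or host.endswith("." + d) for d in DPF_ALLOWED_HOSTS)

def triage(log_text):
    procs, entries = parse(log_text)
    findings = []
    for kind, body, line in entries:
        m = PATH_RE.search(body)
        path = m.group(1) if m else ""
        base = path.rsplit("\\", 1)[-1].lower()
        in_sys32 = "\\system32\\" in path.lower()
        missing = "(file missing)" in body
        reason = None
        if kind in ("R3", "O2"):
            if missing:
                reason = "orphaned IE hook/BHO registration (file missing)"
            elif in_sys32:
                reason = "IE hook/BHO loaded from System32; vendor BHOs live under Program Files"
        elif kind == "O4":
            if "?" in path:
                reason = "character HJT could not render in the path (look-alike filename)"
            elif base in SYSTEM_ONLY and not in_sys32:
                reason = base + " started from outside System32"
        elif kind == "O10":
            reason = "broken Winsock LSP chain; needs an LSP repair, not a plain delete"
        elif kind == "O15":
            reason = "non-default Trusted Zone site (HJT lists only additions)"
        elif kind == "O16":
            h = HOST_RE.search(body)
            host = h.group(1).lower() if h else ""
            if not allowed_host(host):
                reason = "ActiveX control downloaded from " + (host or "an unknown host")
        elif kind == "O23" and missing and base not in procs:
            # A basename present in Running processes exists whatever HJT printed,
            # so only services whose binary is genuinely absent get here.
            s = SVC_RE.match(body)
            reason = "service binary is not on disk" + ("; check: sc qc " + s.group(1) if s else "")
        if reason:
            findings.append(Finding(kind, reason, line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.reason}\n    {f.line}")
```

Run as-is it reports ten entries: the nine the helper told the poster to fix (the O15 HKLM lines are omitted from the sample) plus O10 and the ServiceHost service. The O23 cross-check is the part worth keeping: both avast services in the first log are reported "(file missing)", but their executables appear in the Running processes list, so the log itself proves they are present; shost.exe does not appear, and that is the service the helper later has the poster stop and disable in services.msc. Treat O10 as a repair job rather than a delete: an LSP entry whose DLL is gone has to be removed from the Winsock catalog in a way that keeps the chain intact, and the HJT fix list above leaves it alone.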

alx21
2006-04-14, 01:58
Hi Shelf life

Thank you for your help and sorry about the delay. I have removed the recommended items that HJT originally found, completed an ewido scan (complete system scan; choose files by extension) without removing any objects, and scanned again with HJT. The results are set out below-

Logfile of HijackThis v1.99.1
Scan saved at 00:25:12, on 14/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 00:11:55, 14/04/2006
+ Report-Checksum: 835FE071

+ Scan result:

C:\a.bat -> Trojan.Zapchast : Ignored
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Ignored
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[1].txt -> TrackingCookie.Goclick : Ignored
C:\i66.exe -> Adware.Virtumonde : Ignored
C:\Program Files\hijackthis\backups\backup-20060413-025938-190.dll -> Adware.PurityScan : Ignored
C:\WINDOWS\876057.exe -> Adware.Mirar : Ignored
C:\WINDOWS\justin.exe -> Adware.EZula : Ignored
C:\WINDOWS\system32\b2search.exe -> Adware.EZula : Ignored
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\01IB4LAR\drsmartload_js[1].htm -> Downloader.IstBar.j : Ignored
C:\WINDOWS\system32\irismon.dll -> Adware.SafeSurfing : Ignored
C:\WINDOWS\system32\irsmwqve.dll -> Adware.SafeSurfing : Ignored
C:\WINDOWS\system32\kwinrsap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\lwinrsap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\mwinosap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\mwinssap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\nse12D.dll -> Adware.EZula : Ignored
C:\WINDOWS\system32\nwinmsap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\owinssap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\pwinssap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\rwinksap.exe -> Adware.ZenoSearch : Ignored
C:\WINDOWS\system32\twinksap.exe -> Adware.ZenoSearch : Ignored


::Report End:

shelf life
2006-04-14, 02:12
hi alx21,

that last hjt log looks good. how is your computer running now?

shelf life

alx21
2006-04-14, 22:41
Hi Shelf life

The computer itself is running without problems. Two questions- I uninstalled Spyware Doctor weeks ago but it's still showing up on HJT. Is it safe to remove it with HJT? Secondly, I have denied internet access permanently to these unknown programs- cation; sadhlp.dll; vclnt.dll and one with an unreadable filename. All are 0 KB.

What would you advise?

shelf life
2006-04-15, 18:17
hi alx21,

post another hjt log please.

alx21
2006-04-15, 20:32
Hi Shelf life

My latest HJT log (safe mode, show hidden files and folders)-

Logfile of HijackThis v1.99.1
Scan saved at 18:48:42, on 15/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

shelf life
2006-04-16, 01:13
hi alx21,

it all looks good to me. one thing:

go to start > run and type in services.msc. In the list of services that comes up, look for Service Hosts (ServiceHost).

right click on it and select properties. under the general tab:
make sure that the service status is: Stopped
and the Startup type is: disabled


shelf life

alx21
2006-04-16, 16:06
Hi Shelf life

I have now disabled Service Hosts from an automatic start-up (the service status was already stopped). Thanks for all your help. I am relieved my PC was not as infected as I feared- the false positives meant I could have deleted anything without informed advice. One more thing, Spybot always finds 3 entries of Command Service after scans, but this is not really bothering me as the PC is running OK. Should I just ignore it?

Thanks once again.

shelf life
2006-04-16, 22:49
hi alx21,

that cmdservice is just a harmless leftover. update ewido and avast. boot computer into safe mode, then run ewido and avast in safe mode.
reboot normally, pick out one of these and do a online scan or two:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
check AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
check Auto Clean.

F-Secure virus scanner
http://support.f-secure.com/enu/home/ols.shtml

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
-------------------------
rescan with hjt and post a new log please.........

alx21
2006-04-17, 23:20
Hi Shelf life

I have carried out the scans as directed. Ewido (safe mode) found the same malware from my previous post, avast (safe mode) found no infections. Trend Micro's online scanner found 6 malware items and cleaned all except two named ADW_SE. I have attached my new HJT log, along with Kaspersky's scan results.

How safe is it to have this new java programme running permanently on the PC? Is there a way to de-activate it and then re-activate when I need it for a Trend Micro scan? Many thanks.

Logfile of HijackThis v1.99.1
Scan saved at 20:07:09, on 17/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

*KASPERSKY ON-LINE SCANNER REPORT*
Monday, April 17, 2006 5:01:57 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 17/04/2006
Kaspersky Anti-Virus database records: 177029

*Scan Settings*
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer

A:\
C:\
D:\

*Scan Statistics*
Total number of scanned objects 23638
Number of viruses found 10
Number of infected objects 19
Number of suspicious objects 2
Duration of the scan process 01:36:40


*Infected Object Name* *Virus Name* *Last Action*
C:\a.bat Infected: Trojan.WinREG.Zapchast skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip/WinDy.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip ZIP: suspicious - 1 skipped
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP11\A0009856.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP11\A0009856.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP11\A0009867.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP11\A0009867.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP13\A0010135.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP13\A0010135.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP13\A0010135.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP13\A0010169.exe/data0006 Infected: Backdoor.Win32.HacDef.bo skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP13\A0010169.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP3\A0001556.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP3\A0001805.exe Infected: Trojan-Downloader.Win32.PurityScan.br skipped

C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped
C:\WINDOWS\system32\unirimon.exe NSIS: infected - 1 skipped
C:\WINDOWS\YOINSI.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\YOINSI.exe NSIS: infected - 1 skipped

*Scan process completed.*

shelf life
2006-04-18, 01:52
hi alx21,

look in add/remove programs panel for anything called:
Zeno or elite media group, and run the uninstaller if present.

looks like you have the latest java version, its ok to leave running permanently.
its only used to interact with some web pages.

all of these:
C:\System Volume Information\_restore{

are in your system restore archives, which we will clean out when everything looks good.........shelf life

alx21
2006-04-19, 00:06
Hi Shelf life

Zeno and Elitemediagroup are no longer present in Add/Remove programs, so Trend Micro (which I ran after Kaspersky) must have uninstalled them. What is present is Media Tickets by OIN, which I have not deleted because Trend Micro left it behind. I also have Yazzle Sudoku in Avast's quarantine, but I'm not sure whether to delete it permanently or not.

Should I now proceed with cleaning System Restore (safe mode) by this method- switching it off, rebooting and then switching it back on again, and then delete all System Volume Information related trojans in Avast's quarantine?

If you confirm this as the way to proceed, I will then run Kaspersky afterwards and post the scan results with a new HJT log.

Thanks.

shelf life
2006-04-19, 23:53
hi alx21,

look in add/remove programs panel for Media Tickets and uninstall if present.
delete anything in Avast's quarantine also.

update and run spyware doctor once more.
i think you will be good to make new restore points now.
turn off system restore, reboot (deletes archive)
turn on, reboot (makes new clean restore point)

rerun Kaspersky and post one more hjt........

alx21
2006-04-20, 21:57
Hi Shelf life

I have completed the instructions and the results are set out below-

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 20:45:01, on 20/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


*KASPERSKY ON-LINE SCANNER REPORT*
Thursday, April 20, 2006 8:08:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1
(Build 2600)

Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/04/2006
Kaspersky Anti-Virus database records: 177699

*Scan Settings*
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer

A:\
C:\
D:\

*Scan Statistics*
Total number of scanned objects 19253
Number of viruses found 5
Number of infected objects 7
Number of suspicious objects 2
Duration of the scan process 01:26:23


*Infected Object Name* *Virus Name* *Last Action*

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip/WinDy.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\user\.housecall\Quarantine\a.bat.bac_a03808 Infected: Trojan.WinREG.Zapchast skipped

C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808/data0002 Infected: Trojan.Win32.Scapur.k skipped

C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808 NSIS: infected - 1 skipped

C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808 CryptFF.b: infected - 1 skipped

C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

C:\WINDOWS\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped

C:\WINDOWS\system32\unirimon.exe NSIS: infected - 1 skipped

*Scan process completed.*

shelf life
2006-04-20, 23:54
hi alx21,

good. ok lets try this:

For XP: on the desktop double click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, Apply, then OK.
----------------------------------
then look for and delete these:

folder(?) called i located in C:\WINDOWS\system32 dir

unirimon.exe process in C:\WINDOWS\system32 dir

If they give you problems when deleting, reboot the computer into safe mode. You reach safe mode by tapping the F8 key during a restart. Choose the first option, Safe Mode.

OR: use HJT. Start HJT, click on "Open misc tools section", click on "Delete a file on reboot", browse for one of them, double click it. HJT will prompt you for a reboot. Then go back and do the other file the same way.

shelf life

alx21
2006-04-23, 02:00
Hi Shelf life

Sorry about the delay as I was away over the last two days, and thank you for your patience. The files 'i' and 'unirimon.exe' have now been deleted (HJT, safe mode). I also double checked to ensure that 'i' did not exist as a folder. My new Kaspersky scan results are below.

In the meantime, since Internet Explorer is Kaspersky's default scanning browser (I always use Firefox otherwise), what security measures would you recommend whilst scanning? I already have Spyware Blaster installed, and since all other anti-virus applications have to be shut down for Kaspersky's to work properly, do you reckon this is the way by which new stuff keeps coming in, e.g. the new stuff in Sys Vol Info?

Many thanks once again.


*KASPERSKY ON-LINE SCANNER REPORT*
Sunday, April 23, 2006 12:32:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1
(Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/04/2006
Kaspersky Anti-Virus database records: 178076

*Scan Settings*
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

*Scan Target* My Computer
A:\
C:\
D:\

*Scan Statistics*
Total number of scanned objects 19367
Number of viruses found 4
Number of infected objects 6
Number of suspicious objects 2
Duration of the scan process 01:25:54


*Infected Object Name* *Virus Name* *Last Action*
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip/WinDy.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\user\.housecall\Quarantine\a.bat.bac_a03808 Infected: Trojan.WinREG.Zapchast skipped

C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808/data0002 Infected: Trojan.Win32.Scapur.k skipped

C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808 NSIS: infected - 1 skipped

C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808 CryptFF.b: infected - 1 skipped

C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP2\A0000085.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped

C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP2\A0000085.exe NSIS: infected - 1 skipped

*Scan process completed.*
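
The two reports in this thread mix three kinds of hits: files still live on disk (the two under system32 in the first report), copies already sitting in another scanner's quarantine (the .housecall\Quarantine and Spybot Recovery entries) and, in the second report, a copy inside a System Restore snapshot. As an added example, not part of the original thread and not Kaspersky's code, the Python script below parses the "Infected Object Name" lines and sorts each on-disk object into one of those buckets so the live ones stand out. The quarantine path patterns are assumptions taken from the paths in these reports; the sample input is quoted from the two reports with the forum's line wrapping undone.

```python
"""Triage the "Infected Object Name" lines of a Kaspersky On-line Scanner report.

Added example, not part of the thread or of the scanner. Each hit is
sorted by where the object lives, so that copies sitting in another
scanner's quarantine or in a System Restore snapshot are not mistaken
for an active infection. The quarantine path patterns are assumptions
taken from the paths in the reports above.
"""
import re
from collections import OrderedDict

# Sample input: lines quoted from the two reports in this thread, with
# the forum's line wrapping undone.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Deskwizz1.zip/WinDy.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\user\.housecall\Quarantine\a.bat.bac_a03808 Infected: Trojan.WinREG.Zapchast skipped
C:\Documents and Settings\user\.housecall\Quarantine\YOINSI.exe.bac_a03808/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped
C:\WINDOWS\system32\unirimon.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7E470C76-8866-4C9F-81BB-C9A706E0C557}\RP2\A0000085.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped
"""

# "<path> Infected: <name> skipped" / "<path> Suspicious: <name> skipped".
# Container summaries such as "<path> NSIS: infected - 1 skipped" are
# deliberately not matched: the member line already names the file.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<name>\S+)\s+(?P<action>\S+)\s*$"
)

QUARANTINE_MARKERS = (
    "\\.housecall\\quarantine\\",             # Trend Micro HouseCall (assumed from the report)
    "spybot - search & destroy\\recovery\\",  # Spybot S&D backups (assumed from the report)
)
RESTORE_MARKER = "\\system volume information\\_restore"


def disk_path(obj):
    """'C:\\x\\a.exe/data0001' is a member inside a.exe; return the on-disk file.
    Windows paths never contain '/', so the first one starts the member name."""
    return obj.split("/", 1)[0]


def classify(path):
    """Bucket an on-disk path: system_restore, quarantine or live."""
    p = path.lower()
    if RESTORE_MARKER in p:
        return "system_restore"
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def parse_hits(report_text):
    """Return one dict (path, verdict, name, action) per matched hit line."""
    hits = []
    for line in report_text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def triage(report_text):
    """Map bucket -> ordered, de-duplicated list of on-disk files."""
    buckets = OrderedDict((k, []) for k in ("live", "quarantine", "system_restore"))
    for hit in parse_hits(report_text):
        on_disk = disk_path(hit["path"])
        bucket = buckets[classify(on_disk)]
        if on_disk not in bucket:
            bucket.append(on_disk)
    return buckets


if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(files)} file(s)")
        for f in files:
            print("   ", f)
```

Only the "live" bucket is something to delete by hand; the "quarantine" bucket belongs to the tool that put it there, and the "system_restore" bucket goes away when the old restore points are discarded, which is why the next step in this thread is to make a new restore point rather than to chase those copies.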

alx21
2006-04-23, 20:44
Hi again Shelf life

It has just occurred to me that the 'new stuff' in Sys Vol Info may actually be System Restore remakes of the last two viruses I deleted (the extension data0001 is familiar), which means Kaspersky's scan may have given me the all clear! I have posted a new HJT log below which I hope does not contain any new infections.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 19:23:07, on 23/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
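
An HJT log is read one entry at a time, and the things a reviewer checks first are targets marked "(file missing)", the O10 line reporting a broken Winsock LSP chain, services with no verified owner and any O16 ActiveX control that was downloaded from the web. As an added example, not HijackThis code and not part of the thread, the Python parser below splits the O2/O3/O4/O9/O16/O23 entries from the log above into section code, display name and on-disk target and attaches a plain flag for each of those conditions. The flag wording and the file-extension heuristic used to cut the path off its arguments are this example's own; the sample lines are quoted from the log above.

```python
"""Parse HijackThis 1.99 log entries and flag the ones a reviewer checks first.

Added example; not HijackThis code and not from the thread. It splits
O2/O3/O4/O9/O16/O23 entries into section code, display name and on-disk
target, and attaches plain-text flags for "(file missing)" targets, a
broken Winsock LSP chain (O10), services with an unknown owner and the
host an O16 ActiveX control was downloaded from. The flag wording and the
extension heuristic in target_path() are this example's own.
"""
import re
from urllib.parse import urlparse

# Sample input: lines quoted from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O10 - Broken Internet access because of LSP provider 'smnsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
# Heuristic (this example's own): an unquoted command's path ends at the
# first known executable extension; anything after it is arguments.
EXT_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|ocx|cpl|scr|com|bat|cmd))(?:\s|$)", re.I)


def target_path(cmd):
    """Recover the on-disk file from a Run/Service/BHO command string."""
    cmd = cmd.replace(MISSING, "").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    if '"' in cmd:
        # Stray closing quote with no opening one, as in the avast! O23 lines above.
        return cmd.split('"', 1)[0]
    m = EXT_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    e = {"code": code, "name": body, "target": None, "owner": None,
         "clsid": None, "url": None, "flags": []}
    if code == "O4" and (m4 := O4_RE.match(body)):
        e["name"], e["target"] = m4.group("name"), target_path(m4.group("cmd"))
    elif code == "O23" and (m23 := O23_RE.match(body)):
        e["name"], e["owner"] = m23.group("name"), m23.group("owner")
        e["target"] = target_path(m23.group("cmd"))
        if e["owner"] == "Unknown owner":
            e["flags"].append("service owner unverified")
    elif code == "O16" and (m16 := O16_RE.match(body)):
        e["name"], e["clsid"], e["url"] = m16.group("name"), m16.group("clsid"), m16.group("url")
        host = urlparse(e["url"]).hostname or e["url"]
        e["flags"].append("ActiveX control downloaded from " + host)
    elif (mc := CLSID_RE.match(body)):          # O2 BHO, O3 Toolbar, O9 Extra button
        e["name"], e["clsid"] = mc.group("name"), mc.group("clsid")
        e["target"] = target_path(mc.group("target"))
    elif code == "O10":
        e["flags"].append("Winsock LSP chain broken")
    if MISSING in line:
        e["flags"].append("target file not found")
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text):
    """Entries that carry at least one flag, in log order."""
    return [e for e in parse_log(text) if e["flags"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e["code"], e["name"], "->", e["target"] or e["url"], "|", "; ".join(e["flags"]))
```

A flag is a prompt to go and verify the entry, not a verdict: the log above carries both the O10 line and two "(file missing)" avast! services, and the reviewer in this thread still judged it clean.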

shelf life
2006-04-23, 21:29
hi alx21,

Good, that last HJT log looks OK. Don't see many people using ProcessGuard.


"...applications have to be shut down for Kaspersky's to work properly, do you reckon this is the way by which new stuff keeps coming in e.g. the new stuff in Sys Vol Info?"
No.


"...since Internet Explorer is the Kaspersky's default scanning browser (I always use Firefox otherwise), what security measures would you recommend whilst scanning"
I think you will be OK to disable your resident AV, scan, then re-enable it.

I think you can make new restore points now. Here is some reference material for you:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Make sure you understand what it is you will be downloading and installing to your computer. Visit the maker's website and learn more about the program. Does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits? Read the EULA, you know, that paragraph of stuff you "agree to" before the software installs. If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE?

Make sure you keep your Windows OS current by visiting Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionally to download and install any critical updates and service packs. Without these you are leaving the back door open.

Adjust your browser settings: change your ActiveX settings in IE. With IE open go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option "Download signed ActiveX controls" to Prompt, and the next two to Disable. Read more:
Internet Explorer Privacy & Security Settings (https://netfiles.uiuc.edu/ehowes/www/btw/ie/ie-opts.htm)
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser. You can have and use more than one browser on your computer.
Like Firefox (http://www.mozilla.org/products/firefox/).


Install a firewall: A firewall will control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when an application tries to connect to the internet from your computer; this is a good way to catch crapware or trojans trying to connect outbound from your computer. What's that, and why does it need an internet connection? You can deny it access until more investigation is done. Zone Alarm is a free and easy to use firewall that will provide in- and outbound protection. The Microsoft XP firewall only provides inbound protection. SP2 adds in- and outbound protection, which is better than nothing, but is not as robust as third party firewalls. Be sure to run only >one< firewall. If you use another, be sure to disable XP's built in firewall. If you use Zone Alarm, learn what needs/uses your internet connection. If something unusual or out of the ordinary "asks", deny it access until more investigation is done.
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass)
OutPost Lite (http://www.agnitum.com/products/outpostfree/download.php)

Outlook Express with the default settings is not secure. It will run scripts, download images etc., just like a browser. You don't have to use it.
look here (http://www.codecutters.org/outlook/)
and here (http://www.tames.net/security/oesettings.htm)
Or try Pegasus Mail, safer by default, no tweaking needed. (http://www.pmail.com/)

Make sure you have and keep updated antivirus software.
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)

Download one or two of these, install and update before using (if these are constantly finding malware, then you need to make changes to your browser and/or your habits):
CounterSpy (http://www.sunbelt-software.com/) Free trial version
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Be careful with spyware "removers and scanners" -- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware. Check here first.

Anti-trojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Anti-Malware (http://www.ewido.net/en/)
Trojan Hunter (30 day trial version) (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stops events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) adds security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
CleanUp (http://www.stevengould.org/software/CleanUp/index.html) cleans out temp files,history, autoforms etc
ATF cleaner (W2K,XP only) (http://www.atribune.org/content/view/25/2/) cleans out temp files, history etc

Learn More:
Browser Checkup (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Lifes page (http://security-central.us/SafeHex/index.htm)
Home Computer Security (http://www.cert.org/homeusers/HomeComputerSecurity/)

alx21
2006-04-24, 20:27
Hi Shelf life

I have now restored a new point. Process Guard, I guess, can be a tricky application, but for me, so far, so good. Overall, this malware removal exercise has been a great learning experience, and not only do I have a clean HJT log to use as a benchmark for suspicious applications, but I have also learnt the importance of seeking advice before deleting anything.

Your guidance has been priceless. Thank you so much!

shelf life
2006-04-24, 23:22
hi alx21,

glad to help. happy safe surfing out there.