HJT Log for Tashi

baja463

New member
Tashi: At your request, I ran the Trend Micro AV online scanner, which detected five files of grayware/spyware. I did NOT run Spybot 1.4 again, as I felt there is nothing to be gained (you have seen the log), and it takes too long. Finally, here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:52:59 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\sMaRTcaPs\SmartCaps.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\KeePass Password Safe\KeePass.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\William Anton\My Documents\Backups\Installed Software\Security\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com"); (C:\Documents and Settings\William Anton\Application Data\Mozilla\Profiles\default\wc4k9rv9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\William Anton\Application Data\Mozilla\Profiles\default\wc4k9rv9.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Please let me know if I can provide anything else.

Hope this helps,
Bill A
 
Hi baja463

Please re-enable these items
Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll
Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll
Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll
Located: WinLogon, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll
Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll
Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Then restart your PC
How did that go?

I ran Spybot 1.4 (all updates) to completion last night. The total runtime was over 3 hours for 34177 files with 1 problem (Pipas.A) found on my machine. Interestingly, Spybot reported the runtime as 18:38 (in the lower left corner of the run screen).
Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the "I accept" button near the bottom of that page.
Download and run Blacklight: click Scan, then Next, Next again, then Exit.
There will be a new .txt file next to Blacklight. Post it please.
!!Do not rename any files yet
 
Lonny: I have re-enabled those items. Unable to discern any real difference from having them active or disabled, though.

Ran Blacklight and found three items. One is innocuous (wbemtest from Win Server 2003 Guided Tour) -- I'm not familiar with the other two. Posted the BL log.

Many thanks for your help!

Regards,
Bill A

 
Next:
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items (if there):

If you see a new item that wasn't in your last log in your O4 lines in HijackThis, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If you're not sure, leave it and only check the ones I asked you to check.
===========================================================
Click Fix Checked. Close HijackThis, and click OK to proceed.

Finally, please post the contents of report.txt (it should open), along with a new HijackThis log.
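The check Lonny describes above, comparing the O4 (autostart) lines of a new HijackThis log against the earlier clean one and flagging new entries whose executable name has the dm***/hg***/cs*** shape, can be automated. The following is an added example written for this thread; it is not code from HijackThis, FixWareout or the posters. The baseline lines are the three O4 entries from the log posted earlier in the thread; the three "new" entries are constructed for the demonstration (the letters after dm/hg are invented placeholders, and the assumption that exactly three random letters follow the prefix is mine, based on the examples in the post).

```python
import re
from typing import Dict, Iterable, List, Tuple

# The three O4 lines from the clean log posted earlier in this thread.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""

# Constructed "after" log: the same three entries plus three invented autostarts
# shaped like the ones the helper asked to look for (dm***, hg***, cs***).
# The letter sequences abc/xyz are placeholders, not real file names.
CURRENT_LOG = BASELINE_LOG + r"""
O4 - HKLM\..\Run: [dmabc.exe] C:\WINDOWS\system32\dmabc.exe
O4 - HKLM\..\Run: [hgxyz.exe] C:\Windows\System32\hgxyz.exe
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# An O4 line as HijackThis prints it:
#   O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w ]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# First .exe token in the command with surrounding quotes/directories stripped.
EXE_RE = re.compile(r'([^\\\s"]+\.exe)', re.IGNORECASE)

# Name shape from the post: a two-letter prefix (dm, hg, cs) followed by random
# letters.  Three letters is an assumption taken from the examples given.
WAREOUT_NAME_RE = re.compile(r'^(dm|hg|cs)[a-z]{3}\.exe$', re.IGNORECASE)


def parse_o4(log_text: str) -> Dict[str, str]:
    """Return {run-key value name: command} for every O4 line in an HJT log."""
    entries: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[m.group('name')] = m.group('cmd')
    return entries


def exe_name(cmd: str) -> str:
    """Lower-cased executable file name from a Run value's command string."""
    m = EXE_RE.search(cmd)
    return m.group(1).lower() if m else ''


def new_autostarts(baseline: str, current: str) -> List[Tuple[str, str]]:
    """O4 entries present in the current log but absent from the earlier clean one."""
    old = parse_o4(baseline)
    return [(name, cmd) for name, cmd in parse_o4(current).items() if name not in old]


def flag_wareout_style(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Executable names among (name, cmd) pairs that match the dm/hg/cs pattern."""
    flagged = []
    for _name, cmd in entries:
        exe = exe_name(cmd)
        if WAREOUT_NAME_RE.match(exe):
            flagged.append(exe)
    return flagged


if __name__ == '__main__':
    added = new_autostarts(BASELINE_LOG, CURRENT_LOG)
    for name, cmd in added:
        print(f'new O4 entry: [{name}] {cmd}')
    for exe in flag_wareout_style(added):
        print(f'matches the random-name pattern, review before fixing: {exe}')
```

Entries that are new but do not match the pattern are still listed, which mirrors the advice in the post: anything unfamiliar is worth a look, but only the ones that fit the described shape get the explicit warning.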
 
Done.

Thank you for your help,
Bill A
 
Success -- Kudos to Lonny & Tashi!

Lonny, Tashi:

FYI ... After completing Lonny's fixes (above), I ran Spybot to completion in just 9 minutes, with no detected problems.

You guys know your business.

Many thanks for your skilled treatment of this problem.

A clean machine is a happy machine! :bigthumb:

Best Regards,
Bill A
 
Those logs look fine

But do a file search for encodex.exe in the system32 folder and let me know if it's there please.

Did you already delete these?
C:\WINDOWS\SYSTEM32\cszeu.exe
C:\WINDOWS\SYSTEM32\filesafer23.exe
 
Lonny: encodex.exe not found in system32.

No, I didn't delete those two files. And, I just reran BL and it didn't find anything.

Let me know if you want me to provide more info - and thanks again.

-Bill A
 
Go ahead and delete, if they are still on the pc
C:\WINDOWS\SYSTEM32\cszeu.exe.ren
C:\WINDOWS\SYSTEM32\filesafer23.exe.ren

Are there any current problems?
 
Found neither file. Everything seems to be working well -- no apparent problems.

Thanks,
Bill A
 
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.
 