
HijackThis log - Please help

Discussion in 'Virus & Other Malware Removal' started by ZecaU, Sep 17, 2003.

Thread Status:
Not open for further replies.
  1. ZecaU

    ZecaU Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    10
    Hi,

    I have problems with my computer.

    Here's my hijackthis log - please help if you can.

    thanks,
    Zeca

    Logfile of HijackThis v1.97.2
    Scan saved at 21:04:11, on 17.9.2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Save\Save.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Opera7\opera.exe
    C:\Program Files\wincmd\WINCMD32.EXE
    C:\DOCUME~1\URIDIUM\LOCALS~1\Temp\$wc\HIJACK~1.EXE

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5CB94F8C-97F9-4196-9FFE-8DD09E5494B9}: NameServer = 217.26.64.130 217.26.64.131
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Welcome to TSG, ZecaU

    Go to Start | Control Panel | Add/Remove programs
    See if you can find Save
    Click Remove

    Don't worry if you can't find it, it doesn't always have an uninstaller.

    Restart HijackThis and put a check mark against the following:

    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

    Click Fix Checked

    Restart your computer

    Go to C:\Program Files, find, right-click and delete the Save folder

    If Verat is not your ISP, add the following to the items to be checked

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5CB94F8C-97F9-4196-9FFE-8DD09E5494B9}: NameServer = 217.26.64.130 217.26.64.131
     
  3. ZecaU

    ZecaU Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    10
    Thanks!

    I did it, and here is my new HijackThis log (Verat is my ISP).

    But I still have problems. When I open Outlook Express or some other M$ program the computer tries to install Windows XP???

    zeca

    Logfile of HijackThis v1.97.2
    Scan saved at 22:46:19, on 17.9.2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\URIDIUM\Local Settings\Temp\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
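
One way to confirm that the fix took effect and to see what else changed between the two scans, as an added example that is not part of the original thread: a small parser that diffs two HijackThis logs. The function names are hypothetical, and the sample input is an excerpt of the two logs posted above, trimmed for brevity.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] command" (section code, dash, detail).
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*\S)$")

def parse_log(text):
    """Return (processes, entries) parsed from a HijackThis v1.x log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            # Windows paths are case-insensitive; 8.3 short names are not expanded.
            processes.add(line.lower())
    return processes, entries

def diff_logs(before, after):
    """Report what disappeared or appeared between two scans."""
    bp, be = parse_log(before)
    ap, ae = parse_log(after)
    return {"entries_removed": sorted(be - ae), "entries_added": sorted(ae - be),
            "processes_gone": sorted(bp - ap), "processes_new": sorted(ap - bp)}

# Excerpts of the two logs posted in this thread (trimmed, not the full logs).
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Save\Save.exe
C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CB94F8C-97F9-4196-9FFE-8DD09E5494B9}: NameServer = 217.26.64.130 217.26.64.131
"""
AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

if __name__ == "__main__":
    for key, items in diff_logs(BEFORE, AFTER).items():
        print(key, items)
```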
     
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    What is the exact error message?
     
  5. ZecaU

    ZecaU Thread Starter

    Joined:
    Sep 17, 2003
    Messages:
    10
    I think it's all right now... I've restored system to yesterday, removed 'save' again and run antivirus and I don't experience any more problems

    thanks a lot
    zeca
     

Short URL to this thread: https://techguy.org/165457
