
Hjt Log

Discussion in 'Virus & Other Malware Removal' started by yasmeen143, Jul 14, 2006.

Thread Status:
Not open for further replies.
  1. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    HJT LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:55 AM, on 14/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ACS.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {23AF36E1-FBA1-0FEB-E0F8-25DD2BF368BF} - C:\DOCUME~1\NARGIS~1\APPLIC~1\DEBUGK~1\helploud.exe (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133745951125
    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://vchat.evoicechat.com/talk.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136604120734
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssiPictureUploader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
    O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
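The log above is a plain-text HijackThis dump, and the entries a reviewer pulls out of it are picked by a handful of textual tells: "(file missing)", "(no file)", "(no name)", code that auto-loads from a user profile directory, and an R0 Local Page that has been changed from stock. The Python below is an added triage pass over that format; it is not HijackThis code and not anything from the thread. The heuristics are my own, the sample log is a constructed subset of the entries posted, and the assumption that XP's stock Local Page is `%SystemRoot%\system32\blank.htm` is mine, not the page's. Note that "(file missing)" on O20/O23 entries usually means an uninstalled product left its registration behind, not an infection, which is why a human reviewer does not ask for every flagged line to be fixed.

```python
"""Triage of HijackThis (v1.99) log entries: flag the lines a reviewer would look at first."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {23AF36E1-FBA1-0FEB-E0F8-25DD2BF368BF} - C:\DOCUME~1\NARGIS~1\APPLIC~1\DEBUGK~1\helploud.exe (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
"""

# "Rnn - body" / "Onn - body" as HijackThis prints them; process listings do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Per-user profile directories on XP, in both 8.3 and long form.
USER_PROFILE_RE = re.compile(
    r"\\(DOCUME~1|Documents and Settings|APPLIC~1|Application Data|Local Settings)\\", re.I)
# Sections whose targets load automatically: browser add-ons, Run keys, Winlogon hooks, services.
AUTOLOAD_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def triage_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, blanks and 'Running processes' paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    entry = Entry(section, body, clsid.group(0) if clsid else None)
    if "(file missing)" in body:
        entry.flags.append("registered target is no longer on disk")
    if "(no file)" in body:
        entry.flags.append("registration carries no file at all")
    if "(no name)" in body:
        entry.flags.append("component registered without a display name")
    if section in AUTOLOAD_SECTIONS and USER_PROFILE_RE.search(body):
        entry.flags.append("auto-loaded code lives under a user profile, not Program Files/system32")
    if section == "O2" and re.search(r"\.exe\b", body, re.I):
        entry.flags.append("BHO target is an .exe; BHOs are in-process DLL/OCX servers")
    if section in ("R0", "R1") and "Local Page" in body:
        value = body.split("=", 1)[1].strip()
        # Assumption (mine): XP's stock Local Page is %SystemRoot%\system32\blank.htm.
        if not re.search(r"\\system32\\blank\.htm$", value, re.I):
            entry.flags.append("Local Page points somewhere other than the stock blank.htm")
    return entry


def triage(log_text: str) -> List[Entry]:
    return [e for e in map(triage_line, log_text.splitlines()) if e is not None]


def flagged(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.suspicious]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.section, e.clsid or "-", "|", "; ".join(e.flags))
```

Run against the sample, the pass flags the same R0 Local Page, no-name O2 BHO and no-name O3 toolbar that the reply below asks to fix, plus the two "(file missing)" O20/O23 leftovers; the O16 WinAmp entry carries none of these tells and has to be judged on its own.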
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Hi, welcome to TSG.


    Have HijackThis fix these entries. Close all browsers and programmes before
    clicking FIX.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O2 - BHO: (no name) - {23AF36E1-FBA1-0FEB-E0F8-25DD2BF368BF} - C:\DOCUME~1\NARGIS~1\APPLIC~1\DEBUGK~1\helploud.exe (file missing)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab



    You don't appear to have a firewall. Even if you have a router you still need
    a software firewall; download the one from the link below!


    Filseclab Personal Firewall Professional Edition


    http://www.filseclab.com/eng/download/downloads.htm

    http://www.download.com/Filseclab-Pe...8.html?tag=dir


    Use this site to configure Filseclab; see page 7 and post 165 of that thread!

    http://www.wilderssecurity.com/showthread.php?t=92710


    Use this site's Shields Up to test Filseclab and see if it is stealthing; some rules may have to be changed to "out" to pass the tests!

    http://grc.com/





    Here are some free tools to keep you from getting infected in the future.


    To stop reinfection, get SpywareBlaster from


    http://www.javacoolsoftware.com/downloads.html


    Get the hosts file from here. Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    Put it into the folder for your version of Windows, or click the MVPS .bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    IE-SPYAD puts over 5000 sites in your Restricted zone so you'll be protected
    when you visit innocent-looking sites that aren't actually innocent at all.


    http://www.spywarewarrior.com/uiuc/resource.htm


    Arovax shield: stop your computer from being hijacked!

    http://www.arovaxshield.com/


    WinPatrol protects your computer from hijackers!


    http://www.winpatrol.com/winpatrol.html



    Use Spybot's Immunize button and SpywareBlaster's Enable Protection
    once you update it. You can put Spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's Firefox browser; it's safer, has
    a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    You can mark your own thread solved through Thread Tools at the top of
    the page.
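The hosts-file advice above (drop the MVPS file into `DRIVERS\ETC`, or merge Spybot's entries into your own and lock it) has a catch worth making explicit: a hosts file is itself a redirect mechanism, so a blocklist from the wrong source can hijack `update` or `login` hostnames just as easily as it sinks ad servers. The Python below is an added example, not MVPS, Spybot or forum code; it merges a blocklist into an existing hosts file while refusing any line that maps a name to something other than a loopback or null address, skipping names already present (case-insensitively), and rejecting malformed addresses. Both hosts files are constructed samples using the reserved `.test` TLD; the function returns the merged text rather than writing to the system path, which is listed only for reference.

```python
"""Merge a blocklist-style HOSTS file into an existing one without letting it redirect anything."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Where each Windows version reads its HOSTS file (paths as given in the post above).
HOSTS_PATHS = {
    "Windows XP": r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts",
    "Windows 2000": r"C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts",
    "Windows 98/ME": r"C:\WINDOWS\hosts",
}

# A blocklist may only sink names to loopback/null; anything else is a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}

HOSTS_LINE_RE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")

# Constructed samples (the .test TLD is reserved, so these names never resolve for real).
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
"""

BLOCKLIST = """\
# Constructed sample in the style of a blocklist HOSTS file
127.0.0.1 localhost
127.0.0.1 ad.example-adserver.test
127.0.0.1 tracker.example-counter.test stats.example-counter.test
10.1.2.3  update.example-vendor.test   # redirect, not a sink: reject
127.0.0.1 AD.EXAMPLE-ADSERVER.TEST     # duplicate (case-insensitive): skip
999.1.1.1 broken.example.test          # malformed address: reject
"""


def parse_hosts(text: str) -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Return (entries, bad_lines); comments and blank lines are skipped."""
    entries, bad = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        try:
            ipaddress.IPv4Address(m.group("ip"))   # rejects e.g. 999.1.1.1
        except ipaddress.AddressValueError:
            bad.append(line)
            continue
        entries.append((m.group("ip"), m.group("names").split()))
    return entries, bad


def merge_hosts(existing_text: str, blocklist_text: str) -> Tuple[str, List[str]]:
    """Append new sink entries from the blocklist; return (merged_text, rejected_lines)."""
    existing, bad_existing = parse_hosts(existing_text)
    if bad_existing:
        raise ValueError(f"existing hosts file has malformed lines: {bad_existing}")
    known: Dict[str, str] = {}          # hostname (lower-cased) -> address already mapped
    for ip, names in existing:
        for name in names:
            known.setdefault(name.lower(), ip)

    incoming, rejected = parse_hosts(blocklist_text)
    added: List[str] = []
    for ip, names in incoming:
        if ip not in SINK_ADDRESSES:
            # A hosts file can hijack too: refuse anything that is not a sink.
            rejected.append(f"{ip} {' '.join(names)}")
            continue
        new_names = [n for n in names if n.lower() not in known]
        if not new_names:
            continue                    # already mapped, e.g. localhost or a repeat
        for n in new_names:
            known[n.lower()] = ip
        added.append(f"{ip} {' '.join(new_names)}")

    merged = existing_text.rstrip("\n") + "\n\n# --- merged blocklist entries ---\n"
    merged += "\n".join(added) + "\n"
    return merged, rejected


if __name__ == "__main__":
    text, bad = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    print(f"would write to {HOSTS_PATHS['Windows XP']}:\n{text}")
    print("rejected:", bad)
```

Running it a second time over its own output adds nothing, so the merge is safe to repeat after each blocklist update; if you set the file read-only ("lock it", as Spybot offers), clear that bit before merging and set it again afterwards.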
     
  3. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    Thanks a lot for the reply, but I'm stuck with this Filseclab... well, in that forum it says that

    (2) Go to Shields Up! or the Sygate scan site (your choice)
    (3) Run the port scan

    Well, I did the second one, but I couldn't find any port scan anywhere for 3. Does it mean it's in Filseclab or the internet page that it says in 2???
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    On grc.com you go to Shields Up and click on All Service Ports!
     
  5. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    Oh, thanks dear... well, about my firewall, you were right, it was somehow off, so I turned it back on. And I didn't download Filseclab since I have a firewall, and I did the test; the result is as follows:

    GRC Port Authority Report created on UTC: 2006-07-15 at 15:30:09

    Results from scan of ports: 0-1055

    0 Ports Open
    1 Ports Closed
    1055 Ports Stealth
    ---------------------
    1056 Ports Tested

    NO PORTS were found to be OPEN.

    The port found to be CLOSED was: 113

    Other than what is listed above, all ports are STEALTH.

    TruStealth: FAILED - NOT all tested ports were STEALTH,
    - NO unsolicited packets were received,
    - A PING REPLY (ICMP Echo) WAS RECEIVED.
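The ShieldsUp summary above is easy to misread: "NO PORTS were found to be OPEN" is the line that matters for exposure, while the TruStealth failure is about disclosure only. A port reported CLOSED answered the probe with a TCP reset, and an ICMP echo reply does the same job; both prove there is a live host at the address without exposing any service. Port 113 is the ident/auth port, which firewalls and routers commonly reject rather than silently drop so that mail and IRC servers doing ident lookups do not stall on a timeout. The Python below is an added example that parses this report format and spells out why a TruStealth verdict failed; it is not GRC code, the report text is the one posted above, and the small port-name table is my own addition.

```python
"""Interpret a GRC ShieldsUp 'Port Authority Report' and explain its TruStealth verdict."""
import re
from dataclasses import dataclass, field
from typing import List

# The report text as posted above (ShieldsUp's plain-text summary format).
REPORT = """\
GRC Port Authority Report created on UTC: 2006-07-15 at 15:30:09

Results from scan of ports: 0-1055

    0 Ports Open
    1 Ports Closed
 1055 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
  - NO unsolicited packets were received,
  - A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

# Assumption (mine): a few well-known service names, only to make the verdict readable.
PORT_NAMES = {113: "ident/auth", 135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}


@dataclass
class Verdict:
    open_ports: List[int] = field(default_factory=list)
    closed_ports: List[int] = field(default_factory=list)
    stealth_count: int = 0
    tested_count: int = 0
    ping_reply: bool = False
    unsolicited: bool = False

    @property
    def trustealth(self) -> bool:
        # ShieldsUp's bar: every port silent, no ICMP echo reply, nothing unsolicited.
        return not (self.open_ports or self.closed_ports or self.ping_reply or self.unsolicited)

    def reasons(self) -> List[str]:
        """Human-readable list of everything that kept the host from TruStealth."""
        out = []
        for p in self.open_ports:
            out.append(f"port {p} ({PORT_NAMES.get(p, 'unknown')}) is OPEN: a service accepted the probe")
        for p in self.closed_ports:
            out.append(f"port {p} ({PORT_NAMES.get(p, 'unknown')}) is CLOSED: host answered with a reset, "
                       "proving it exists")
        if self.ping_reply:
            out.append("host answers ICMP echo, so it is visibly present")
        if self.unsolicited:
            out.append("unsolicited packets reached the scanner")
        return out


def _ports(report: str, state: str) -> List[int]:
    """Ports listed after 'found to be OPEN/CLOSED was:/were:'; empty when none were."""
    m = re.search(rf"found to be {state} (?:was|were):\s*([\d, ]+)", report)
    return [int(x) for x in re.findall(r"\d+", m.group(1))] if m else []


def parse_report(report: str) -> Verdict:
    v = Verdict(open_ports=_ports(report, "OPEN"), closed_ports=_ports(report, "CLOSED"))
    m = re.search(r"(\d+) Ports Stealth", report)
    v.stealth_count = int(m.group(1)) if m else 0
    m = re.search(r"(\d+) Ports Tested", report)
    v.tested_count = int(m.group(1)) if m else 0
    # The negative forms read "NO PING REPLY ..." and "NO unsolicited packets ...".
    v.ping_reply = "PING REPLY" in report and "NO PING REPLY" not in report
    v.unsolicited = "unsolicited packets" in report and "NO unsolicited packets" not in report
    return v


if __name__ == "__main__":
    verdict = parse_report(REPORT)
    print("TruStealth:", "PASSED" if verdict.trustealth else "FAILED")
    for reason in verdict.reasons():
        print(" -", reason)
```

For the report posted above this yields two reasons, the reset on 113 and the echo reply; neither is an open service, which is the distinction that matters when deciding whether a failed TruStealth is worth chasing with firewall rule changes.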
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    what firewall do you have?
     
  7. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    Windows Firewall....

    I don't know what's wrong with it. Like, last night I turned the firewall ON and it showed "Firewalled" beside the connection; now even when it's ON it doesn't show whether it's firewalled or not. But I can check in Properties that it is ON...
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Windows Firewall isn't good enough as it only blocks incoming; you need a software firewall that can control outgoing.

    That's why I asked you to install Filseclab; once you do, if you do, you should disable Windows Firewall!
     
  9. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    I'm stuck on

    (5) Check the rule(s) that allowed port(s) - change the direction of the rule(s) to "Out"

    OK, I don't know how to change the rules to "Out"????
     
  10. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
  11. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    I know that's what it says on p. 7, post 165 of that site, but I didn't get it, like how can I change it to out???? u don't really know anything about that stuff. Thanks for it anyways.
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Excuse me! You should follow the instructions; try and read them!

    I have had dozens of people follow these instructions without any problems, but if it is too much for you, you should consider calling it a day or take your computer back to the store and tell them you ain't up to having a computer!


    Now, if you find the rule for port 13 then you should be able to change it to "out" by either highlighting the rule or right clicking it. I have not had filseclab on my computer for a while and I am not going to uninstall Jetico to install filseclab for something which I know a child can do!


    This firewall is quite good for beginners but appears too advanced even for you?



    (4) After the scan is concluded, check the Monitor page. You should have an entry for each port scanned, including whether the port was allowed/denied and the Filseclab rule that was invoked
    (5) Check the rule(s) that allowed port(s) - change the direction of the rule(s) to "Out"
     
  13. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
    Thanks a lot man, lol, you're so mad. Well, I'm sorry, I didn't mean to write "u" in that post, I meant "I" don't really know anything about that stuff... But I don't know, I tried to change it to out, even by right-clicking on it, and it didn't give me the option to change it to out.. I'm sorry if I said anything wrong. I will give it another try... thanks
     
  14. yasmeen143

    yasmeen143 Thread Starter

    Joined:
    Jan 1, 2006
    Messages:
    138
  15. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Yes, that's it!
     

Short URL to this thread: https://techguy.org/483078