1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

I have been infected!! HJT file included.

Discussion in 'Windows XP' started by lranger2, May 20, 2007.

Thread Status:
Not open for further replies.
  1. lranger2

    lranger2 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    20
    My firewall stopped SVC Host from connecting outbound. The report read that something had commanded it to connect and was closing that application.

    When I cleaned out my offline files and history, all of my cookies except four were also gone. I have my machine set to where it only allows the cookies I accept, and never erase them.

    I ran Spybot and get this as a threat: Win32.Agent.pz path:C:\windows\system32\wnspoem\.

    Shortly after this threat appears on the screen, but before the scan is complete, the computer will shut off and will not restart until I unplug it.

    The same happens when I run AVG, except I don't get an error before the system shuts down. NOD32 comes up clean.

    I restored to a known good point, and at least I can boot up, where as before it would boot, shut down and reboot continiously.

    All of my saved login names and passwords are also missing and have to be re-entered.

    The system runs great until I try to scan.

    Here is my log. All help is greatly appreciated.


    Logfile of HijackThis v1.99.1
    Scan saved at 2:54:15 AM, on 5/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&gl=us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk.disabled
    O4 - Global Startup: QuickBooks Update Agent.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://install.charter.com/diskless/bin/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124125262062
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/activex/HMAtchmt.ocx
    O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - C:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. lranger2

    lranger2 Thread Starter

    Joined:
    Oct 7, 2006
    Messages:
    20
    I finally got SpyBot to run an entire session and removed the only thing it found. Could someone please look at my HJT and tell me if everything is OK before I start entering usernames and passwords again.

    I need to pay some bills, but don't won't my information hijacked.

    Thanks all. When I am sure this thing is safe I definitely will donate.
     
  3. redoak

    redoak Gone but never forgotten

    Joined:
    Jun 24, 2004
    Messages:
    6,782
    Click the red bordered triangle in the upper right corner of the Thread window. That will allow you to send a message to a Moderator. Ask for an authorized "HJT" person to look at your log. Only those with a 'gold shield' to the right of their name/moniker are authorized to analyze a "HJT" log.
    {redoak}
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/575313

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice