
LSASS and svchost

Discussion in 'Windows XP' started by gyurika, Apr 25, 2004.

  1. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    Hi,
    At the exact moment I clicked on Norton "stop scan", for some unexplained reason (I have a UPS) the power cut off for a moment. The computer restarted on its own, but could not finish loading the startup programs. I managed to uninstall Norton, which I suspected was hanging it, so now it finishes loading. The problem is that lsass.exe runs with 65% CPU usage in Task Manager, and svchost.exe with the remaining 35%. Since lsass cannot be stopped I end svchost.exe, and then lsass goes to zero on its own, I guess because it is not being hosted anymore. So I believe something is corrupt in what lsass wants to do. Could I fix it short of reinstalling Windows (XP Pro)? Another strange thing was that for the first time in history GoBack initially did not help; upon reboot it was already running in this 100% mode and the GoBack recovery window would not load...
    Will appreciate any help... thanks.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,458
    Hi and welcome to TSG,

    Please post a Hijack This log for the experts to review.

    Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to its own folder (not temporary files or the desktop).

    Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

    DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.


    Cookie
     
  3. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:42 AM, on 4/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\WINDOWS\System32\RevoTask.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\WinPortrait\floater.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\PROGRA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\ShortCuts\ShortCut.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\Program Files\MailWasher Pro\MailWasher.exe
    E:\Downloadhere\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: CookieCop3 - {D7EEF1C5-B053-4a70-B378-3462074D3226} - C:\Program Files\PC Magazine Utilities\CookieCop\CookieHlpr.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINDOWS\System32\RevoTask.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AudioCommander] C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe /tray
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: ShortCut.lnk = C:\Program Files\ShortCuts\ShortCut.exe
    O4 - Global Startup: 3Com Connection Assistant.lnk = C:\Program Files\3com\Connection Assistant\bin\matcli.exe
    O4 - Global Startup: Font Reserve Startup.lnk = C:\Program Files\Font Reserve\FontReserve.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {13A6F8EA-E2D0-40EE-B7CF-ECE5600F18B4} (SightSpeed_Check.System_Test) - https://www.sightspeed.com/files/SightSpeed_Check.CAB
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

    Hope this is it, and thanks.
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,458
    You do have a few issues in the log. You mentioned failure with Goback. Did you also try a system restore to an earlier restore point when everything was working fine?

    Cookie
     
  5. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    No - that service is redundant with GoBack running, so I have it disabled. (That is only registry; GoBack is full everything...)
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,458
    Please download and run the following programs.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on -------ON=GREEN

    From main window: Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

    Restart your computer

    Download and run: SPYBOT SEARCH & DESTROY, here:

    http://download.com.com/3000-2144-1...tml?tag=lst-0-1

    Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems'', Put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click ''Fix Selected Problems'' , Then restart your computer.

    Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

    http://www.javacoolsoftware.com/spywareblaster.html

    Then do a couple of on-line virus scans, i.e.

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/activescan/

    This is just a start, there will be more to do. Please post another log afterwards.

    Cookie
     
  7. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    I appreciate that. I am running these regularly. The problem stems from a power failure corruption as far as I can tell, and not malware. The culprit is somewhere with lsass... that developed from the blackout corrupting something. Have to run to work now - will be back, please keep on...
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,458
    C:\WINDOWS\svchost.exe in your running processes indicates that you have or had a virus. It should not be running from C:\Windows. The valid svchost.exe runs from System32. Spybot may have taken care of it but you still need to delete the file from your hard drive.

    So it does look like there are still some security issues here, even if you feel the current problem was related to a blackout.

    There are several entries related to PopNav in the log as well.

    Run Hijack This again and have it fix these entries :

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html

    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe


    You will need to boot into safe mode and delete these files:

    C:\WINDOWS\svchost.exe BE CAREFUL NOT TO DELETE THE VALID SVCHOST.EXE WHICH RUNS IN SYSTEM 32

    Srng.exe


    These files may be hidden, so click on My Computer - View - Folder Options. Click on the View tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder", then click "Apply", then "OK".

    Then post another log please

    Cookie
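
Added example (not part of the thread, not Cookiegal's or HijackThis's code): the two checks above, automated over a HijackThis log. A core Windows XP binary such as svchost.exe or lsass.exe legitimately runs only from %SystemRoot%\System32, so the same file name under C:\WINDOWS is a masquerade candidate; and an O4 Run entry whose image is not an absolute path (a bare file name resolved through the search path, or a drive-relative path like the srng entry) hides where the program really lives. The sample log is a trimmed excerpt of the first log posted in this thread. The function names and the SYSTEM32_ONLY list are my own choices; the list is deliberately short and the autorun check flags entries for review, not as verdicts (the nForce tray entry is legitimate but is registered the same way).

```python
import re

# Core Windows XP binaries that legitimately run only from %SystemRoot%\System32.
# (Assumed list for this example; extend as needed.)
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Trimmed excerpt of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Downloadhere\Hijack\HijackThis.exe

O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def running_processes(log):
    """Return the image paths listed under 'Running processes:' (block ends at a blank line)."""
    paths, in_block = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_block = True
            continue
        if in_block:
            if not line:
                break
            paths.append(line)
    return paths


def masquerading_system_binaries(paths):
    """Core binaries whose directory is anything other than ...\\System32."""
    flagged = []
    for path in paths:
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
            flagged.append(path)
    return flagged


O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
ABSOLUTE = re.compile(r"^[A-Za-z]:\\")


def image_from_command(cmd):
    """Recover the executable from a Run value: honour quotes, drop trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: the image ends at the first ' /x' or ' -x' switch token.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def questionable_autoruns(log):
    """O4 Run entries whose image is not an absolute path, with the reason.

    A bare file name is found through the search path; a path starting with
    a backslash is relative to the current drive. Either way the log does not
    tell you where the binary actually is, which is how the srng entry hides.
    """
    flagged = []
    for raw in log.splitlines():
        m = O4_RUN.match(raw.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        image = image_from_command(cmd)
        if ABSOLUTE.match(image):
            continue
        reason = ("drive-relative path" if image.startswith("\\")
                  else "bare file name, resolved via search path")
        flagged.append((hive, name, image, reason))
    return flagged


if __name__ == "__main__":
    for p in masquerading_system_binaries(running_processes(SAMPLE_LOG)):
        print("masquerade candidate:", p)
    for hive, name, image, reason in questionable_autoruns(SAMPLE_LOG):
        print(f"review autorun [{hive}] {name}: {image} ({reason})")
```

Run against the excerpt it reports C:\WINDOWS\svchost.exe as the only masquerade candidate and lists the nForce Tray Options and srng entries for review. Note the path check is a location heuristic only: on a real box you would also compare the file's hash or signature against a known-good copy, since a legitimately named, legitimately located binary can still be replaced.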
     
  9. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    Logfile of HijackThis v1.97.7
    Scan saved at 1:23:16 AM, on 4/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\WINDOWS\System32\RevoTask.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\WinPortrait\floater.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\PROGRA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\ShortCuts\ShortCut.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Downloadhere\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: CookieCop3 - {D7EEF1C5-B053-4a70-B378-3462074D3226} - C:\Program Files\PC Magazine Utilities\CookieCop\CookieHlpr.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINDOWS\System32\RevoTask.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AudioCommander] C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe /tray
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: ShortCut.lnk = C:\Program Files\ShortCuts\ShortCut.exe
    O4 - Global Startup: 3Com Connection Assistant.lnk = C:\Program Files\3com\Connection Assistant\bin\matcli.exe
    O4 - Global Startup: Font Reserve Startup.lnk = C:\Program Files\Font Reserve\FontReserve.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {13A6F8EA-E2D0-40EE-B7CF-ECE5600F18B4} (SightSpeed_Check.System_Test) - https://www.sightspeed.com/files/SightSpeed_Check.CAB
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
     
  10. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    Hi Cookie,
    All the HijackThis logs you have seen so far were made after I had stopped the offending svchost.exe process. Before going to bed (2 AM) I started an Ad-Aware scan without killing this process, and it appears that in 3.5 hours it did a scan. I could see nothing, but you have been proven to see more, so I am sending it. I also did a RegMechanic repair. I am sorry if I may have sounded harsh earlier; this srng gets on my computer about every week, I have tried everything but can't prevent it from getting there, so about once a week I get rid of these things. That's what I meant by having it under control. The offending svchost in Windows had a log file next to it that contained mytime and another line of entry pairs. Also it appeared that when I last booted into safe mode it was not hanging with this svchost/lsass. That's all I could help with at this point / thanks for your ongoing effort...


    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Monday, April 26, 2004 2:22:35 AM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R299 22.04.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file


    4-26-2004 2:22:35 AM - Scan started. (Smart mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 4-26-2004 6:15:17 AM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 4-26-2004 6:15:25 AM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 4-26-2004 6:15:28 AM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 4/26/2004 6:15:44 AM
    Last modified : 8/23/2001 12:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 4-26-2004 6:15:28 AM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/29/2002 3:41:26 AM
    Last accessed : 4/26/2004 6:15:44 AM
    Last modified : 8/29/2002 3:41:26 AM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 4-26-2004 6:15:29 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 4/26/2004 6:16:01 AM
    Last modified : 8/23/2001 12:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 4-26-2004 6:15:29 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 4/26/2004 6:16:01 AM
    Last modified : 8/23/2001 12:00:00 PM

    #:7 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 4-26-2004 6:15:32 AM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 4/26/2004 6:11:35 AM
    Last modified : 8/23/2001 12:00:00 PM

    #:8 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 4-26-2004 6:15:33 AM
    BasePriority : Normal
    FileSize : 973 KB
    FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
    ProductVersion : 6.00.2800.1221
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 5/12/2003 1:12:10 AM
    Last accessed : 4/26/2004 6:18:48 AM
    Last modified : 5/12/2003 1:12:10 AM

    #:9 [wpctrl.exe]
    FilePath : C:\Program Files\WinPortrait\
    ThreadCreationTime : 4-26-2004 6:15:39 AM
    BasePriority : Normal
    FileSize : 675 KB
    Created on : 7/2/2003 8:57:40 PM
    Last accessed : 4/26/2004 5:52:24 AM
    Last modified : 7/2/2003 8:57:40 PM

    #:10 [revotask.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 4-26-2004 6:15:39 AM
    BasePriority : Normal
    FileSize : 212 KB
    FileVersion : 1, 0, 1, 3
    ProductVersion : 1, 0, 2, 6
    Copyright : Copyright
    CompanyName : M-Audio
    FileDescription : RevoTaskbarApp
    InternalName : STTaskbarApp
    OriginalFilename : RevoTaskbarApp.exe
    ProductName : M-Audio Revolution
    Created on : 2/15/2004 6:03:50 PM
    Last accessed : 4/26/2004 6:15:13 AM
    Last modified : 9/15/2003 6:04:26 PM

    #:11 [sstray.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 4-26-2004 6:15:39 AM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 1.00.00.0298
    ProductVersion : 1.00.00.0298
    Copyright : Copyright 2000-2002 NVIDIA Corporation
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA nForce Taskbar Utility
    InternalName : SSTray.exe
    ProductName : NVIDIA nForce
    Created on : 4/1/2003 10:00:52 PM
    Last accessed : 4/26/2004 6:15:13 AM
    Last modified : 10/26/2002 3:02:06 PM

    #:12 [mmkeybd.exe]
    FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
    ThreadCreationTime : 4-26-2004 6:15:39 AM
    BasePriority : Normal
    FileSize : 176 KB
    FileVersion : 1.00
    ProductVersion : 1.00
    Copyright : Copyright
    CompanyName : Netropa Corp.
    FileDescription : Netropa(tm) Hot Key
    InternalName : Netropa Hot Key
    OriginalFilename : nhk.exe
    ProductName : Netropa Hot Key
    Created on : 4/29/2003 1:51:12 AM
    Last accessed : 4/26/2004 6:15:39 AM
    Last modified : 6/19/2002 2:50:36 PM

    #:13 [point32.exe]
    FilePath : C:\Program Files\Microsoft IntelliPoint\
    ThreadCreationTime : 4-26-2004 6:15:39 AM
    BasePriority : Normal
    FileSize : 160 KB
    FileVersion : 5.00.174.0
    ProductVersion : 5.0
    CompanyName : Microsoft Corporation
    FileDescription : Point32.exe
    InternalName : Point32.exe
    OriginalFilename : Point32.exe
    ProductName : Microsoft IntelliPoint
    Created on : 5/15/2003 11:41:15 PM
    Last accessed : 4/26/2004 6:15:39 AM
    Last modified : 5/15/2003 11:41:15 PM

    #:14 [audiocommander.exe]
    FilePath : C:\Program Files\Andrea Electronics\AudioCommander\
    ThreadCreationTime : 4-26-2004 6:15:40 AM
    BasePriority : Normal
    FileSize : 812 KB
    FileVersion : 3, 3, 0, 0
    ProductVersion : 3, 3, 0, 0
    Copyright : Copyright
    CompanyName : Andrea Electronics Corporation
    FileDescription : AudioCommander Application
    InternalName : AudioCommander
    OriginalFilename : AudioCommander.EXE
    ProductName : AudioCommander Application
    Created on : 1/25/2004 5:33:42 AM
    Last accessed : 4/26/2004 6:15:40 AM
    Last modified : 9/24/2002 5:52:18 PM

    #:15 [realsched.exe]
    FilePath : C:\Program Files\Common Files\Real\Update_OB\
    ThreadCreationTime : 4-26-2004 6:15:40 AM
    BasePriority : Normal
    FileSize : 176 KB
    FileVersion : 0.1.0.3018
    ProductVersion : 0.1.0.3018
    Copyright : Copyright
    CompanyName : RealNetworks, Inc.
    FileDescription : RealNetworks Scheduler
    InternalName : schedapp
    OriginalFilename : realsched.exe
    ProductName : RealPlayer (32-bit)
    Created on : 7/6/2003 5:20:25 AM
    Last accessed : 4/26/2004 6:15:40 AM
    Last modified : 3/27/2004 4:29:24 AM

    #:16 [ppmemcheck.exe]
    FilePath : C:\PROGRA~1\PESTPA~1\
    ThreadCreationTime : 4-26-2004 6:15:40 AM
    BasePriority : Normal
    FileSize : 145 KB
    Created on : 4/9/2003 3:59:49 PM
    Last accessed : 4/26/2004 6:15:40 AM
    Last modified : 4/19/2003 8:53:08 AM

    #:17 [cookiepatrol.exe]
    FilePath : C:\PROGRA~1\PESTPA~1\
    ThreadCreationTime : 4-26-2004 6:15:40 AM
    BasePriority : Normal
    FileSize : 68 KB
    Created on : 4/9/2003 4:00:15 PM
    Last accessed : 4/26/2004 5:52:24 AM
    Last modified : 5/30/2003 12:47:06 AM

    #:18 [floater.exe]
    FilePath : C:\Program Files\WinPortrait\
    ThreadCreationTime : 4-26-2004 6:15:40 AM
    BasePriority : Normal
    FileSize : 727 KB
    Created on : 7/2/2003 8:57:54 PM
    Last accessed : 4/26/2004 6:15:41 AM
    Last modified : 7/2/2003 8:57:54 PM

    #:19 [nhksrv.exe]
    FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
    ThreadCreationTime : 4-26-2004 6:15:41 AM
    BasePriority : Normal
    FileSize : 28 KB
    Created on : 4/29/2003 1:51:12 AM
    Last accessed : 4/26/2004 5:52:24 AM
    Last modified : 8/6/2001 10:41:48 AM

    #:20 [zlclient.exe]
    FilePath : C:\PROGRA~1\ZONEAL~1\
    ThreadCreationTime : 4-26-2004 6:15:42 AM
    BasePriority : Normal
    FileSize : 677 KB
    FileVersion : 4.5.594.000
    ProductVersion : 4.5.594.000
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : Zone Labs Client
    InternalName : zlclient
    OriginalFilename : zlclient.exe
    ProductName : Zone Labs Client
    Created on : 2/19/2004 6:15:27 PM
    Last accessed : 4/26/2004 6:15:42 AM
    Last modified : 4/1/2004 1:30:04 PM

    #:21 [gbpoll.exe]
    FilePath : C:\Program Files\Roxio\GoBack\
    ThreadCreationTime : 4-26-2004 6:15:43 AM
    BasePriority : Normal
    FileSize : 536 KB
    FileVersion : 3.21.106
    ProductVersion : 3.21.106
    Copyright : Copyright
    CompanyName : Roxio, Inc.
    FileDescription : GoBack Polling Service
    InternalName : GoBack Polling Service
    OriginalFilename : GBPoll.exe
    ProductName : GoBack
    Created on : 4/5/2003 1:50:34 AM
    Last accessed : 4/26/2004 5:52:24 AM
    Last modified : 10/28/2002 4:51:52 PM

    #:22 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 4-26-2004 6:15:43 AM
    BasePriority : Normal
    FileSize : 13 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    OriginalFilename : CTFMON.EXE
    ProductName : Microsoft
    Created on : 8/29/2002 3:41:22 AM
    Last accessed : 4/26/2004 6:15:13 AM
    Last modified : 8/29/2002 3:41:22 AM

    #:23 [msnmsgr.exe]
    FilePath : C:\Program Files\MSN Messenger\
    ThreadCreationTime : 4-26-2004 6:15:43 AM
    BasePriority : Normal
    FileSize : 4572 KB
    FileVersion : 6.1.0211
    ProductVersion : Version 6.1
    Copyright : Copyright (c) Microsoft Corporation 1997-2003
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msnmsgr
    OriginalFilename : msnmsgr.exe
    ProductName : Messenger
    Created on : 3/4/2004 8:01:00 PM
    Last accessed : 4/26/2004 6:13:54 AM
    Last modified : 3/4/2004 8:01:00 PM

    #:24 [robotaskbaricon.exe]
    FilePath : C:\Program Files\Siber Systems\AI RoboForm\
    ThreadCreationTime : 4-26-2004 6:15:44 AM
    BasePriority : Normal
    FileSize : 40 KB
    FileVersion : 5-6-2
    ProductVersion : 5-6-2
    Copyright : Copyright (C) 1999-2004
    CompanyName : Siber Systems
    FileDescription : RoboForm TaskBar Icon
    InternalName : RoboTaskBarIcon
    OriginalFilename : RoboTaskBarIcon.exe
    ProductName : Siber Systems AI RoboForm
    Created on : 3/3/2004 3:43:52 PM
    Last accessed : 4/26/2004 6:15:25 AM
    Last modified : 3/3/2004 3:43:52 PM

    #:25 [traymon.exe]
    FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
    ThreadCreationTime : 4-26-2004 6:15:46 AM
    BasePriority : Normal
    FileSize : 108 KB
    Created on : 4/29/2003 1:51:12 AM
    Last accessed : 4/26/2004 6:13:54 AM
    Last modified : 7/12/2002 6:03:10 AM

    #:26 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 4-26-2004 6:15:46 AM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 12:00:00 PM
    Last accessed : 4/26/2004 6:16:01 AM
    Last modified : 8/23/2001 12:00:00 PM

    #:27 [vsmon.exe]
    FilePath : C:\WINDOWS\system32\ZoneLabs\
    ThreadCreationTime : 4-26-2004 6:15:46 AM
    BasePriority : Normal
    FileSize : 805 KB
    FileVersion : 4.5.594.000
    ProductVersion : 4.5.594.000
    Copyright : Copyright
    CompanyName : Zone Labs Inc.
    FileDescription : TrueVector Service
    InternalName : vsmon
    OriginalFilename : vsmon.exe
    ProductName : TrueVector Service
    Created on : 4/13/2004 2:32:30 PM
    Last accessed : 4/26/2004 6:15:13 AM
    Last modified : 4/1/2004 1:29:14 PM

    #:28 [osd.exe]
    FilePath : C:\Program Files\Netropa\Onscreen Display\
    ThreadCreationTime : 4-26-2004 6:15:46 AM
    BasePriority : Normal
    FileSize : 88 KB
    FileVersion : 2.02
    ProductVersion : 2.02
    Copyright : Copyright
    CompanyName : Netropa Corp.
    FileDescription : Netropa(r) Onscreen Display
    InternalName : OSD
    OriginalFilename : osd.exe
    ProductName : Onscreen Display
    Created on : 4/29/2003 1:51:12 AM
    Last accessed : 4/26/2004 6:15:47 AM
    Last modified : 11/14/2001 8:03:12 AM

    #:29 [gbtray.exe]
    FilePath : C:\Program Files\Roxio\GoBack\
    ThreadCreationTime : 4-26-2004 6:15:49 AM
    BasePriority : Normal
    FileSize : 552 KB
    FileVersion : 3.21.106
    ProductVersion : 3.21.106
    Copyright : Copyright
    CompanyName : Roxio, Inc.
    FileDescription : GoBack Tray Icon
    InternalName : GoBack Tray Icon
    OriginalFilename : GBTray.exe
    ProductName : GoBack
    Created on : 4/5/2003 1:50:34 AM
    Last accessed : 4/26/2004 6:15:51 AM
    Last modified : 10/28/2002 4:51:52 PM

    #:30 [shortcut.exe]
    FilePath : C:\Program Files\ShortCuts\
    ThreadCreationTime : 4-26-2004 6:15:51 AM
    BasePriority : Normal
    FileSize : 868 KB
    FileVersion : 1, 2, 0, 0
    ProductVersion : 1, 2, 0, 0
    Copyright : Copyright (C) 1997
    CompanyName : Kiss Software
    FileDescription : ShortCuts
    InternalName : ShortCuts
    OriginalFilename : ShortCuts.EXE
    ProductName : ShortCuts
    Created on : 4/5/2003 3:37:02 AM
    Last accessed : 4/26/2004 6:15:51 AM
    Last modified : 9/11/1998 9:37:08 PM

    #:31 [taskmgr.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 4-26-2004 6:16:55 AM
    BasePriority : High
    FileSize : 125 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows TaskManager
    InternalName : taskmgr
    OriginalFilename : taskmgr.exe
    ProductName : Microsoft
    Created on : 8/29/2002 3:41:28 AM
    Last accessed : 4/26/2004 6:16:55 AM
    Last modified : 8/29/2002 3:41:28 AM

    #:32 [ad-aware.exe]
    FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
    ThreadCreationTime : 4-26-2004 6:18:34 AM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 4/26/2004 5:47:24 AM
    Last accessed : 4/26/2004 6:19:20 AM
    Last modified : 7/13/2003 1:00:20 AM

    Memory scan result :
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

    Registry scan result :
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    New objects : 0
    Objects found so far: 0


    Started deep registry scan
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

    Deep registry scan result :
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    New objects : 0
    Objects found so far: 0


    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


    Deep scanning and examining files (C:)
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


    Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

    Hosts file scan result:
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    2 entries scanned.
    New objects :0
    Objects found so far: 0



    Possible Browser Hijack attempt Object recognized!
    Type : File
    Data : 100 best incredimail sites.url
    Object : C:\Documents and Settings\Gö99\Favorites\Computer\Comp Links\

    Created on : 4/6/2003 1:59:01 AM
    Last accessed : 4/26/2004 9:47:59 AM
    Last modified : 1/9/2003 4:11:49 AM




    Performing conditional scans..
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

    Conditional scan result:
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    New objects : 0
    Objects found so far: 1


    5:52:47 AM Scan complete

    Summary of this scan
    ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
    Total scanning time :03:25:48:438
    Objects scanned :57277
    Objects identified :1
    Objects ignored :0
    New objects :1
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,458
    Please download and run CWShredder

    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer and post another log.

    IMPORTANT! To help prevent this from happening again, you should install all the security patches and critical updates.

    Then have Hijack This fix these two entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


    Then post another log please.

    Cookie
     
  12. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    Hi Cookie,

    CWShredder said system was clean.
    Here is the new hijacker log.
    Doctor, are we getting closer?

    Thanks, and here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:43:13 AM, on 4/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\WINDOWS\System32\RevoTask.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\WinPortrait\floater.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\ZONEAL~1\zlclient.exe
    C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\ShortCuts\ShortCut.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Downloadhere\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6.0&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://CookieCop:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: CookieCop3 - {D7EEF1C5-B053-4a70-B378-3462074D3226} - C:\Program Files\PC Magazine Utilities\CookieCop\CookieHlpr.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINDOWS\System32\RevoTask.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [AudioCommander] C:\Program Files\Andrea Electronics\AudioCommander\AudioCommander.exe /tray
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: ShortCut.lnk = C:\Program Files\ShortCuts\ShortCut.exe
    O4 - Global Startup: 3Com Connection Assistant.lnk = C:\Program Files\3com\Connection Assistant\bin\matcli.exe
    O4 - Global Startup: Font Reserve Startup.lnk = C:\Program Files\Font Reserve\FontReserve.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {13A6F8EA-E2D0-40EE-B7CF-ECE5600F18B4} (SightSpeed_Check.System_Test) - https://www.sightspeed.com/files/SightSpeed_Check.CAB
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
     
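Cookiegal's instruction above is to let HijackThis fix the two R0/R1 entries whose value is about:blank, the sign of the search hijack CWShredder is run against. The block below is an added example, not code from the thread, from HijackThis or from CWShredder: it parses the R0/R1 (Internet Explorer start/search values) and O4 (Run-key autostart) lines of a HijackThis log and flags start/search values that are about:blank or that point at a host outside an allowlist. The sample lines are copied from the logs posted in this thread, except the last one, which is constructed to show the allowlist check; TRUSTED_HOSTS is an assumption based on the legitimate values seen in this thread, not a published baseline.

```python
"""Parse HijackThis-style R0/R1 and O4 lines and flag the about:blank search hijack."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allowlist: hosts that appear as legitimate IE start/search values in
# the logs posted in this thread. Extend it with your own known-good baseline.
TRUSTED_HOSTS = {
    "google.com",
    "www.google.com",
    "ie.search.msn.com",
    "www.microsoft.com",
}

# Lines copied from the HijackThis logs in this thread (the two about:blank
# entries are the ones the helper asked to have fixed), plus one constructed
# line at the end whose start page points at a host outside the allowlist.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/search
"""

# "R1 - HIVE\key\path,ValueName = value"
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),([^=]+?) = (.*)$")
# "O4 - HIVE\..\Run: [Label] command line"
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")


@dataclass
class RegistryEntry:
    section: str   # R0 or R1
    hive: str      # HKCU or HKLM
    key: str       # e.g. Software\Microsoft\Internet Explorer\Main
    name: str      # value name, e.g. Search Bar
    value: str     # the configured URL or string


@dataclass
class RunEntry:
    hive: str
    label: str     # the value name shown in [brackets]
    command: str   # command line launched at logon


@dataclass
class Finding:
    line: str
    reason: str


def parse_r_line(line: str) -> Optional[RegistryEntry]:
    m = R_LINE.match(line.strip())
    return RegistryEntry(*m.groups()) if m else None


def parse_o4_line(line: str) -> Optional[RunEntry]:
    m = O4_LINE.match(line.strip())
    return RunEntry(*m.groups()) if m else None


def check_registry_entry(entry: RegistryEntry) -> Optional[str]:
    """Return a reason string if the IE start/search value looks hijacked, else None."""
    value = entry.value.strip().lower()
    if value == "about:blank":
        # The hijack dealt with in this thread resets the search values to
        # about:blank and substitutes its own page for the blank one.
        return "search/start value reset to about:blank"
    if value.startswith(("http://", "https://")):
        host = urlparse(value).hostname or ""
        if host not in TRUSTED_HOSTS:
            return f"points at untrusted host {host!r}"
    return None  # non-URL values such as 'iexplore' are left to manual review


def review_log(text: str) -> List[Finding]:
    """Return one Finding per R0/R1 line whose value fails check_registry_entry."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        entry = parse_r_line(raw)
        if entry is None:
            continue
        reason = check_registry_entry(entry)
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


def run_entries(text: str) -> List[RunEntry]:
    """Collect O4 Run-key entries so they can be compared against a known baseline."""
    return [e for e in (parse_o4_line(ln) for ln in text.splitlines()) if e]


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
    for r in run_entries(SAMPLE_LOG):
        print(f"{r.hive} Run [{r.label}] -> {r.command}")
```

Run against the sample, the two about:blank lines and the constructed example.invalid line are reported, while the google.com, msn.com and 'iexplore' values pass; the O4 entries are only collected, since whether a Run-key entry belongs on a machine (the RevoTask question below) is a baseline comparison, not something a log line alone can decide.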
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,458
    Do you know what this entry is?

    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINDOWS\System32\RevoTask.exe

    Cookie
     
  14. Cris_Cr0ss

    Cris_Cr0ss

    Joined:
    Jan 30, 2004
    Messages:
    820
  15. gyurika

    gyurika Thread Starter

    Joined:
    Apr 25, 2004
    Messages:
    14
    RevoTask is the M-Audio Revolution 7.1 board's driver stuff.
    I still believe the culprit is not malware. Having said that, it was nice to gain some expertise in the field thanks to your coaching. Thanks to both of you. Any further ideas will be appreciated; I still have the problem, having lost 3 weeks of my life so far... Thanks, gyurika
Short URL to this thread: https://techguy.org/223671
