Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93099 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

log file - please check


  • This topic is locked This topic is locked
20 replies to this topic

#1 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 03 March 2006 - 05:57 PM

Here is my log file. I will be really happy if someone would be kind enough to cast an eye over it. Thanks in advance, Mike Logfile of HijackThis v1.99.1 Scan saved at 8:49:11 AM, on 3/4/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\conime.exe C:\DOCUME~1\ll\LOCALS~1\Temp\AD-AWARE.EXE C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O18 - Protocol hijack: file - FILE>{79 C - 9- 1 - 82 00 0  } O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H} O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M} O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH} O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P} O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H} O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P} O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH} O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 March 2006 - 05:49 PM

Hello mikexyz, welcome to the forum

Important: Do this before any fix.

Please put your HijackThis in it's own folder, (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.

The reason we do this is Hijackthis creates backup files just in case you'd need to restore one and we'll be cleaning out the temp files.



After the above:

Click the link and Save. Once saved, double click the file you just download, Install, Update and run a full scan.
http://free.grisoft....ree_375a691.exe

Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 05 March 2006 - 07:28 PM

Thanks LDTate, I have followed the steps you advised. My computer is not behaving abnormally, but I am concerned at the "Protocol hijack" 018 listings in the report. Is it possible these have to do with IME? Or, is it possible that my communications protocols are indeed compromised? Well, here is the latest log, as requested; Logfile of HijackThis v1.99.1 Scan saved at 10:25:33 AM, on 3/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Documents and Settings\ll\Desktop\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan O18 - Protocol hijack: file - FILE>{79PHCNMH-IHW9-H1MG-IT82H00MH0IHW{PHT} O18 - Protocol hijack: ftp - >IT{PH9NMHBIH9-1HTMG8I82-H0NMH0IHW90H} O18 - Protocol hijack: http - {7PHANMH5-HW{PH11GE-8{PH-00HAIH4{PH0M} O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH} O18 - Protocol hijack: mk - {7IT{PHEN-HAIH-11HT-GCI2-0HAN0H4IH90P} O18 - Protocol hijack: res - >I050H3NMH9IH5-1HTMGBI82-H0NMH0IHW{0H} O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P} O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH} O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe Thanks again, Mike

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 March 2006 - 07:43 PM

Please run Notepad and paste the following Quote text into a new file: Be sure to include REGEDIT4



REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\cdo]
@="cdo: Asychronous KnowledgePluggable Protocol Handler"
"CLSID"="{CD00020A-8B95-11D1-82DB-00C04FB1625D}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\file]
@="file:, local: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ftp]
@="ftp: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http]
@="http: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\0x00000001]
@="Microsoft OLE DB Moniker Binder for Internet Publishing"
"CLSID"="{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb]
"CLSID"="{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
@="Microsoft OLE DB Provider for Internet Publishing"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
@="its: Asychronous Pluggable Protocol Handler"
"CLSID"="{9D148291-B9C8-11D0-A4CC-0000F80149F6}"
[
-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\lid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\lid]
@="MS TV ATVEF compliant lid: Protocol Handler"
"CLSID"="{5C135180-9973-46D9-ABF4-148267CBB8BF}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
@="mk: Asychronous Pluggable Protocol Handler"
"CLSID"="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res]
"CLSID"="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tv]
@="TV: Pluggable Protocol"
"CLSID"="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wia]
@="wia: Asychronous Pluggable Protocol Handler for WIA devices"
"CLSID"="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}"



Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.


Please post a new HJT log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 05 March 2006 - 08:00 PM

Thanks again, Now I have this; Logfile of HijackThis v1.99.1 Scan saved at 11:01:03 AM, on 3/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\BitComet\BitComet.exe C:\Documents and Settings\ll\Desktop\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe How does it look? Thanks again :-)

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 March 2006 - 08:02 PM

Looking a lot better :thumbup:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot and "copy/paste" a new HijackThis log file into this thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 05 March 2006 - 09:23 PM

I followed all instruction. Uh Oh, They're back :blink: Here is the new log; Logfile of HijackThis v1.99.1 Scan saved at 12:22:28 PM, on 3/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\Documents and Settings\ll\Desktop\HijackThis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan O18 - Protocol hijack: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} O18 - Protocol hijack: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} O18 - Protocol: msdaipp - (no CLSID) - (no file) O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe Thanks again

Edited by mikexyz, 05 March 2006 - 09:24 PM.


#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 March 2006 - 06:51 AM

Those 018's aren't hurting anything.

You can fix this one with HJT.

O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\ll\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan

Then lets make sure nothing is hidding.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 06 March 2006 - 05:47 PM

O.K., I will do as you suggest. It may take a little time as I have quite a busy day here. Is it possible you can give me a little information as to what those 018's are? I have done a few searches, but have not found any decent info about their nature. Will repost log when I finish your instructions. Thanks again, Mike :-)

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 March 2006 - 05:54 PM

Status Name Path/File Description
Protocol {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} L file, ftp, gopher, http, https, local, mk urlmon.dll Items taken from whitelist of HijackThis

http://www.malwarehe...eting-hjt3.html

O18 - Extra protocols and protocol hijackers

This section of HijackThis looks for new or changed protocols used by Windows to 'talk' to programs, servers or itself. A protocol is one IE interprets as the beginning of an address like http://, https://, ftp://, gopher:// etc,. LOP.com uses this method to make IE load content using an "ayb:// whatever address" similarly CommonName uses cn://. Several legitimate programs also do this.

Example of 018 entries from HijackThis logs



O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL


Recommendation: Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked. If you are in doubt get an expert opinion before fixing it.

The 018 items can be researched at CastleCops - O18 Extra protocols and protocol hijackers list.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

    Advertisements

Register to Remove


#11 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 06 March 2006 - 06:01 PM

Thanks again for the info., LDTate. I'm running the sweeper now. Cheers, Mike

#12 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 06 March 2006 - 06:16 PM

A couple of these seem multimedia related. Could the installation of Ace Mega Codec Pack have been reponsible do you think? Cheers (still sweeping)

Edited by mikexyz, 06 March 2006 - 06:17 PM.


#13 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 06 March 2006 - 06:50 PM

These logs are immediately after Spysweeper scan. Will reboot and run HJThis and post another log ... in a couple of minutes ------------------------------------------------------------------------------------------ ------------------------------------------------------------------------------------------ Spysweeper log; ******** 8:59 AM: | Start of Session, Tuesday, March 07, 2006 | 8:59 AM: Spy Sweeper started 8:59 AM: Sweep initiated using definitions version 625 8:59 AM: Starting Memory Sweep 9:03 AM: Memory Sweep Complete, Elapsed Time: 00:04:19 9:03 AM: Starting Registry Sweep 9:03 AM: Registry Sweep Complete, Elapsed Time:00:00:24 9:03 AM: Starting Cookie Sweep 9:03 AM: Found Spy Cookie: falkag cookie 9:03 AM: ll@as-us.falkag[1].txt (ID = 2650) 9:03 AM: ll@sel.as-us.falkag[1].txt (ID = 2650) 9:03 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00 9:04 AM: Starting File Sweep 9:41 AM: File Sweep Complete, Elapsed Time: 00:37:04 9:41 AM: Full Sweep has completed. Elapsed time 00:42:01 9:41 AM: Traces Found: 2 9:43 AM: Removal process initiated 9:43 AM: Quarantining All Traces: falkag cookie 9:43 AM: Removal process completed. Elapsed time 00:00:01 ******** 8:55 AM: | Start of Session, Tuesday, March 07, 2006 | 8:55 AM: Spy Sweeper started 8:56 AM: Your spyware definitions have been updated. 8:59 AM: | End of Session, Tuesday, March 07, 2006 | ---------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------- Hijackthis log; Logfile of HijackThis v1.99.1 Scan saved at 9:48:35 AM, on 3/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\taskmgr.exe C:\Documents and Settings\ll\Desktop\HijackThis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O18 - Protocol: msdaipp - (no CLSID) - (no file) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe ----------------------------------------------------------------------------------------------------------------- -----------------------------------------------------------------------------------------------------------------

#14 mikexyz

mikexyz

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 06 March 2006 - 07:14 PM

Here we go; Logfile of HijackThis v1.99.1 Scan saved at 10:15:20 AM, on 3/7/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Documents and Settings\ll\Desktop\HijackThis\HijackThis.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE C:\WINDOWS\system32\NOTEPAD.EXE O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O18 - Protocol: msdaipp - (no CLSID) - (no file) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 March 2006 - 07:16 PM

Good Job :thumbup:

Log looks good :D :thumbup: How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.





If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users