Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

unwanted carp** on my computer


  • This topic is locked This topic is locked
1 reply to this topic

#1 RussJ

RussJ

    New Member

  • New Member
  • Pip
  • 1 posts

Posted 03 March 2007 - 11:15 PM

My home page is hijacked. I have spybot, but it doesn't find it. I have another program that I was forced to download, process explorer, because something mysteriously caused my task manager to be disabled by the administrator (I am the adminstrator). This program helps me identify programs running and who is responsible. There are programs running that I can't find- so I can't delete them. This program also shows CPU usage and internet usage and some program (which I can't identify) is nearly stopping me from doing anything else. I suspect I have many trojan type programs and don't know what to do about it! The list of services running is not complete, I see; I have already stopped the ones I know don't need to run- this is another thing that irks me. Some thing causes a "Generic Host Process" error that causes my modem to stop working and also my sound card quits.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:38 PM, on 3/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SHA256\secure.exe
C:\WINDOWS\smss.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\sndvol32.exe
C:\Documents and Settings\Russell\My Documents\My Received

Files\ProcessExplorerNt\procexp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\ISP50\dialer\dialer.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\PeoplePC Accelerated\propelac.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Russell\Local

Settings\Temp\Temporary Directory 1 for

hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search

Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page = http://yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local

Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local

Page = about:blank
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=explorer.exe



"C:\Program Files\Common Files\Microsoft

Shared\Web Folders\ibm00003.exe", msmsgs.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20079\winlogon.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}

- C:\WINDOWS\System32\hp36CC.tmp
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant -

{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program

Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

(file missing)
O3 - Toolbar: &Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program

Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program

Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program

Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PPCRunonce]

C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\Run: [Windows Update]

C:\WINDOWS\System32\jmfbo.exe
O4 - HKLM\..\Run: [Microsoft Update] wudmate.exe
O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check]

C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft

Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program

Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection]

C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink

Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media

Experience\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Propel Accelerator]

"C:\PROGRA~1\PEOPLE~1\propelac.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer]

KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eTrust Realtime Monitor]

C:\WINDOWS\System32\realmon.exe /start
O4 - HKLM\..\Run: [Recguard] C:\Program

Files\HP\recguard.exe
O4 - HKLM\..\Run: [Apvxdwin]

C:\WINDOWS\System32\APVXDWIN.EXE
O4 - HKLM\..\Run: [IPSecMon] C:\Program Files\Common

files\VPN Network\IPSecMon.exe /vpncheck
O4 - HKLM\..\Run: [Windows Update AutoUpdate Client]

C:\WINDOWS\System32\winupd\wuauclt.exe
O4 - HKLM\..\Run: [SHA256] C:\Program

Files\SHA256\secure.exe
O4 - HKLM\..\Run: [Microsoft standard protector]

C:\WINDOWS\inet20079\socks.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program

Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SysTray] C:\Program Files\qbojgwg.exe
O4 - HKLM\..\Run: [c1bf19dd.exe]

C:\WINDOWS\System32\c1bf19dd.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager

Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [termcaps]

C:\WINDOWS\System32\termcaps.exe
O4 - HKLM\..\Run: [ISUSScheduler]

"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [Microsoft Windows Logon Process]

C:\WINDOWS\winlogon.exe
O4 - HKLM\..\RunServices: [SmallAndSecure] mssecure.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wudmate.exe
O4 - HKLM\..\RunServices: [termcaps]

C:\WINDOWS\System32\termcaps.exe
O4 - HKCU\..\Run: [SmallAndSecure] mssecure.exe
O4 - HKCU\..\Run: [Microsoft Update] wudmate.exe
O4 - HKCU\..\Run: [c1bf19dd.exe] C:\Documents and

Settings\Russell\Local Settings\Application

Data\c1bf19dd.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common

Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [termcaps]

C:\WINDOWS\System32\termcaps.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft

Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [WinMedia]

C:\DOCUME~1\Russell\LOCALS~1\Temp\85907438.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk =

C:\Program Files\Sony\Sony Picture

Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Sonic INSTALLit! Setup.lnk =

C:\WINDOWS\Temp\VIES7953\Setup.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment

Check 2.lnk =

C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program

Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk

= ?
O8 - Extra context menu item: Refresh Pa&ge with Full

Quality - C:\Program Files\PeoplePC

Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full

Quality - C:\Program Files\PeoplePC

Accelerated\pac-image.html
O9 - Extra button: Related -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Blackjack -

http://download.game...nts/y/jt0_x.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC

Web Installer) -

http://www.peoplepc....oad/ppcwebi.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{7125A1E8-584D-4A4C-9328-

790EFDAFD429}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: Sebring -

C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2

(EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program

Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Logon Process Service

(MSWinLogonProcService) - Unknown owner -

C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service

(navapsvc) - Symantec Corporation - C:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel®

Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService)

- Symantec Corporation - C:\Program Files\Norton

AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation -

C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) -

Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) -

Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 15 March 2007 - 03:45 PM

Hello and welcome to the forum. Sorry about the delay in responding :( Please turn Word Wrap off in Notepad. If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread. Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users