HJT log

fourfivefour · 07-13-2005, 10:01 AM

Hi, someone told me that I should post my log up here. My computer was infected with a trojan, but just to make sure it's completely gone...

Logfile of HijackThis v1.99.1
Scan saved at 9:45:35 AM, on 13/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMSX.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\PROGRAM FILES\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\SYSTEM\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Yahoo HP Reminder 1.0] C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

oddjob · 07-13-2005, 10:08 AM

Hi fourfivefour and welcome to TSF

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

OJ

fourfivefour · 07-13-2005, 10:12 AM

Okay, THANK YOU!

oddjob · 07-14-2005, 07:48 AM

Hi again Fourfivefour

Nothing in your log concerns me greatly. Is your PC performing as it should now?

Are you seeing any error messages? Other “operational” difficulties of any kind?

Do you have any particular concerns?

If not I would say all is well.

Please do let me know.

Regards.

OJ

fourfivefour · 07-15-2005, 02:48 PM

Thank you very much for checking it out for me.
No, I haven't been getting any error messages or difficulties.

Theres something that I question though: when I check my firewall, it tells me that it blocked 3 intrusions and 3 access attempts. Do I have to be concerned about that? Where is it coming from?

fourfivefour · 07-15-2005, 02:51 PM

And another thing I forgot to add. I get an average of 10 tracking cookies whenever I scan my computer on Ad-Aware. How do I stop them from coming to my computer in the first place? Can you recommend a program?

oddjob · 07-16-2005, 01:23 AM

Hi

Good to know all is well.

As to stopping attempted intrusions that's exactly what your firewall is supposed to do. It shows your firewall is working. I also use Zone Alarm Free personal firewall and I've just checked the statistics - up to now it tells me that, since the last upgrade a while ago, it has blocked 24230 intrusions of which 7514 have been classified as "high rated".

On the cookies you might like to read this for a view....

http://www.pcreview.co.uk/forums/thread-1899651.php

Mostly you needn't worry about them too much. Just make sure you do regular scans and remove them if you don't want them. Spybot Search & Destroy should do the job.

Hope that helps.

Best wishes.

OJ

Lifeismusic · 07-16-2005, 01:50 AM

Yeah, don't be worried about zone alarm blocking things. I have had 79,388 "access attemps" but they don't nessaraly mean that each one is a hacker or someone trying to take over my computer.

Another good program that blocks tracking cookies automaticly is "Spy Sweeper" available HERE, just click on the "Free Trial" button in the upper middle of the page. If they have changed the trial so that it expires after a few days, I can give you and older version that I use which never expires, it only asks you to suscribe once in a while. Even though it is a bit older, it still blocks the tracking cookies.

07-13-2005, 10:01 AM	#1 (permalink)
fourfivefour Registered User Join Date: Jul 2005 Posts: 28 OS: WinME	HJT log Hi, someone told me that I should post my log up here. My computer was infected with a trojan, but just to make sure it's completely gone... Logfile of HijackThis v1.99.1 Scan saved at 9:45:35 AM, on 13/07/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\SSDPSRV.EXE C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\AVAST4\ASHSERV.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\RPCSS.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\WINDOWS\SYSTEM\HIDSERV.EXE C:\WINDOWS\SYSTEM\HPSYSDRV.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\LVCOMSX.EXE C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE C:\PROGRAM FILES\AVAST4\ASHWEBSV.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\HJT\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\SYSTEM\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\AVAST4\ASHWEBSV.EXE O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm\zlclient.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [Yahoo HP Reminder 1.0] C:\PROGRAM FILES\YAHOO!\YIP2\HP\ENCWAR\PROGRAM\YR.EXE O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Avast4\ashServ.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000 O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

07-16-2005, 01:23 AM	#7 (permalink)
oddjob Registered User Join Date: Jan 2005 Location: London, UK Posts: 305 OS: WinXP SP2/98/98SE	Hi Good to know all is well. As to stopping attempted intrusions that's exactly what your firewall is supposed to do. It shows your firewall is working. I also use Zone Alarm Free personal firewall and I've just checked the statistics - up to now it tells me that, since the last upgrade a while ago, it has blocked 24230 intrusions of which 7514 have been classified as "high rated". On the cookies you might like to read this for a view.... http://www.pcreview.co.uk/forums/thread-1899651.php Mostly you needn't worry about them too much. Just make sure you do regular scans and remove them if you don't want them. Spybot Search & Destroy should do the job. Hope that helps. Best wishes. OJ Last edited by oddjob; 07-16-2005 at 01:25 AM.

07-13-2005, 10:08 AM	#2 (permalink)
oddjob Registered User Join Date: Jan 2005 Location: London, UK Posts: 305 OS: WinXP SP2/98/98SE	Hi fourfivefour and welcome to TSF I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p. Please be patient with me during this time. We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". OJ

07-13-2005, 10:12 AM	#3 (permalink)
fourfivefour Registered User Join Date: Jul 2005 Posts: 28 OS: WinME	Okay, THANK YOU!

07-14-2005, 07:48 AM	#4 (permalink)
oddjob Registered User Join Date: Jan 2005 Location: London, UK Posts: 305 OS: WinXP SP2/98/98SE	Hi again Fourfivefour Nothing in your log concerns me greatly. Is your PC performing as it should now? Are you seeing any error messages? Other “operational” difficulties of any kind? Do you have any particular concerns? If not I would say all is well. Please do let me know. Regards. OJ

07-15-2005, 02:48 PM	#5 (permalink)
fourfivefour Registered User Join Date: Jul 2005 Posts: 28 OS: WinME	Thank you very much for checking it out for me. No, I haven't been getting any error messages or difficulties. Theres something that I question though: when I check my firewall, it tells me that it blocked 3 intrusions and 3 access attempts. Do I have to be concerned about that? Where is it coming from?

07-15-2005, 02:51 PM	#6 (permalink)
fourfivefour Registered User Join Date: Jul 2005 Posts: 28 OS: WinME	And another thing I forgot to add. I get an average of 10 tracking cookies whenever I scan my computer on Ad-Aware. How do I stop them from coming to my computer in the first place? Can you recommend a program?

07-16-2005, 01:50 AM	#8 (permalink)
Lifeismusic Registered User Join Date: Jul 2005 Posts: 159 OS: XP Home My System	Yeah, don't be worried about zone alarm blocking things. I have had 79,388 "access attemps" but they don't nessaraly mean that each one is a hacker or someone trying to take over my computer. Another good program that blocks tracking cookies automaticly is "Spy Sweeper" available HERE, just click on the "Free Trial" button in the upper middle of the page. If they have changed the trial so that it expires after a few days, I can give you and older version that I use which never expires, it only asks you to suscribe once in a while. Even though it is a bit older, it still blocks the tracking cookies.