
new virus taking over friends comp help with log!!


I was just able to get him the HijackThis program. He ran it; here's his log. Please tell all he should get rid of... Thanks a lot, you guys have helped me out tremendously.

Logfile of HijackThis v1.99.1
Scan saved at 12:11:55 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.exe
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Grisoft\AVG Free\avginet.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JOHNKI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.paomaha.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\vgadb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.exe /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://campaignlogic.truelogic.com.au/d ... fxIEAx.cab
O20 - Winlogon Notify: vgadb - C:\WINDOWS\vgadb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Fix the following after closing all the browsers.

O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} -
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop

Also, to get rid of the virus, scan with an updated anti-virus (I see there is AVG on there). Use HouseCall for a free online scan.

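The reply above singles out the MSEvents BHO and the IERESET.INF entry. As an added example (not code from the thread, from HijackThis or from any of the posters), the Python script below parses the HijackThis line format and flags the patterns this log actually shows: a binary loaded from the Windows root folder, the same DLL hooked as both a browser helper object (O2) and a Winlogon Notify handler (O20), and an overridden IE reset page. The embedded log excerpt is constructed from the entries posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the log posted above (a few entries, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\vgadb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O20 - Winlogon Notify: vgadb - C:\WINDOWS\vgadb.dll
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""
# HijackThis entries start with a section code (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# A binary sitting directly in the Windows folder rather than system32 or Program Files.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(dll|exe)$", re.IGNORECASE)


def parse_log(text):
    """Return (code, body, path) tuples; path is the last ' - ' field, or None if there is none."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        fields = m.group("body").split(" - ")
        path = fields[-1].strip().strip('"') if len(fields) > 1 else None
        entries.append((m.group("code"), m.group("body"), path))
    return entries


def triage(text):
    """Return (code, item, reason) findings for the patterns this thread's log shows."""
    findings = []
    codes_by_file = defaultdict(set)   # lower-cased path -> HijackThis codes that load it
    for code, body, path in parse_log(text):
        if path and path.lower().endswith((".dll", ".exe")):
            codes_by_file[path.lower()].add(code)
            if WINDIR_ROOT_RE.match(path):
                findings.append((code, path, "binary loaded from the Windows root folder"))
        if code == "O14":
            findings.append((code, body, "IE reset (IERESET.INF) start page is overridden"))
    # One DLL registered both as a browser helper object and as a Winlogon Notify handler.
    for path, codes in codes_by_file.items():
        if {"O2", "O20"} <= codes:
            findings.append(("O2/O20", path, "same DLL hooked as BHO and Winlogon Notify"))
    return findings


if __name__ == "__main__":
    for code, item, reason in triage(SAMPLE_LOG):
        print(f"{code:<6} {reason}: {item}")
```

Run against the constructed excerpt it reports vgadb.dll three times (O2, O20 and the combined O2/O20 finding) plus the O14 line, and nothing for the Adobe or Norton entries.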

BEFORE you delete the entries Phil mentioned, move HijackThis to its own folder (e.g. C:\Program Files\Hijackthis\Hijackthis.exe).

Yuppers, otherwise it won't create backups... so if you end up needing those for some reason or another you are out of luck.


Oops, I was going to mention that but forgot. Good spot :oops:

(We have the edit button back?) :?

Yeah, I noticed that too... maybe people just can't edit the very first post? Doubt it though...

In any case I think that the 1st response to the post should be a quote... that way even if they do edit it and say "thanks, fixed!" it would still be in writing 1 post down. Whaddya think?


I think that the 1st response to the post should be a quote... that way even if they do edit it and say "thanks, fixed!" it would still be in writing 1 post down. Whaddya think?
Nah, because when people search, if they set it to just display the topic titles, then all they see is "thanks, fixed", which is kinda useless.

I think that the 1st response to the post should be a quote... that way even if they do edit it and say "thanks, fixed!" it would still be in writing 1 post down. Whaddya think?
Nah, because when people search, if they set it to just display the topic titles, then all they see is "thanks, fixed", which is kinda useless.

Stop correcting me... lol

*shakes fist* :wink:

