Full Version: hijackthis scan results
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
maxxooxx
Am posting the results of a spybot search of my computer's files as required. Hope this will allow you to be able to help me get rid of the trojan horse "downloaderJU" that has infected my computer. Will now download hijackthis and I'll post the log from that scan as soon as I can. Hope you can help me and thanks a million for even having a site like this for people to come to.



DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1004336348-527237240-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi
maxxooxx
Here's the log of the results of the scan of my pc using the hijackthis program. Hope you can tell me how to get rid of this thing. Thanks again, in advance, for all your help with this problem. You are life savers. :thumb:


Logfile of HijackThis v1.98.2
Scan saved at 5:43:26 PM, on 10/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sal\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [dxmrtp] C:\WINDOWS\System32\dxmrtp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1092950021499
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...401/mcfscan.cab
Hunter
Someone will help analyze your HijackThis log soon..


For those callouts by Spybot for these entries..
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1004336348-527237240-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3



Do not be concerned. :)


They will reappear even if you clean them off.. I suggest you check them all one time..then right click on the wording and left click again on "to be excluded" and you will not see them come up again on a scan.

see here how to do that..

http://www.safer-networking.org/en/howto/exclude.html


more info here on why..

http://forums.net-integration.net/index.php?showtopic=17159

Did you update your Spybot with the latest definitions after you installed it and before you ran a scan?

Here is a tutorial on Spybot.

http://www.safer-networking.org/en/tutorial/index.html

This is how you update spybot


http://www.safer-networking.org/en/howto/update.html
Bobbi Flekman
Hi maxxooxx,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it...

O4 - Startup: PowerReg SchedulerV2.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Open Windows Explorer, navigate to the folder "C:\WINDOWS\System32" and find the file "dxmrtp.exe". Right click on the file and select "Properties" from the menu. Select the "Version" tab and copy the information it gives here.

As for the Spybot issue: Spybot has released an update that will take care of these DSO exploits. http://www.safer-networking.org/en/spybotsd/index.html
maxxooxx
Thanks so much for telling me what to do to get rid of this problem. Will go and do what you've told me to and I'll report back to let you know how it all worked out. I'm sure this will take care of the problem but I'd like to come back and thank you all again and tell you how much I appreciate what you've done for me (and a lot of other people too). :thx:
Hunter
And post one more log please, just to make sure..

then keep these in mind..

It is recommended that you do a couple of things after a serious infection.

Just to be sure.

Clear out your Temporary internet files and other temp files. Go to Start > Settings > Control Panel > Internet Options. Under the General tab click "Delete temporary internet files", choose to delete all Offline content. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one.

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

Empty the Recycle Bin.

This will result in your having to re-enter passwords at forums, banks, and the like.

A small price to pay if it gets rid of any bad guys.

Flush your restore points in ME and XP, by turning System Restore off and then back on. This will create a fresh restore point.

Explained here:
http://service1.symantec.com/SUPPORT/tsgen...001111912274039

Also, if you have Sun Java installed, its cache should be cleared too.
> control panel java-plugin > cache tab > hit clear!
And make sure you have the latest version if you have Sun Java.

Adjust your security settings for ActiveX:
a. Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set/click the options as follows:
Download signed ActiveX controls > prompt
Download unsigned ActiveX controls > disable
Initialize and Script ActiveX controls not marked as safe > disable
b. In your Restricted Sites Zone set everything that can be to "disable". Set anything that cannot be disabled to "prompt".
c. Never add any site to your Trusted Sites Zone.

I would also recommend, In your own self defense and to reduce the potential for spyware infection in the future, installing both SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.

More info and download is available at:
SpywareBlaster: http://www.majorgeeks.com/download.php?det=2859
SpywareGuard: http://www.majorgeeks.com/download.php?det=3045

Maybe consider this as well:
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Also some info on that page to tighten your IE security.

Be sure to also keep up with Windows and IE updates.

Windows security and critical updates.
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer security and critical updates.
http://www.microsoft.com/windows/ie/default.asp

Keep all of these programs updated, it's free.
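As an added example (not code from this thread, from Spybot or from Microsoft), the Python below expresses Hunter's three ActiveX settings and the check behind the Spybot "DSO Exploit" lines as Internet Explorer zone option IDs and audits a zone's values against them; on Windows it can read the live values with winreg, elsewhere it works on a constructed snapshot. The option IDs 1001, 1004 and 1201 and the meaning 0 = enable, 1 = prompt, 3 = disable are Internet Explorer's own; reading "1004!=W=3" as "option 1004 is not the wanted value 3" is an assumption.

```python
import sys

# Internet Explorer stores per-zone settings as DWORD values under this key,
# with the zone number as a subkey: 0 = My Computer, 1 = Local intranet,
# 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ENABLE, PROMPT, DISABLE = 0, 1, 3      # higher value = stricter for these options

# Hunter's Internet-zone settings, keyed by IE's option ID for each setting.
INTERNET_TARGETS = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}
# The Spybot lines "...\Zones\0\1004!=W=3" are read here (assumption) as: in
# the My Computer zone, option 1004 is not the wanted value 3 (disable).
DSO_TARGETS = {"1004": ("Download unsigned ActiveX controls", DISABLE)}


def audit_zone(values, targets):
    """values: {option_id: dword} for one zone. Returns a list of
    (option_id, description, wanted, actual) for settings that are missing
    or weaker than the target; an empty list means the zone passes."""
    findings = []
    for opt, (desc, wanted) in targets.items():
        actual = values.get(opt)
        if actual is None or actual < wanted:
            findings.append((opt, desc, wanted, actual))
    return findings


def read_zone(zone, hive="HKCU"):
    """Read one zone's DWORD options from the live registry (Windows only).
    Returns {} elsewhere, or when the zone key is absent, so the audit
    can still run on a snapshot."""
    if sys.platform != "win32":
        return {}
    import winreg
    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    try:
        key = winreg.OpenKey(root, ZONES_KEY + "\\" + zone)
    except OSError:                    # zone key not present for this user
        return {}
    values = {}
    with key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:            # no more values in this key
                break
            if kind == winreg.REG_DWORD:
                values[name] = data
            index += 1
    return values


def report(zone_name, findings):
    """One line per weak setting, in the spirit of Spybot's 'is X, want Y'."""
    return [f"Zone {zone_name}: {desc} (option {opt}) is {actual}, want {wanted}"
            for opt, desc, wanted, actual in findings]


if __name__ == "__main__":
    # Constructed snapshot of a weakened Internet zone: signed controls download
    # silently and unsigned controls only prompt. On Windows read_zone("3")
    # replaces it with the current user's real values.
    snapshot = read_zone("3") or {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE}
    for line in report("3 (Internet)", audit_zone(snapshot, INTERNET_TARGETS)):
        print(line)
    for line in report("0 (My Computer)", audit_zone(read_zone("0"), DSO_TARGETS)):
        print(line)
```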
maxxooxx
Hunter and Bobbi - I promise I'll come back and post another log but I'm running late tonite so I'll have to do it later tonite or tomorrow.

However, I followed your instructions and checked all the items and had hijackthis clear them all. Ran another scan and it came up w/nothing. So far, so good. Then I went in and opened the WINDOWS\System32 program and went looking for the dxmtp.exe file so I could copy it and post it. Problem is, the file isn't there. Ran a search and it also came up w/nothing. My next question is, is this going to cause problems? And if so, how can I fix it?

Also, couldn't get the spybot to exclude those 5 items from coming up during a scan. When I right clicked on the words the box came up as you said it would but the line for excluding the items from subsequent scans wasn't enabled and so I couldn't click on it. But since you said those items were nothing to worry about I'm not terribly concerned that I can't exclude them.

Do you still want me to post a log from another scan of the hijackthis results even though there's nothing there? If so, I certainly will. But as I said, I can't post the copy of the dxmtp file cause it's not there. Don't know what else I can do but I'll wait for you to let me know what the next step is.
Hunter
QUOTE (maxxooxx @ Oct 28 2004, 04:52 PM)
Also, couldn't get the spybot to exclude those 5 items from coming up during a scan. When I right clicked on the words the box came up as you said it would but the line for excluding the items from subsequent scans wasn't enabled and so I couldn't click on it. But since you said those items were nothing to worry about I'm not terribly concerned that I can't exclude them.

Look at this link with graphics on How to exclude products from the search

http://www.safer-networking.org/en/howto/exclude.html

but I think you must also first put a check mark in the box in front of that (those) line items you do wish to exclude before it will work..that was a new safety feature they put in recently.

Posting another hijack this log is optional..just thought you might like to do that making sure there was nothing else that came up.

maxxooxx
Hi Hunter - did as you requested and ran another scan both late last nite and again just now. Last nite there was nothing in the scan but today I came up with the following:

Logfile of HijackThis v1.98.2
Scan saved at 5:02:54 PM, on 10/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\Sal\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

When I clicked on the info button two of the three items came up as suspicious so my question is, should I delete them? And should I delete just the two or all three new items?

Also tried to exclude those other items from future spybot scans. Even though the items are checked, the "exclude" button still isn't enabled. Once again, since you've told me that those things aren't really a problem I'm not concerned. Thanks anyway.

Am now working on doing all the other things you told me to do - deleting temps files/recycle bin, etc. But I won't touch the items in the new scan until I hear back from you again. Thanks much......Maxx
Hunter
Hi Maxxx,

Well, you know for sure: never delete anything in your HijackThis scan log unless Bobbi or one of the other gurus tells you specifically to do that..

The hijack log you just posted seems short..compared to the last one.. In any case, I would not worry about that Spybot problem for now..as you understand it is not important..but if anything else ever comes up with a Spybot scan that is in red you can try to safely delete those.
Bobbi Flekman
Hi maxxooxx,

your log is incomplete. Please post a whole log.
maxxooxx
Hunter - I'd never delete anything that came up unless one of you guys told me to; I wouldn't want to risk deleting something that I shouldn't have. And now that I'm aware that those items in the spybot log are harmless I'll just ignore them when I do future scans.

Bobbi - I posted everything that came up in my latest hijackthis scan so I'm not sure what you mean by asking me to post a complete log. What should I do that will make my log post complete? And one last question; should I leave those three items from my latest scan alone or should I delete one, two or all of them? I'm not touching anything until I hear back from you.
Hunter
Hi Maxx,

Bobbi and I, I think, are both confused here..what three items are you talking about to delete???

Is it these??
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe


If so, the answer is NO, keep all of those..if not, which ones are you talking about? Please post information on them.

For the hijack log we are questioning...the one you just posted above looks incomplete..and we were trying to figure out why it is not as long as the previous one you had posted...


In any case...if you run HijackThis just after you have rebooted your PC and it looks the same as the one you just posted..then you do not have to do another one..but if it is longer with more entries..then yes, please post another.
Hunter
The mystery for us is here ...Your first log posted looked like this..

Logfile of HijackThis v1.98.2
Scan saved at 5:43:26 PM, on 10/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sal\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [dxmrtp] C:\WINDOWS\System32\dxmrtp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1092950021499
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...401/mcfscan.cab



Please tell me why your HijackThis is now no longer in your "My Documents" folder compared to the last log you posted..and where are the other entries as above?

You seem to now be running HijackThis from

C:\DOCUME~1\Sal\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe





Are you logged into your PC as Admin and full user account when you posted that last HijackThis log?

How many user accounts do you have set up on the PC..and are you the only one using that PC ?


Thanks
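As an added example, not code from this thread or from HijackThis, here is a Python reader for HijackThis v1.98 logs that diffs two of them the way Hunter compared the first and second log above, and flags the points the helpers raised (the PowerReg entry, HijackThis run from a Temp folder). The two embedded logs are abbreviated constructed copies of the ones posted in this thread.

```python
import re

# Constructed samples: abbreviated copies of the first and second logs
# posted in this thread (most entries left out to keep them short).
LOG_FIRST = r"""Logfile of HijackThis v1.98.2
Scan saved at 5:43:26 PM, on 10/27/2004

Running processes:
C:\Documents and Settings\Sal\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [dxmrtp] C:\WINDOWS\System32\dxmrtp.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

LOG_SECOND = r"""Logfile of HijackThis v1.98.2
Scan saved at 5:02:54 PM, on 10/29/2004

Running processes:
C:\DOCUME~1\Sal\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"""

# One HijackThis entry: a section code (R0, O2, O4, O16, ...) and its body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt_log(text):
    """Split a HijackThis log into (header, running processes, entries)."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
        elif line.startswith("Logfile of HijackThis"):
            header["version"] = line.split("HijackThis", 1)[1].strip()
        elif line.startswith("Scan saved at"):
            header["scan_time"] = line[len("Scan saved at"):].strip()
    return header, processes, entries


def diff_entries(old_entries, new_entries):
    """Entries that disappeared from, or appeared in, the newer log. The
    comparison ignores letter case because HijackThis prints the same path
    with varying case between runs (the drive letter as both c: and C:)."""
    key = lambda e: (e[0], e[1].lower())
    old_keys = {key(e) for e in old_entries}
    new_keys = {key(e) for e in new_entries}
    removed = [e for e in old_entries if key(e) not in new_keys]
    added = [e for e in new_entries if key(e) not in old_keys]
    return removed, added


def triage(processes, entries):
    """Defender-side hints matching what the helpers asked about; a hint is a
    reason to look closer, not a verdict that an entry is malicious."""
    notes = []
    for proc in processes:
        if proc.lower().endswith("hijackthis.exe") and TEMP_DIR_RE.search(proc):
            notes.append(("process", proc,
                          "HijackThis run from a Temp folder; run it from a permanent folder"))
    for section, body in entries:
        if section == "O4" and "powerreg" in body.lower():
            notes.append((section, body, "PowerReg Scheduler registration reminder, not needed"))
        if section == "O16" and "file://" in body.lower():
            notes.append((section, body, "DPF object sourced from a local file rather than a vendor URL"))
    return notes


if __name__ == "__main__":
    h1, p1, e1 = parse_hjt_log(LOG_FIRST)
    h2, p2, e2 = parse_hjt_log(LOG_SECOND)
    removed, added = diff_entries(e1, e2)
    print(f"{h1['scan_time']} -> {h2['scan_time']}: {len(removed)} gone, {len(added)} new")
    for section, body in removed:
        print(f"  - {section} - {body}")
    for kind, text, reason in triage(p1, e1) + triage(p2, e2):
        print(f"  ! [{kind}] {reason}\n      {text}")
```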
maxxooxx
QUOTE (Hunter)
Please tell me why your HijackThis is now no longer in your "My Documents" folder compared to the last log you posted..and where are the other entries as above?

You seem to now be running HijackThis from

C:\DOCUME~1\Sal\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

Are you logged into your PC as Admin and full user account when you posted that last HijackThis log?

How many user accounts do you have set up on the PC..and are you the only one using that PC ?

To answer your last question first, I'm the only one using this machine and I was logged in as the Admin when I posted my first log.

I did run the hijackthis program from a different folder the second time because, and I know I'm going to sound stupid here but I've got to tell you what I did, I thought the first folder I created was a temp folder and wanted to make another that would be a ProgramFile folder as you told me to do. Looks like I screwed up and did it backwards. Anyway, I have run a scan from both folders and I get the same shortened version of a log as I posted. I have no idea why it doesn't give me all the info that it did the first time I ran the scan but it doesn't. I'm obviously doing something wrong but I'm not sure what it is. Am going to try to go back and run another scan and see if I can get it to come up with a complete log. Will come back and let you know how I made out.

OK, went back and ran it from the original copy I made and here are the log results:


Logfile of HijackThis v1.98.2
Scan saved at 2:27:07 PM, on 10/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sal\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

That looks a lot more like the original log I posted so I hope that this gives you the info you wanted. Let me know if this is what you needed to see and if there's anything I need to do based on the results.

And thanks for being so patient with me.
Bobbi Flekman
Hi maxxooxx,

This log is clean! I still have the idea that I'm missing a lot, but I can base an answer only on what you give. ;)

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....
maxxooxx
Hi Bobbi - Thanks again to you and Hunter for all your help in getting my machine uninfected. I've already done most of the things you've suggested to keep it protected and what I haven't done yet I'll do today. Even though the last scan I ran had more info than the previous one you obviously think that there should be more in the log. To try to come up with all the info you need I ran one last scan just now and here are the results. Hope this gives you what you were looking for. I am forever in your debt. :thumb:

Logfile of HijackThis v1.98.2
Scan saved at 12:18:09 PM, on 10/31/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sal\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
Bobbi Flekman
Hi maxxooxx,

this log is clean as well.
Bobbi Flekman
Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Invision Power Board © 2001-2009 Invision Power Services, Inc.