[sahyd2don]

I had 2 operating systems on my pc.win 98 and win xp professionsl,when i bought my nic card i had to upgrade my win98 to win xp.Now i have 2 operating systems both win xp both infected with syn_sent virus.I am posting hijack this of one operating system.My system configuration is p4 1.7 GHz,256 Mb Ram ,40 Gb HDD.My system is running very slow i suspect some malware on my pc.I have run trend office scan and spybot but didn't find any thing.Recently i ran command at command prompt netstat -an where i discovered a virus or some thing local address was 10.14.8.226 and forein address was 210.210.67.73:8080 state Syn_sent.the tecnetion said syn_sent is a virus.I am posting my hijack this please help me clean my pc.



Logfile of HijackThis v1.99.1
Scan saved at 12:29:14 AM, on 3/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\PO81ED.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\cobler\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashmyse...com/earn/id/373
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ACROBATREADRE\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F1E12F2-C0A3-4F75-9769-0CF3BFBB9C0E}: NameServer = 202.144.105.4,202.144.10.50
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

[Advertisements]

Hello sahyd2don and welcome to the G2G HijackThis forum. I see no signs of viruses or malware in the log.

A syn_sent message simply means that the operating system sent a request to a server and has not received a replay back (an ACK message). The ip of the server the request is going to is that of the ISP which is normal. The server has simply not replied to the request.

This file: C:\WINDOWS\TEMP\PO81ED.EXE makes me curious. It could be part of a software update but normally programs do not run from the temp folders. Let's clean those out while you are here.

Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Other than that you are good to go.

Cheers.

OT

[OldTimer]

Hello sahyd2don and welcome to the G2G HijackThis forum. I see no signs of viruses or malware in the log.

A syn_sent message simply means that the operating system sent a request to a server and has not received a replay back (an ACK message). The ip of the server the request is going to is that of the ISP which is normal. The server has simply not replied to the request.

This file: C:\WINDOWS\TEMP\PO81ED.EXE makes me curious. It could be part of a software update but normally programs do not run from the temp folders. Let's clean those out while you are here.

Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Other than that you are good to go.

Cheers.

OT

[sahyd2don]

Hello sahyd2don and welcome to the G2G HijackThis forum. I see no signs of viruses or malware in the log.

A syn_sent message simply means that the operating system sent a request to a server and has not received a replay back (an ACK message). The ip of the server the request is going to is that of the ISP which is normal. The server has simply not replied to the request.

This file: C:\WINDOWS\TEMP\PO81ED.EXE makes me curious. It could be part of a software update but normally programs do not run from the temp folders. Let's clean those out while you are here.

Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Other than that you are good to go.

Cheers.

OT

I have ATF cleaner i saw you people sugesting to use it to deleted unwanted file from the folder.I always do delete them when i logoff the internet but still my firs windowsXP installations hijack this which i has posted is very slow than the second windows xp installation.Please tell me what could have made it very slow.

[OldTimer]

Hi sahyd2don. It could be any number of things that impact a computer's performance. Since we have ruled out an infection I would suggest posting a question in the XP forum here: http://www.geekstogo...2003_NT-f5.html . They can assist with analyzing non-malware related system performance issues and recommend any changes or adjustments that might need to be made. They have the tools and technical talent there to look at all areas of the system.

Cheers.

OT