
HijackThis Log


  • Please log in to reply

#16
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
try those files one at a time in killbox, let me know which ones go through ok.
  • 0


#17
eaglet

    Member

  • Topic Starter
  • Member
  • 55 posts
I'll try that.

Edited by eaglet, 06 September 2005 - 08:12 AM.

  • 0

#18
eaglet

    Member

  • Topic Starter
  • Member
  • 55 posts
Okay. Did the files one at a time through Killbox and they all showed up in the logfile.

Here's the revised HJT file after the fixes you told me to make.

I'll do a virus scan and see if I get any alerts.

Logfile of HijackThis v1.99.1
Scan saved at 15:44:11, on 06/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOW\System32\smss.exe
C:\WINDOW\system32\winlogon.exe
C:\WINDOW\system32\services.exe
C:\WINDOW\system32\lsass.exe
C:\WINDOW\system32\svchost.exe
C:\WINDOW\System32\svchost.exe
C:\WINDOW\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOW\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOW\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOW\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cpfc.prem...uk/page/Welcome
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOW\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125476817452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125476791795
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...566/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FEEA85-2356-4BBB-BA15-CE11D19C9845}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOW\system32\drivers\KodakCCS.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  • 0
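Added example (not from the thread, and not HijackThis or Killbox code): a small parser for the HijackThis log format posted above. It pulls out the O4 Run values whose executable lives under a temp folder and the DNS servers set in the O17 entries, the two kinds of line a reviewer compares against what the machine is supposed to have. The sample lines are copied from the log above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOW\temp\NavBrowser.exe" /r /i "C:\WINDOW\temp\NavLoad.ini"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOW\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{540466FE-396D-4FAC-9EC3-A2617F8B5EFA}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# Every HijackThis finding is "<section code> - <body>"; the header and process list are not.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

@dataclass
class Entry:
    code: str   # section code such as "O4" or "O17"
    body: str   # everything after "<code> - "

def parse_hjt(text: str) -> list[Entry]:
    """Return the numbered findings in order, skipping header and process lines."""
    return [Entry(m["code"], m["body"]) for m in map(ENTRY.match, text.splitlines()) if m]

def o4_target(body: str) -> tuple[str, str]:
    """Split an O4 body into (value name, executable path); paths may be quoted."""
    head, sep, rest = body.partition("] ")
    if not sep:                      # e.g. Startup-folder entries with no [name]
        return body, ""
    name = head.rsplit("[", 1)[-1]
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        path = rest[1:end] if end > 0 else rest[1:]
    else:
        path = rest.split(" ", 1)[0]
    return name, path

def run_entries_in(entries: list[Entry], folder: str) -> list[str]:
    """Names of O4 Run values whose executable sits under \\<folder>\\ (case-insensitive)."""
    needle = "\\" + folder.lower() + "\\"
    return [o4_target(e.body)[0] for e in entries
            if e.code == "O4" and needle in o4_target(e.body)[1].lower()]

def nameservers(entries: list[Entry]) -> set[str]:
    """Distinct DNS servers across all O17 entries; compare these with the ISP's resolvers."""
    found: set[str] = set()
    for e in entries:
        if e.code == "O17":
            servers = e.body.partition("NameServer = ")[2]
            found.update(s.strip() for s in servers.split(",") if s.strip())
    return found
```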

#19
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
that looks clean; as long as there are no alerts, we licked it. :tazz:
  • 0

#20
eaglet

    Member

  • Topic Starter
  • Member
  • 55 posts
Hi bricat

I'm afraid not. I've just done a scan and found something called NTFSNLPA.exe.ren which ewido says has been deleted. BUT I've had another alert through McAfee showing C:\window\system32\rdsndin.exe.ren\rdsndin.exe.ren which it won't allow me to delete or quarantine.
  • 0

#21
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
boot up in safe mode and delete these 2; they should delete ok as they have been renamed.

C:\window\system32\rdsndin.exe.ren
C:\window\system32\NTFSNLPA.exe.ren
  • 0

#22
eaglet

    Member

  • Topic Starter
  • Member
  • 55 posts
I have deleted these in safe mode and rebooted. Did another full scan with Ewido but, although that did not show anything, again, whilst the scan was running I got three alerts from McAfee showing these paths:

C:\System Volume Information\_restore{28D0AC64-3704-4FC9-8C88-C698CCEBD023}\RP46\A0015966.exe\A0015966.EXE
C:\System Volume Information\_restore{28D0AC64-3704-4FC9-8C88-C698CCEBD023}\RP46\A0015966.exe\A0015966.EXE
C:\System Volume Information\_restore{28D0AC64-3704-4FC9-8C88-C698CCEBD023}\RP46\A0016038.exe\A0016038.EXE

and when I asked it to delete them I got a message saying:
"The file could not be deleted. Please check access rights to media where file is located"

So far though no reappearance of rdsndin or hclean.
  • 0

#23
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
DISABLE SYSTEM RESTORE to flush out your restore points, then
restart your System Restore (same page). Then create a new restore point:

click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE, click on "create new restore point",
click on NEXT and follow the prompts.

that should be the end of them. :tazz:
  • 0

#24
eaglet

    Member

  • Topic Starter
  • Member
  • 55 posts
Hi bricat

That seems to have done the trick. No more alerts so far! Many thanks for all your help with this - it's been brilliant. As a thank you, I've left a small Paypal donation.

Keep up the good work.
  • 0


#26
bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
glad you're sorted. :tazz: and thanks for the donation. it's really appreciated.
  • 0