Results 1 to 6 of 6
  1. #1
    Member
    Join Date
    Jul 2006
    Posts
    3
    Points
    0

    Default highjack this logfile, can anyone help

    can anyone understand my high jack this log file as i don't understand what
    it all means.
    thanks in advance.
    bennyc

    Logfile of HijackThis v1.99.1
    Scan saved at 10:04:25 PM, on 24/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\system32\ishost.exe
    C:\WINNT\system32\isnotify.exe
    C:\WINNT\system32\issearch.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\ismon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\ZipGenius 6\zipgenius.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZGTemp\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.ap.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153619750640
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36652F78-51BF-4123-B072-A9C65C3382FF}: NameServer = 203.0.178.191
    O21 - SSODL: contraposition - {3dab4d3e-1d45-406e-9cda-25227a7a2633} - C:\WINNT\system32\onofub.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  2. #2
    Member Spyware Fighter Clark76's Avatar
    Join Date
    Feb 2006
    Location
    Cleveland, Ohio
    Posts
    1,359
    Points
    239

    Default

    Hello

    You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJT , or another name of your choice. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.

    benc

  3. #3
    Member Oddjob's Avatar
    Join Date
    May 2004
    Location
    London, U.K.
    Posts
    1,981
    Points
    248

    Default

    Do as benc says and move the HJT folder to a permanent location.

    I recommend you print out these instructions to help you follow them.

    ----------------------

    Then disable Spybot's TeaTimer. To disable it right click the icon in the lower right corner of your screen then left click on “Exit Spybot – S&D Resident”.

    >>> Remember to re-enable TeaTimer after log is fixed

    ----------------------

    Download SmitfraudFix (by S!Ri) to your Desktop from here …..

    http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

    Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool". It is not a virus but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs therefore they may alert the user.

    ----------------------

    Turn on "Show all files and folders, including hidden and system"…
    http://www.bleepingcomputer.com/forums/tutorial62.html

    ----------------------

    Reboot into Safe Mode
    You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    How to start the computer in Safe mode ....

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    ----------------------

    Once in Safe mode open the SmitfraudFix folder and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" ... answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

    ----------------------

    Once back into normal mode please re-scan with HijackThis to produce a log.


    In your next post please include ….

    the rapport.txt,

    a fresh HijackThis log

    and

    an update on how your computer is operating now.


    OJ
    PLEASE DONATE. Help keep our site alive without ads.

    Help keep your computer protected. Read this > http://www.help2go.com/article152.html

  4. #4
    Member
    Join Date
    Jul 2006
    Posts
    3
    Points
    0

    Default

    Thanks for the reply guys.
    Here is the new High Jack This log file

    Logfile of HijackThis v1.99.1
    Scan saved at 6:04:51 PM, on 25/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ishost.exe
    C:\WINNT\system32\issearch.exe
    C:\WINNT\system32\ismon.exe
    C:\WINNT\system32\isnotify.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ZipGenius 6\zipgenius.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINNT\system32\ixt0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.ap.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153619750640
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36652F78-51BF-4123-B072-A9C65C3382FF}: NameServer = 203.0.178.191
    O21 - SSODL: contraposition - {3dab4d3e-1d45-406e-9cda-25227a7a2633} - C:\WINNT\system32\onofub.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    Will post the rest of the stuff later just got in from work.
    Once again thanks in advance

  5. #5
    Member
    Join Date
    Jul 2006
    Posts
    3
    Points
    0

    Default

    Sorry about the other post (thought it would take longer)
    Her is the new high jack this log

    Logfile of HijackThis v1.99.1
    Scan saved at 6:28:54 PM, on 25/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.ap.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153619750640
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{36652F78-51BF-4123-B072-A9C65C3382FF}: NameServer = 203.0.178.191
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


    Here is the rapport.txt log

    SmitFraudFix v2.75b

    Scan done at 18:22:26.67, Tue 25/07/2006
    Run from C:\Documents and Settings\administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "contraposition"="{3dab4d3e-1d45-406e-9cda-25227a7a2633}"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINNT\system32\onofub.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINNT\system32\ishost.exe Deleted
    C:\WINNT\system32\ismon.exe Deleted
    C:\WINNT\system32\isnotify.exe Deleted
    C:\WINNT\system32\issearch.exe Deleted
    C:\WINNT\system32\ixt?.dll Deleted
    C:\WINNT\system32\ot.ico Deleted
    C:\WINNT\system32\components\flx?.dll Deleted
    C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    The pc seems to be ok no icons in the task bar no pop ups the only problem i can see is avast will not update it says (Can't select any server for downloading (from 0) )
    This also happend yesterday but all looks good so far.
    once again Thanks for all your help
    bennyc

  6. #6
    Member Oddjob's Avatar
    Join Date
    May 2004
    Location
    London, U.K.
    Posts
    1,981
    Points
    248

    Default

    Disable TeaTimer again as you did before.

    ----------------------

    Open HijackThis ... click on "scan" ... put a tick/check mark next to the following two entries IF they are present ...

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm


    Remember to ensure ALL browser windows are closed (including this one) before clicking on "Fix Checked".

    ----------------------

    >>Remember to re-enable TeaTimer after this.

    ----------------------

    Reboot to normal mode.

    ----------------------

    As to your avast problem I don't know the answer. Have you tried a reinstall?

    You might try posting here ...

    http://forum.avast.com/

    and see if they have a solution.

    ----------------------

    Apart from that your logs are clean.

    I suggest you read through this now ...

    http://www.help2go.com/component/opt...topic/t,13775/


    Let us know if you need any more help.

    OJ
    PLEASE DONATE. Help keep our site alive without ads.

    Help keep your computer protected. Read this > http://www.help2go.com/article152.html