Solved

hijackthis.log

Posted on 2004-10-17
5
215 Views
Last Modified: 2010-04-11
Anything wrong? Take a look...

Logfile of HijackThis v1.97.6
Scan saved at 18:04:04, on 17/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\S4TSR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN APPS\UPDATER\01.02.3000.1001\PT-BR\MSNAPPAU.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\ARQUIVOS DE PROGRAMAS\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\ARQUIVOS DE PROGRAMAS\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Arquivos de programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARQUIV~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Programas\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Programas\MRU-Blaster\mrublaster.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
0
Comment
Question by:superquestions
  • 2
  • 2
5 Comments
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 65 total points
ID: 12334298
Hello superquestions =)

>> Anything wrong?
Yes version is too old :)

So Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines and click on Fix Checked !!

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)

!! GOOD LUCK !!
0
 
LVL 1

Author Comment

by:superquestions
ID: 12335753
There were four unknown running processes.

C:\WINDOWS\SM56HLPR.EXE    
Unknown   running process. (SM56HLPR.EXE)
   This is a unknown process.
  C:\WINDOWS\S4TSR.EXE    
Unknown   running process. (S4TSR.EXE)
   This is a unknown process.
  C:\WINDOWS\SYSTEM\ICSMGR.EXE    
Unknown   running process. (ICSMGR.EXE)
   This is a unknown process.
O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE    
Unknown   The entered application DisableEHCI was identified: None. Hit rate: 5 % (result)   Unknown application.
0
 
LVL 1

Author Comment

by:superquestions
ID: 12335758
I am sorry. 3 unknown running processes and 1 unknown application.
0
 
LVL 65

Assisted Solution

by:SheharyaarSaahil
SheharyaarSaahil earned 65 total points
ID: 12335832
>> C:\WINDOWS\SM56HLPR.EXE
this is valid >> http://computercops.biz/startuplist-3395.html

>> C:\WINDOWS\SYSTEM\ICSMGR.EXE
valid >> http://computercops.biz/startuplist-1543.html

>> O4 - HKLM\..\Run: [DisableEHCI] C:\WINDOWS\S4TSR.EXE
Fix this entry, its not reported as nasty or suspisious,,,, but its not a known or identified process. so better fix it !!

anything else :)
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 60 total points
ID: 12337765
Getting rid of the problem...

1)  Run a full Stinger scan in Safe Mode - http://vil.nai.com/vil/stinger/
2)  Install and run LavaSoft AdAware - http://www.lavasoftusa.com/support/download/
3)  Download and run latest version of HijackThis (HJT) http://www.tomcoyote.org/hjt/
4)  Post the log at http://www.hijackthis.de/index.php?langselect=english
5)  Run MSBA - http://www.microsoft.com/technet/security/tools/mbsahome.mspx & take appropriate patching action

Stopping it happen again...

1)  Ensure WindowsUpdate is set to update your system
2)  Download a pop-up blocker - eg toolbar.google.com
3)  Install Lavasoft AdAware and run regular scans, or just leave it and have it handy for when problems start recurring.
4)  Keep your AV software up to date - daily updates recommended
5)  Enable Internet Connection Firewall, or use ZoneAlarm if you don't use XP
6)  Stay vigilant.  Don't bother opening non-work related email attachments, or install an on-access virus scanner so that it doesn't matter if you do.
7)  Look at a host IPS - eg www.prevx.com to cover your machine between when a virus hits the wild and when a patch is finally released that fixes it.  Average time is roughly 6 days.
8)  Take an online privacy test http://www.anonymizer.com/privacytest/2.0/privacytest.cgi?test=2
9)  Set IE Privacy to High - IE > Tools > Internet Options > Privacy
10)  Reset Internet Zone Security to High - IE > Tools > Internet Options > Security > Custom > (Select High) > Reset
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now