system
March 5, 2005, 3:38am
1
When recently playing a game, which had virus/hack protection, it wouldn't let me play and closed, and an error for explorer.dll as a virus/whatever came up.
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:33:05 PM, on 3/4/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\System32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\ProcessGuard\dcsuserprot.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.exe
E:\WINNT\SOUNDMAN.EXE
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ProcessGuard\pgaccount.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Eraser\eraser.exe
E:\Program Files\ProcessGuard\procguard.exe
E:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
E:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
E:\Program Files\Valve\Steam\Steam.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Documents and Settings\BH\Desktop\ProcExp.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\BH\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ATICCC] “E:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime
O4 - HKLM..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM..\Run: [!xSpeed] C:!xSpeed!xSpeed.exe reg
O4 - HKLM..\Run: [QuickTime Task] “E:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [!1_pgaccount] “E:\Program Files\ProcessGuard\pgaccount.exe”
O4 - HKLM..\Run: [hProtect.exe] E:\WINNT\System32\hProtect.exe
O4 - HKLM..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MsnMsgr] “E:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Eraser] E:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU..\Run: [!1_ProcessGuard_Startup] “E:\Program Files\ProcessGuard\procguard.exe” -minimize
O4 - Global Startup: ATI CATALYST System Tray.lnk = E:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = E:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - E:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WMP11 - Unknown owner - E:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
So, can anyone tell me if I have anything to be worried about?
system
March 5, 2005, 11:15am
2
Hi Paladin,
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
o4 - HKLM..\Run: [SpyHunter] E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
o4 - HKLM..\Run: [hProtect.exe] E:\WINNT\System32\hProtect.exe
o4 - HKLM..\Run: [!xSpeed] C:!xSpeed!xSpeed.exe reg
o16 - dpf: {04e214e5-63af-4236-83c6-a7adcbf9bd02} (housecall control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
o16 - dpf: {48884c41-efac-433d-958a-9fadac41408e} (egamesplugin class) - https://www.e-games.com.my/com/egamesplugin.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
o4 - hklm..\run: [loadqm] loadqm.exe
o4 - hklm..\run: [quicktime task] “e:\program files\quicktime\qttask.exe” -atboottime
o4 - hkcu..\run: [msnmsgr] “e:\program files\msn messenger\msnmsgr.exe” /background
Also, if you don't know what "!xSpeed.exe" is, then I suggest you delete the folder below:
C:\!xSpeed
Also, I would suggest uninstalling SpyHunter, as it has a bit of a bad reputation; see this link for more info: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note
Also, you may want to run through the malware removal steps here: http://members.home.nl/edeijl/ache/cleaning.htm
Also, I can see that you use WiFi (wireless network). You may want to look into securing it more if you feel you are under threat from hacks. If you are interested, see the link below; it's a little old now, but it has links to up-to-date info as well:
http://www.g4tv.com/screensavers/features/40616/Secure_Your_WiFi.html
Then redo and repost your hijackthis log so we can confirm your system is clean.
–lee
DavidR
March 5, 2005, 1:14pm
3
A visit to Windows Update would be advised, as your Win2k has had a number of SPs. Also, you should update IE, even if you don't intend to use it (I see the entry for Firefox). IE is highly integrated into Windows, so a vulnerability in IE could lead to an OS vulnerability.
Eddy
March 5, 2005, 1:16pm
4
What David has said also goes for MS-Office. Keeping your system up-to-date is nowadays a must for computer users.
system
March 5, 2005, 2:48pm
5
I could be wrong, but isn't it better to make sure all malware is gone first before trying Windows Update? I was told that if you are infected it could direct you to a "bad" website or "fake" update site.
Or is this only with host file hijacks?
–lee
DavidR
March 5, 2005, 6:15pm
6
Chicken and egg, which came first?
The order doesn't really matter, but the longer you are exposed to vulnerabilities, the greater the risk of virus infection, which may well be much more serious than adware/spyware/malware. You could well be chasing your tail cleaning up malware rather than closing vulnerabilities.
Ultimately the user decides.
system
March 5, 2005, 7:24pm
7
OK, here's the new one:
Logfile of HijackThis v1.99.1
Scan saved at 11:18:23 AM, on 3/5/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\System32\Ati2evxx.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\ProcessGuard\dcsuserprot.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.exe
E:\WINNT\SOUNDMAN.EXE
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\ProcessGuard\pgaccount.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Eraser\eraser.exe
E:\Program Files\ProcessGuard\procguard.exe
E:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
E:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
E:\Documents and Settings\BH\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll ,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\system32\msdxm.ocx
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ATICCC] “E:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime
O4 - HKLM..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM..\Run: [!xSpeed] C:!xSpeed!xSpeed.exe reg
O4 - HKLM..\Run: [QuickTime Task] “E:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [!1_pgaccount] “E:\Program Files\ProcessGuard\pgaccount.exe”
O4 - HKLM..\Run: [hProtect.exe] E:\WINNT\System32\hProtect.exe
O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MsnMsgr] “E:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Eraser] E:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU..\Run: [!1_ProcessGuard_Startup] “E:\Program Files\ProcessGuard\procguard.exe” -minimize
O4 - Global Startup: ATI CATALYST System Tray.lnk = E:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = E:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - E:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WMP11 - Unknown owner - E:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
Uh... and I think I have a problem with avast! Home Edition; it says it can't find ashAvast.dll.
Any help with that?
(Actually it's a MUCH longer message.)
The dynamic link library ashBase.dll could not be found in the specified path E:\Program Files\Alwil Software\Avast4;.;E:\WINNT\system32…etc…
Edit: fixed that message.
I downloaded the Home Edition and got it to work. How do I register it?
I already got the key from my email; I just don't know where to put it.
Eddy
March 5, 2005, 7:37pm
8
You still haven’t updated your system.
This is the result of my HijackThis log analyzer:
CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:
You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
Your operating system is not up to date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.
THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
o16 - dpf: {04e214e5-63af-4236-83c6-a7adcbf9bd02} (housecall control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
o16 - dpf: {48884c41-efac-433d-958a-9fadac41408e} (egamesplugin class) - https://www.e-games.com.my/com/egamesplugin.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:
o4 - hklm..\run: [loadqm] loadqm.exe
o4 - hklm..\run: [quicktime task] “e:\program files\quicktime\qttask.exe” -atboottime
o4 - hkcu..\run: [msnmsgr] “e:\program files\msn messenger\msnmsgr.exe” /background
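An added Python example (not the analyzer Eddy ran, nor any HijackThis code) that parses log lines in the format posted in this thread and applies the kinds of checks made in posts 2 and 8: header versions, O16 downloaded ActiveX controls, O23 services whose file is missing, and O4 autoruns by name or by location. The "latest" version, IE threshold and trusted roots are assumptions; the sample log is constructed from a few of the posted entries.

```python
import re

# Constructed sample in the HijackThis v1.99.1 format seen in this thread (a few of the posted entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!xSpeed] C:\!xSpeed\!xSpeed.exe reg
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

LATEST_HJT = "1.99.1"   # assumption: the version the analyzer in post 8 accepted as current
MIN_IE_MAJOR = 6        # assumption: anything older than IE 6 is reported as outdated
TRUSTED_ROOTS = (r"e:\winnt", r"e:\program files", r"e:\progra~1")  # hypothetical policy for this machine
REVIEW_NAMES = {"!xspeed", "hprotect.exe", "spyhunter"}              # the O4 names post 2 singled out

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def autorun_path(rest):
    """Executable path from the text after '[name]' in an O4 Run entry (quoted, or up to the first .exe)."""
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", rest, re.I)
    return m.group(1) if m else rest

def analyze(log_text):
    """Return (entry type, finding) tuples for the header and entry checks described in posts 2 and 8."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')  # the forum re-encoded quotes as curly ones
        if line.startswith("Logfile of HijackThis v") and line.rsplit("v", 1)[1] != LATEST_HJT:
            findings.append(("header", "old HijackThis version " + line.rsplit("v", 1)[1]))
        elif line.startswith("MSIE:"):
            major = int(re.search(r"v(\d+)", line).group(1))
            if major < MIN_IE_MAJOR:
                findings.append(("header", "old Internet Explorer v%d" % major))
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O16":  # every downloaded ActiveX control is listed for review, as the analyzer does
            findings.append((kind, "downloaded ActiveX control: " + body))
        elif kind == "O23" and "(file missing)" in body:
            findings.append((kind, "service points at a missing file: " + body))
        elif kind == "O4" and "Run:" in body:
            name = body.partition("] ")[0].split("[", 1)[-1]
            path = autorun_path(body.partition("] ")[2]).lower()
            if name.lower() in REVIEW_NAMES:
                findings.append((kind, "autorun named in the helper's list: " + name))
            elif ":\\" in path and not path.startswith(TRUSTED_ROOTS):
                findings.append((kind, "autorun outside the expected roots: " + path))
    return findings
```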
system
March 5, 2005, 7:39pm
9
OK, I know what those things are, and I need them, so no problems there.
So all that's left to do is update?
Thanks for all your help!
Eddy
March 5, 2005, 7:44pm
10
Yup, go HERE and keep going there until ALL security patches/updates have been installed (including the service pack[s]).
At the top of that site is also a link to the Office update. Do the same there.