I have a router yes it’s right.
192.168.0.1 is my routers IP.
When i search with HiJack there’s no smss.exe found.
So everything is ok for now i think?
Am i right?
Really thank you all.
Its looking good and if you’re satisfied with that so be it.
But I would still run the extra scans I mentioned to double check, then post one last HJT log. And for sure fix the 04 entry and get the firewall and updates. Its up to you.
Hi,
I’m having exactly the porblem as vbs. I use XP Pro. My firewall is ZoneAlarm. I had shut it down for about an hour, I think that’s when I got infected though I’m not sure how. Below is my Hijackthis log. I would really appreciate your insights before doing anything on my own.
Logfile of HijackThis v1.99.1
Scan saved at 18:53:19, on 27.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\GamePark\gameparkclient_en.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=4&updtReqId=828709123
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ttnet.net.tr:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [Daemon14] C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
O4 - HKLM..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime
O4 - HKLM..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration Prince of Persia Warrior Within.LNK = C:\Program Files\Ubisoft\Prince of Persia Warrior Within\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: ATI CATALYST Sistem Tepsisi.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O15 - Trusted Zone: http://www..com
O15 - Trusted Zone: http://www..com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.ntvmsnbc.com/download/nm1228.cab
O16 - DPF: {2FF18E30-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.02) - http://www.ntvmsnbc.com/download/nm0321.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip..{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
Thank you really very much for your attention. I look forward to receiving your comments.
By the way, I have run a full scan with AdAware, and it didn’t come up with the solution either.
Welcome to the forum QoL. Sorry for the delay - I was away for a few days.
My advice regarding C:\WINDOWS\system\smss.exe is the same for you. Copy the file to CD and delete it (in safe mode if necessary) making sure you do not delete the file with the same name in the System32 folder.
Also fix this line with HijackThis
O4 - HKLM..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
Your Trusted Zone has been set to an insecure level and the lines
O15 - Trusted Zone: http://www.***.com
can be fixed unless you have a specific purpose for this (there are two lines that read the same).
Your version of java is a little old and should be updated
http://www.java.com/en/download/manual.jsp
Make sure you uninstall the old version after installing the new.
This line
O17 - HKLM\System\CCS\Services\Tcpip..{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14
needs your attention. Do you recognize the addresses? They are registered to Turk Telekom which may be your ISP.
You also need to decide if you want Download Accelerator Plus and IMesh on your computer. The free versions of the programs are a source of adware and spyware but if you want the programs and are willing to accept the risks then leave them alone.
Strange, the owner is Alwil Software :
:
Ignore any references to 023 entries for avast, this is a bug in the HJT 1.99.1. Hijackthis is searching for ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service’ (including double quotes and ‘/service’ parameter) as a file, this causes ‘file missing’, because only present is ‘C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe’.
I have done these and the Avast alert for trojan has stopped, thank you:)
Your Trusted Zone has been set to an insecure level and the linesO15 - Trusted Zone: http://www.***.com
can be fixed unless you have a specific purpose for this (there are two lines that read the same).
I didn’t want the addresses to be exposed on the internet, so I put the “***” instead of the real url’s.
Your version of java is a little old and should be updatedhttp://www.java.com/en/download/manual.jsp
Make sure you uninstall the old version after installing the new.
I am currently installing the Java Runtime Environment Update 10. After finishing that installation am I supposed to uninstall the J2SE Runtime Environment 5.0 Update 2 (117 MB), J2SE Runtime Environment 5.0 Update 4 (118 MB), J2SE Runtime Environment 5.0 Update 6 (119 MB) that I see on the Add/Remove programs in Control panel?
This lineO17 - HKLM\System\CCS\Services\Tcpip..{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14
needs your attention. Do you recognize the addresses? They are registered to Turk Telekom which may be your ISP.
My ISP is Turk Telekom, yes, does that mean that I need not pay attention to that line? Or should I investigate further?
You also need to decide if you want Download Accelerator Plus and IMesh on your computer. The free versions of the programs are a source of adware and spyware but if you want the programs and are willing to accept the risks then leave them alone.I'll take your advise regarding these programs as well.
Thank you very much for all the time and effort you spent in helping me. They have been invaluable really…
OK. No problem.
Yes, uninstall all versions older than Update 10.
As long as you can confirm that this is your ISP there’s no need to do anything further.
If you’re uninstalling these try add/remove programs first. After unistalling DAP look for any remnants in C:\Program Files\DAP and C:\Program Files\SideFind. Delete these manually if found. With iMesh make sure you uninstall both iMesh 5 and iMesh Bar. Delete your temp files and do a light registry cleaning afterward. CCleaner should be sufficeint for this
If you’re installing CCleaner for the first time make sure to un-check the Yahoo Toolbar option since you probably don’t want this.
And your welcome for the help. Come back often.
Although this may not be the right place to ask, I’ll take a chance.
I have installed and used cccleaner a few weeks ago, but I think I made a mistake somewhere. I can’t use any run commands any more (like msconfig), Windows gives error “cannot be found” or something similar. How can I solve that issue? Should I use the Windows Xp CD for repair function?
I would be surprised if CCleaner caused this but you could try restoring the registry back up (assuming you created one) to see if this helps.
Otherwise your idea sounds like its worth a try.