-
July 15th, 2004, 01:10 PM
#1
HijackThis
Hi I have the javascript problem
This is the log from HijackThis, please will someone advise me on what to delete.
Thanks
Logfile of HijackThis v1.97.7
Scan saved at 19:02:37, on 15/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\My Downloads\WinZip\WZQKPICK.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVLTMAIN.EXE
C:\MYDOWN~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - Global Startup: WinZip Quick Pick.lnk = C:\My Downloads\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7DAF58B-CE62-4F4C-908A-CD9E4967E6A7}: NameServer = 80.189.92.2 80.189.94.2
-
July 15th, 2004, 02:13 PM
#2
Registered User
Looks pretty clean to me. The biggest threat is C:\Program Files\eDonkey2000\edonkey2000.exe (as is any peer to peer service), although I don't see it listed in the registry, only as a running service.
I would try deleting this:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7DAF58B-CE62-4F4C-908A-CD9E4967E6A7}: NameServer = 80.189.92.2 80.189.94.2
and possibly these:
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.
-
July 16th, 2004, 01:05 AM
#3
Registered User
first, i wanna say, i am no expert. take my advice with a grain of salt.
i don't really know what your problem is, but i can give some advice for what i see.
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
what is this?
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
what is this?
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
do you really need this to start?
C:\My Downloads\WinZip\WZQKPICK.EXE
C:\MYDOWN~1\WINZIP\winzip32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\My Downloads\WinZip\WZQKPICK.EXE
you don't need winzip starting with the cpu, it'll come on when you need it.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
You really don't need these. the about blank page suggests a browser hacker though. google BHODemon, and use that.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
This is for your video card. DO _N_O_T_ DELETE THIS! you need it.
-
July 16th, 2004, 01:34 AM
#4
Registered User
 Originally Posted by tyr888
first, i wanna say, i am no expert. take my advice with a grain of salt.
i don't really know what your problem is, but i can give some advice for what i see.
what is this?
what is this?
do you really need this to start?
you don't need winzip starting with the cpu, it'll come on when you need it.
You really don't need these. the about blank page suggests a browser hacker though. google BHODemon, and use that.
This is for your video card. DO _N_O_T_ DELETE THIS! you need it.
I would suggest you try Google,
you will find "CDANTSRV.EXE" is 'C-Dilla Ltd / Macrovision'
"\Ulead Systems\DVD\ULCDRSvr.exe" is probably related to above
you find "Iomega" is his Zip drive
"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing"
that only suggests it hasn't been set or deleted
Do a little research please before suggesting to people to delete or turn off things without knowing what they are, OK.
Last edited by GrandDad; July 16th, 2004 at 01:43 AM.
-
July 16th, 2004, 03:57 AM
#5
Driver Terrier
Good advice Grandad
Ndraper, you have wintools
C:\WINDOWS\system32\winlogon.exe
you need to get rid of it and edonkey!
the last link in the first post here has a link to removing wintools.
You should read the rest of the post so that you know how to deal with future spyware.
-
July 16th, 2004, 06:13 AM
#6
Registered User
You sure about the wintools Noo? C:\WINDOWS\system32\winlogon.exe is a valid windows system file. I thought it was bad only when not in the system32 directory.
http://www.answersthatwork.com/Taskl...tasklist_w.htm
-
July 16th, 2004, 06:24 AM
#7
Driver Terrier
-
July 16th, 2004, 02:00 PM
#8
Registered User
The bad one is winlogin.exe
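The check described in the two posts above (a system file name is only trustworthy when it runs from its expected folder, and winlogin.exe imitates winlogon.exe), as an added example that is not part of the original thread. The baseline list, the function names and the sample log are assumptions made for the illustration.

```python
import ntpath
import re

# Assumed baseline: where these core Windows XP binaries normally live.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {n: SYS32 for n in ("smss.exe", "winlogon.exe", "services.exe",
                                   "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def running_processes(log_text):
    """Paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and re.match(r"[A-Za-z]:\\", line):
            paths.append(line)
        elif in_section and line:
            break  # first non-path line (R0, O4, ...) ends the section
    return paths

def audit(log_text):
    """Flag system names in the wrong folder and one-character lookalikes."""
    findings = []
    for path in running_processes(log_text):
        folder, name = ntpath.split(path.lower())
        if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            findings.append((path, "expected in " + EXPECTED_DIR[name]))
        elif name not in EXPECTED_DIR:
            findings += [(path, "lookalike of " + good) for good in EXPECTED_DIR
                         if edit_distance(name, good) == 1]
    return findings

# Constructed sample: the winlogin.exe and C:\WINDOWS\svchost.exe lines are invented.
SAMPLE = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\winlogin.exe
C:\WINDOWS\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/"""
```

Calling `audit(SAMPLE)` reports only the two constructed lines; the genuine winlogon.exe in system32 and IEXPLORE.EXE (two edits away from explorer.exe) are not flagged.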
-
July 16th, 2004, 07:57 PM
#9
Well first off GET A BETTER AV god... get Kaspersky it's the best HANDS DOWN. i use kav to test hexing Servers. and Tds-3 is very good for scanning. use google to get them trial
-
July 17th, 2004, 02:31 PM
#10
Registered User
 Originally Posted by GrandDad
I would suggest you try Google,
you will find "CDANTSRV.EXE" is 'C-Dilla Ltd / Macrovision'
"\Ulead Systems\DVD\ULCDRSvr.exe" is probably related to above
you find "Iomega" is his Zip drive
Do a little research please before suggesting to people to delete or turn off things without knowing what they are, OK.
(i erased the middle part, with the start pages)
i never told him to delete those, i said i didn't know what it was,
and said it so that he would look into it, in the event that he didn't
know what it was either.
i'm not mad though, like many people who get oversensitive about
being rebuked, but yea, i could have checked further into
that myself. that is why at the top, i posted that i am not an
expert.
also, my zip drive doesn't show up on my hijack log, and it works fine,
that's why i ask if he needs them there.
That which is is that which was, that which will be again.
And this, i see, will once more be, not that i give a damn.
-
July 17th, 2004, 03:01 PM
#11
Registered User
 Originally Posted by tyr888
(i erased the middle part, with the start pages)
i never told him to delete those, i said i didn't know what it was,
and said it so that he would look into it, in the event that he didn't
know what it was either.
i'm not mad though, like many people who get oversensitive about
being rebuked, but yea, i could have checked further into
that myself. that is why at the top, i posted that i am not an
expert.
also, my zip drive doesn't show up on my hijack log, and it works fine,
that's why i ask if he needs them there.
I understand that.
The whole thing is to be careful of what and how you may say or tell somebody to do, many that come here may be a first time PC buyer or user and have no idea of what or how to do something.
I'm no expert either and I and others have been asked to be more careful.
so you're not the first or will be the last one.
You're more than welcome to help around here if you wish to.
Like they say, the more the merrier.
-
July 18th, 2004, 02:48 PM
#12
I have removed the panda titanium antivirus software, but still am not sure what to delete as I had mixed messages.
Here is the most recent log.
Thanks
Logfile of HijackThis v1.97.7
Scan saved at 20:47:06, on 18/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\My Downloads\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Downloads\Apps\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\My Downloads\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7DAF58B-CE62-4F4C-908A-CD9E4967E6A7}: NameServer = 80.189.92.2 80.189.94.2
-
July 18th, 2004, 04:47 PM
#13
Driver Terrier
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7DAF58B-CE62-4F4C-908A-CD9E4967E6A7}: NameServer = 80.189.92.2 80.189.94.2
Is the only one I would get rid of....everything else looks fine.
-
July 19th, 2004, 12:31 AM
#14
Registered User
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7DAF58B-CE62-4F4C-908A-CD9E4967E6A7}: NameServer = 80.189.92.2 80.189.94.2
on an ip lookup, 80.189.92.2 and 80.189.94.2 appear to come from
http://brightview.com/home/index.html . Ndraper, do you know who they are? are they your email company or something?
-
July 19th, 2004, 11:32 AM
#15