Hey guys and gals, My computer is acting up. The firewall (Sygate) will shut down as soon as I boot up, I can't back-up movies as I get errors (which was working fine before). I'll post a HijackThis log. Any suggestions would be great. Thanks in advance. Logfile of HijackThis v1.99.1 Scan saved at 7:57:40 PM, on 6/4/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\PeerGuardian2\pg2.exe C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe C:\Program Files\Palm\HOTSYNC.EXE C:\Program Files\Common Files\Teleca Shared\Generic.exe C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\**\Desktop\HijackThis\Scanner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
Well, A*** R*******, I know know your real name, and so does whoever planted KGB keylogger on your system. I suggest you cancel all your credit cards, and change all your passwords.
Okay, I took my name out, and I know about the keylogger being put on it. Although, I thought I took it off. How would I go about getting it off my computer? Anything else popping out at you guys?
Please work through these steps and see if that improves your situation. Set your system to show hidden files. Scroll down the instructions here to find the ones for your operating system: http://www.bleepingcomputer.com/tutorials/tutorial62.html You can reverse these setting changes after you finish cleaning your system. (Edited to fix link error.) Get ATF cleaner here: http://www.atribune.org/content/view/25/2/ Print the instructions. (I am going to ask you to run an online scan, my objective with this cleaner is to have you clean all the temporary file locations and all the cookies you do not have a reason to save. This will reduce the amount of “infected” items the online scan will catch. You do not need to clean the history and prefetch files if you do not want to. For the keylogger: O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe First check the add/remove programs for anything relating to it. If you find anything, run the remove. Next, go to C:\Program Files\KGB Keylogger and try to delete that folder. If the folder will not delete, delete as many files inside of it as you can. If the winlogons.exe file will not delete because it is in use, HijackThis has a delete file on reboot option in its misc tool section. Try that on the winlogons file. I’ll get you more instructions on that if you need them. After you get the keylogger folder removed, have HijackThis fix these lines. (The only reason I included the last two is because they indicated missing files.) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) Then reboot the system. Please run the atf cleaner. Then please do an online scan. This one will not fix anything, but it is a good scan for catching things. Infections will show up on the screen report as little skulls. Those are the lines we will be interested in. Please do an online scan with Kaspersky Online Scanner: http://www.kaspersky.com/virusscanner 1. Click on Kaspersky Online Scanner. 2. You will be prompted to install an ActiveX component from Kaspersky, click Yes. 3. The program will launch and then begin downloading the latest definition files. 4. Once the files have been downloaded click on Next. 5. Now click on Scan Settings. 6. In the scan settings make sure that the following are selected: o Scan using the following Anti-Virus database: Extended o Scan Options: Scan Archives Scan Mail Bases 7. Click OK. 8. Now under select a target to scan: o Select My Computer. 9. This program will start and scan your system. 10. The scan will take a while so be patient and let it run. 11. Once the scan is complete it will display if your system has been infected. o Now click on the Save Report As button. o In the File name: field, type kavscan. o In the Save as type: field, select Text file (*.txt). 12. Save the file to your desktop. 13. Copy and paste that information in your next post. Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%. Then I think you should do a check for rootkits. If something shows up, I’ll probably have to ask for help in advising you on getting rid of it, but the first thing is just to check it out. Let AVG Antirootkit scan • Download the Beta Version of AVG AntiRootkit and save it to your desktop. • (at the bottom of this link • http://free.grisoft.com/doc/5390#avg-anti-rootkit-free ) • Install the program. All applications must be closed. You will have to restart your system. • Start antiRootkit.exe in its own folder. • Click onto the button "Search for Rootkits". • When the scan is finished, click the button "Save result to file", rename this log to log1. • Click the button "Perform in-depth search". You may not do anything on your machine while the scan is running. • When the scan is finished, click onto the button "Save result to file", rename this log to log2. • Locate avgark.log in the Grisoft folder, copy its content and post it. Then post a fresh hjt log, the Kaspersky scan log, and the rootkit log. Thanks. bc
Thanks for the response. I noticed the last 2 files you mention when I posted. Should I un & reinstall Avast since it has missing files? I'll get to work on your suggestions when I get home (at work now). Thanks again.
Hi, I don't have the experience to give you a good answer on the avast question, just thinking about what I would do if it was my computer, I think I would do the scans first and fix the things they find and then do the avast reinstall. bc
Just wanted to leave a little update. I set it to show hidden files, already knew how to do that (BTW your link just brings me to this thread). Got the ATF cleaner and ran it. Though you should know I have Firefox set to clean everything everytime I close the browser. I also have a program for IE for when I have to use it (rarely). I think it's called IE privacy keeper. Cool little program. I don't remember how I removed the key logger before (uninstall, add & remove, ect.) but obviously it didn't get everything. I looked in add & remove, nothing. I tried going to it's location, nothing. Any ideas? I should be doing the rest tonight. If it makes any difference, it seems to crash everytime I run DVD Shrink.
