Logfile of hijackthis

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stipey, Mar 3, 2004.

  1. stipey

    stipey Private E-2

    hi all knowledgeable people. i've been directed to hijackthis from the good people at the annoyance forum. see, this was my problem.

    i'm having unprecedented trouble with windows xp pro. my internet is always on, as is kazaa lite & pop-up stopper.
    - i can't save any downloads nor can i even save ANYTHING in any programs. it hangs when i try to open something also. when i press on save, i get program not responding, and then i gotta click the button 'end now'.
    - anything i typed straight into the internet explorer will not take effect. funny cos if i were to open a site from a link or favorites, it's ok.
    - if i were to ctrl-alt-delete, the task manager will not load; it stays in system tray so i can't end any task.

    this has been happening for the past 2 weeks. i've already tried the following:
    - search this forum extensively for similar problems
    - FixMyDoom
    - AdAware
    - Spybot
    - Online virus scan wif http://housecall.trendmicro.com and pandascan
    - tried Type into RUN...sfc(space)/scannow... for missing windows files wif my winxp cd

    BUT ALL TO NO AVAIL. if there are any suggestions on how to interact with this problem i would be VERY VERY grateful. they have told me to take off kazaa lite and i've done that.

    i've also used hijackthis and below is my log file. i sincerely hope anyone can help me interpret the log file and instruct me on what to do next. Thanks a lot in advance, really.
    /a computer idiot, stipey.
    Logfile of HijackThis v1.97.7
    Scan saved at 12:03:45 AM, on 3/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\drivers\svchost.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Al Sim\Desktop\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
    O4 - Startup: Shortcut to Prolink 8000.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://gemssharepoint2.ntu.edu.sg/igems/Portal/resources/msddsc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60F753C7-3649-4BBD-80B6-D6BDD8DD2831}: NameServer = 165.21.83.88 165.21.100.88
     
  2. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    just had a quick look and you have a variant of the welchia worm
    C:\WINDOWS\System32\drivers\svchost.exe
    should only be found in system32 not with the drivers

    worm info

    please read that info concerning removal and make sure you disable system restore first and afterwards make sure you go and get all your windows updates
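
Added example, not part of the original thread: the check described in the post above (a core Windows process name running from a directory other than its expected one) applied to the "Running processes" section of a HijackThis log. The sample is an excerpt of the first log in this thread; the expected-directory table assumes a default Windows XP layout under C:\WINDOWS, and the function names are hypothetical.

```python
import ntpath
import re

# Assumption: default XP install (%SystemRoot% = C:\WINDOWS). Lower-cased
# image name -> the only directory that image is expected to run from.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # first F/O/R entry ends the process list


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and ENTRY_RE.match(line):
            break
        elif in_section and line:
            paths.append(line)
    return paths


def misplaced_system_images(paths):
    """Return paths whose file name is a known system image in the wrong directory."""
    flagged = []
    for path in paths:
        directory, image = ntpath.split(path)  # Windows path rules on any OS
        expected = EXPECTED_DIRS.get(image.lower())
        if expected is not None and directory.lower() != expected:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in misplaced_system_images(running_processes(SAMPLE_LOG)):
        print("unexpected location:", hit)
```

A name-and-path comparison like this is a triage aid only: it says nothing about a file that sits in the expected directory, so it does not replace an antivirus scan.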
     
  3. stipey

    stipey Private E-2

    thanks a lot xflat!!!! i've removed uninstalled that evil plaxo. i've also installed and registered the panda antivirus platinum 7 w/ firewall. and this is what came up -
    virus found W32/Nachi.b.worm
    path: C:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\tpvwldfu\wkspatch[1].exe
    results: disinfected


    here's my processes off the windows task manager
    notepad.exe
    ctfmon.exe
    psfree.exe
    apvxdwin.exe
    iface.exe
    point32.exe
    notifyphonebook.exe
    rundll32.exe
    avengine.exe
    iexplore.exe
    pavsrv51.exe
    pavfires.exe
    nvsvc32.exe
    explorer.exe
    spoolsv.exe
    iexplore.exe
    svchost.exe local service
    svchost.exe network service
    svchost.exe system
    svchost.exe system
    taskmgr.exe
    lsass.exe
    services.exe
    winlogon.exe
    csrss.exe
    smss.exe
    pavproxy.exe
    system
    system idle process


    and here's the latest hijackthis log i just did 5 mins ago

    Logfile of HijackThis v1.97.7
    Scan saved at 1:24:00 PM, on 3/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Al Sim\Desktop\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Shortcut to Prolink 8000.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://gemssharepoint2.ntu.edu.sg/igems/Portal/resources/msddsc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60F753C7-3649-4BBD-80B6-D6BDD8DD2831}: NameServer = 165.21.83.88 165.21.100.88

    Thanks really for helping somemore!!!!!!!!! :D
     
  4. stipey

    stipey Private E-2

    Thanks General!!!!!!
    as stated below i've gotten rid of the virus u mentioned hopefully as found by the panda antivirus platinum 7 w/ firewall.

    virus found W32/Nachi.b.worm
    path: C:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\tpvwldfu\wkspatch[1].exe
    results: disinfected

    is this it? or did panda not find the virus u mentioned???

    THANKS ALOT!!!!
     
  5. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    hi stipey yes that's the one if you read the link i posted it will explain it better looks like you're sorted now with panda :)
    Anyway just a spot of housekeeping if you like close all browser windows re-run hijack this and check and fix these
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O4 - Startup: Shortcut to Prolink 8000.lnk = ?
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    the last one you can leave if you are planning on doing an online scan again but shouldn't be necessary with panda installed
    that's all i can see at the moment someone else may drop by and spot something so keep a check over the next day or so

    Agreed with my MONKey m8 you have a lot of programs auto running if you feel you need to trim the list to free up ram go to start menu-run-type msconfig and select the start-up tab you can there cross reference with the list at this site here
    http://www.sysinfo.org/startuplist.php?filter=&count=&type=
    read the description and disable any you don't need bearing in mind most of these programs will still work from their shortcuts just wont be clogging up your system tray
    if you disable any you will be prompted to reboot after applying and closing msconfig, after reboot you will receive a pop-up from windows don't worry about that just check the box not to show msg again and press ok :)


    good luck and happy surfing :D
     
  6. stipey

    stipey Private E-2

    thanks xflat!

    Thanks once again xflat!!! :D i do have several things to kill like u mentioned as the puter is indeed running a tad slow.
    anyhow i think it's all the fault of my greed and kazaa that got me to where i am. thank god for kind people like u and General that i can still remedy this box!
    however, i do need your guidance on what that notifyphonebook.exe is and how to get it off! i mean i tried going to the file and seeing what it's about but nothing happens after i double click it! i feel sorry for my ignorance really.

    THANKS!
     
    Last edited: Mar 8, 2004
  7. stipey

    stipey Private E-2

    thanks general!!!!

    THANKS A MILLION, GENERAL!!! :D
    thanks for your kind helping hand. your step by step guide is most wonderful!!!! cant thank u enuff!
    anyway the pc is running ok now except it's slightly slower than b4. so i did what u told and fix up
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

    though not
    O4 - Startup: Shortcut to Prolink 8000.lnk = ?
    cos it's just my internet connection i placed in my startup tab in programs.

    however that no good F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, still appears in my latest hijackthis log.

    here it is, thanks for taking a look once again!

    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\PROGRA~1\POP-UP~1\PSFREE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\Documents and Settings\Al Sim\Desktop\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Shortcut to Prolink 8000.lnk = ?
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://free.aol.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://gemssharepoint2.ntu.edu.sg/igems/Portal/resources/msddsc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60F753C7-3649-4BBD-80B6-D6BDD8DD2831}: NameServer = 165.21.83.88 165.21.100.88

    sadly i dunno what most of the above are.
    then i tot i'd give that msconfig u mentioned a try as i do have a lot of unwanted programs running. however, that sysinfo.org site is totally down so i'm at a loss again! :confused:
     
  8. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Ok hi stipey the f2 line is harmless enough just housekeeping really but try fixing again and making sure all browser windows are closed

    one thing i would recommend is go to start-run-type services.msc--enter
    look for the Nvidia driver helper service right click on it and select properties
    then in the centre change the start-up tab from automatic to disabled
    this service serves no real function is a resource hog and causes more problems than its worth

    Right as for your Msconfig start ups i recommend you disable these
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    They are installed with your graphic card drivers and disabling these will not affect your graphics unless you overclock your card
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    this is not needed on start-up and will not affect your burning cds
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    this loads the modem control panel applet not needed unless you make a lot of changes to the way your internet connection works
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    not needed on start up quick time will still work with no problems

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    this is really a personal choice please read here

    all the rest leave alone


    as for the
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    this is installed with your ADSL software so you are more or less stuck with it

    any more questions please ask :)
     
  9. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    And to jump in here after those guys hijacked the thread :D

    Stipey please do not forget to visit Windows Update and get all the newest patches that's one of the reasons you became infected with the Nachi worm in the first place ;)
     
  10. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

