Hijack file, IE won't download

Thread Solved

southernneonser | #1 | Mar 31st, 2005
I pasted all of the HijackThis report but I don't know if you can read it. I can't get my Internet Explorer to download a single thing. I get a message that IE can't find the file or the file doesn't exist. If someone could make heads or tails of this, I'm crossing my fingers. Thanks




NEW HijackThis automated log analyzer! Get your logs analyzed INSTANTLY!
Key:
• "Y" - Normally leave to run at start-up
• "N" - Not required - typically infrequently used tasks that can be started manually if necessary
• "U" - User's choice - depends whether a user deems it necessary
• "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
• "?" - Unknown


Status and Startup Name | Process Name | Details (one per line for each entry)
X
system32.exe
Added by the AGOBOT-KU WORM! Note - has a blank entry under the Startup Item/Name field



Y !1_pgaccount
pgaccount.exe
DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks. You will see one instance of pgaccount.exe for every active account on your system, and this is essential for PG to work properly
Y !1_ProcessGuard_Startup
procguard.exe
DiamondCS ProcessGuard security software - stops malicious worms and trojans from being executed silently in the background, as well as a variety of other attacks
N !NoLoad
winrecon.exe
WinRecon - surveillance software that creates records of everything people do on a computer, ie, spying or monitoring depending upon how you call it
? $EnterNet
Enternet.exe
Connection manager for the EnterNet ISP. You can also use RASPPOE

X $WindowsRegKey%update
IEXPLORE.EXE
Added by the RBOT-EZ WORM! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not appear in Msconfig/Startup unless you add it manually!
N %cmpmixtitle%
%cmpmixstr%
Possibly related to C-Media Mixer Control panel?
? %FP%012-L2TP fts.exe
fts.exe
012.Net ISP software - what does it do and is it required?
? %FP%012-L2TP FWPortal.exe
FWPortal.exe
012.Net ISP software - what does it do and is it required?
? %FP%1776 Internet fts.exe
fts.exe
1776 Internet ISP software - what does it do and is it required?
? %FP%1776 Internet FWPortal.exe
FWPortal.exe
1776 Internet ISP software - what does it do and is it required?
? %FP%Barak013 fts.exe
fts.exe
Barak013 ISP software - what does it do and is it required?
? %FP%Barak013 FWPortal.exe
FWPortal.exe
Barak013 ISP software - what does it do and is it required?
? %FP%Friendly fts.exe
fts.exe
Friendly ISP software - what does it do and is it required?
X (*)API Machine
winSOCKS.exe
Homepage hijacker, see here (* = any digit)

X (*)Run
win32API.exe
Homepage hijacker, see here (* = any digit)

X (Default)
media_driver.exe
Added by the TUPEG VIRUS!

X (Default)
Shania.vbs
Added by the SHANIA TROJAN!

X (Default)
NOTEPAD.exe
Added by the RUSTY WORM! Note - not to be confused with the valid Windows "NOTEPAD" text editor

X (default)
[random filename].exe
Added by the BLACKMAL WORM!

X (default)
twunk_32.exe
Added by the BLACKMAL.C WORM!

X (default)
winhelp.exe
Added by the BLACKMAL.C WORM!

X (L4r1$$4) (4nt1) (V1ruz)
SP00Lsv32.pif
Added by the ASSIRAL.B WORM!

X *JanisRuckenbrodII
janis.com
Added by the POPS WORM!

Y *StateMgr
statemgr.exe
Windows ME default for System Restore. Do NOT disable!
X *windows update
wrauclt.exe
Added by the RBOT-QU WORM!

X *windows update
wuanclt.exe
Added by the RBOT-PG WORM!

X *windows update
wuaucrlt.exe
Added by the SPYBOT.HUR WORM!

X *windows update
wuraclt.exe
Added by the RBOT-PO WORM!

X *windows update
wurauclt.exe
Added by the RBOT-SY WORM!

X *windows update
wsctl.exe
Added by the SPYBOT.PR WORM!

X *WinLogon
[trojan path] ren time:[random number]
Added by the VUNDO TROJAN!

X ,main drive Loader
wininfo.exe
Suspected malware as it appears in 3 different registry locations - see here

X .mscdr
lassa.exe
Added by the WEBUS.C TROJAN!

X .mscdr
lsvchost.exe
Added by the WEBUS.D TROJAN!

X .mssecure
mssecure.exe
Added by the DDOS_BOXED.X TROJAN!

? .NET config
sysmon32.exe
??
X .norton
rchost.exe
Added by a variant of the BOXED-A TROJAN!

X .Prog
services.exe
Added by the NEVEG.B or NEVEG.C WORMS! Note - this is not the legitimate services.exe process, which should not appear in Msconfig/Startup!
X .Prog
winlogon.exe
Added by the NEVEG.A WORM! Note - this is not the legitimate winlogon.exe process, which should not appear in Msconfig/Startup!

X .TEXTCONV
csrss.exe
Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup!

X .TEXTCONV
lsass.exe
Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!

X .WMAudio
csrss.exe
Added by the WEBUS TROJAN! Note - this is not the legitimate csrss.exe process, which should not appear in Msconfig/Startup!

X .WMAudio
lsass.exe
Added by the WEBUS.B TROJAN! Note - this is not the legitimate lsass.exe process, which should not appear in Msconfig/Startup!

N /l:eng
N/A
Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function
X 000hpdllhos
hpdllhost.exe
LZIO.com adware downloader

U 000StTHK
000StTHK.exe
Toshiba Hot key functionality for the function keys (Fn-Esc, Fn-F1 (lock), Fn-F2, Fn-F3, Fn-F4, Fn-F5 (switching between laptop and CRT display output), etc...)
U 00THotkey
00THotKey.exe
For Toshiba Satellite notebook series to use the front buttons, play, stop, next, prev.
U 0190 Warner
WARN0190.EXE
Anti-dialer program (Germany)

U 0900 Warner
WARN0900.EXE
Anti-dialer program (Germany)

X 123456
rundll32.exe shell32.dll, Control_RunDLL ...123456.cpl
Added by the KITRO.C (or DANDI.A) WORM! 123456 can be any random 3 to 6 digit number
U 12Ghosts Popup-Killer
12popup.exe
12Ghosts Popup-Killer

? 17779Proj2002
N/A
??
X 180adsolution
180adsolution.exe
180Solutions/N-Case adware variant

X 180ax
180ax.exe
180Solutions/N-Case adware variant

N 1:
hpdrv.exe
HP utility for monitoring when and how many recoveries have been done
N 1A:MacVisionTrayMonitor
TrayMonitor.exe
Comes with the MacVision program for monitoring tray icons (Note : program is by Stardock)
Y 1Atardock MCP
mcpserver.exe
Master Control Program for Stardock apps, in development. People should leave it running if they're using any of the Stardock applications
Y 1Atardock TrayMonitor
TrayServer.exe
For monitoring tray icons - if disabled icons will not be displayed in ObjectBar or DesktopX
? 1CmailS
NETMAIL.EXE
??
X 1on1
1on1.exe
Adult content dialler
U 1Srv32
SpyAgent4.exe
SpyTech SpyAgent monitoring software. "Spy software that allows you to monitor EVERYTHING users do on your PC."
U 1Win32Cfg
SpyBuddy.exe
SpyBuddy monitoring software

U 1Win32Cfg
Keyloggerpro.exe
KeyloggerPro - monitoring software

X 1WinCfg32
WebMailSpy.exe
WebMailSpy spyware

X 2020Downloader
mssvr.exe
2020Search Toolbar related. Reported to be auto-installed
X 2thousandbuck
[path to file]
Added by the RANKY.L TROJAN!

U 2wSysTray
2portalmon.exe
2Wire Homeportal user interface

X 32-bit Thunking service
thunk32.exe
Added by the DERDERO.A WORM!

? 39ELTFH25Z8SKF
Ezg1q5.exe
Seems to be associated with software by Resplendence SP ?

Y 3c1807pd
3cmlink.exe 3cpipe-3c1807pd
3Com WinModem driver. See here for more WinModem information

Y 3capplnk
3capplnk.exe
US Robotics Modem driver
N 3cdminic
3CDMINIC.EXE
3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards
? 3CM Link
3cmcnkw.exe
??
Y 3Cmlink
3CmlinkW.exe
For a US Robotics WinModem. Provides the link to Windows as the CPU does the processing on WinModems - won't work without it. See here for more WinModem information

N 3ComDMIAgent
3CDMINIC.EXE
3Com DMI (DynamicAccess Desktop Management Interface) Agent associated with 3Com network cards
Y 3cpipe-USRpdA
USRmlnkA.exe
Modem driver files from US Robotics
X 3D Text
3D Text.scr
Added by the JERMY.A WORM!

U 3Deep Control Panel
3DeepCTL.EXE
From LightSurf Technologies (nee E-Color) - 3Deep corrects lighting, shading and color for all your 2D and 3D games
X 3Dfx Acc
GFXACC.EXE
Added by the GIBE WORM!

N 3dfx Task Manager
3dfxMan.exe
System Tray application for 3dfx Voodoo 3/4/5 functions. Available via Start -> Programs
Y 3dfx Tools
3dfxCmn.dll
Updates the registry with information that can't be held for Voodoo 3/4/5 series graphics cards. Important for owners of these cards
Y 3dfxv2ps.dll
3dfxv2ps.dll
Updates the registry with info that can't be held for 3dfx Voodoo 2 video cards. Important for owners of these cards
? 3Dlabs Taskbar Display Manager
3DLman.exe
3DLabs graphics driver related. System Tray access to display settings?
U 3DLabsHelperDemon
3dldemon.exe
Directly from the program's author "It is a tiny program that is installed by the Permedia2/3 and probably other Oxygen-series cards. Normally it sits in the background doing nothing at all (sleeping on a semaphore), so it should take zero CPU time and virtually zero memory, since it will all be paged out to the hard drive." In most cases it can be safely disabled
U 3qdctl.exe
3qdctl.exe
Provided with Terratec 128i PCI and similar sound cards. Loads a sound profile at bootup, restoring volume and other audio settings to a pre-determined default. Similar to Creative Lab's AudioHQ
Y 3ware 3DM
3dm.exe
Monitors status of the disk array on 3ware IDE RAID controllers
X 4wd!!!
Natal!.pif
Added by the OPASERV.AI WORM!

X 5-1-61-96
members-area.exe
Adult content dialler
X 5-2-46-112
5-2-46-112.exe
Adult content pop-up dialler. Removal instructions here

X 666
Ska.exe
Added by the PIPES TROJAN!

X 9xHtProtect
AVprotect9x.exe
Added by the NETSKY.M WORM!

X ;Rundll
[filename]
Added by the PWSLEGMIR.E TROJAN!

X @
regedit -s ..win.dll
Added by the SEEKER.K TROJAN!

N @Hoc Toolbar
AtHoc.exe
One-click activated browsing toolbar used by various web-sites. See here for more info

N @loha
reminder.exe
Registration reminder for @loha@home E-mail utility

X @tour_ww
@tour_ww[1].exe
Adult content dialler
X a
a.exe
Commercials file that registers itself in the system registry and redirects IE to a certain commercial website
U a-squared
a2guard.exe
a-Squared antitrojan - can be run on demand but necessary in Startup if you prefer the a² 'Background Guard' real time protection feature
Y a-winpoet-service
winpppoverethernet.exe
WinPoET is the industry's first Windows-based PPP over Ethernet client. Developed by iVasion, WinPoET is attractive to equipment providers, modem suppliers, RBOCs and ISPs. For more info read here. It uses dial-up networking for new high-speed internet customers who are more familiar with analogue modems. If unchecked in MSCONFIG it reports Error 360 - Hardware Error in dial-up networking
U A1000 Settings Utility
cpqa1000.exe
Compaq A1000 Print Fax All-in-One copy scan printer software. Required in the Startup in order to scan, print, copy and fax. Only required if you use these features
U A4Proxy
A4Proxy.exe
Anonymity 4 Proxy - local proxy server that makes you anonymous when visiting web sites
? AAACLEAN
AAACLEAN.INF
??
? AAAKeyboard
??
??
N AAATraySaver
TraySaver.exe
System Tray management utility from Mike Lin which allows you to hide, show, restore icons that are lost in an Explorer crash, remove dead tray icons, minimize any window to the System Tray

DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.

This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try WinTasks 5 Standard/Professional from LIUtilities or the list at AnswersThatWork. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
Powered By Pac's Startup list







Copyright 2000-2005 I Am Not A Geek
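
As an added example (not part of the original thread or of the quoted startup list): once a HijackThis log is available, its O4 autostart lines can be checked against the list's "X" rows and against its repeated note that system process names such as services.exe or lsass.exe should not appear in Msconfig/Startup. The sample log lines and the small KNOWN_BAD subset are constructed for illustration, and the O4 line layout (`O4 - HKLM\..\Run: [name] command`) is assumed to be the usual HijackThis form.

```python
import re
from pathlib import PureWindowsPath

# Constructed subset of the "X" rows in the startup list quoted above:
# (startup name, process name), compared case-insensitively.
KNOWN_BAD = {(n.lower(), p.lower()) for n, p in [
    ("", "system32.exe"),                       # the list notes a blank startup name
    (".Prog", "services.exe"),
    ("$WindowsRegKey%update", "IEXPLORE.EXE"),
    ("180ax", "180ax.exe"),
    ("3Dfx Acc", "GFXACC.EXE"),
]}

# Process names the list says should not appear in Msconfig/Startup
# (svchost.exe comes from the list's closing note).
SYSTEM_NAMES = {"services.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                "iexplore.exe", "svchost.exe"}

# Registry autostart lines only; "O4 - Startup:" folder entries are skipped.
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'"?([^"]+?\.(?:exe|com|pif|scr|vbs|dll|cpl))\b', re.I)

def parse_o4(line):
    """Return hive, key, startup name and process name, or None if not an O4 Run line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    exe = EXE_RE.search(cmd)
    path = exe.group(1) if exe else cmd
    return {"hive": hive, "key": key, "name": name,
            "process": PureWindowsPath(path).name.lower()}

def scan(log_text):
    """Return (startup name, process, reasons) for every O4 entry worth a closer look."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if entry["process"] in SYSTEM_NAMES:
            reasons.append("system process name in a startup key")
        if (entry["name"].lower(), entry["process"]) in KNOWN_BAD:
            reasons.append('listed as "X" in the startup list')
        if reasons:
            flagged.append((entry["name"], entry["process"], reasons))
    return flagged

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Run: [.Prog] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [] system32.exe
O4 - HKCU\..\Run: [180ax] C:\Program Files\180ax\180ax.exe
O4 - HKLM\..\RunServices: [$WindowsRegKey%update] IEXPLORE.EXE
"""

if __name__ == "__main__":
    for name, process, reasons in scan(SAMPLE_LOG):
        print(f"[{name}] {process}: {'; '.join(reasons)}")
```

A flag from the system-name rule is a prompt to check the file's path and origin before removing anything, in line with the list's own advice: "If in doubt, don't do anything."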

DMR | #2 | Mar 31st, 2005
Let's skip the automated log analyser; it's honestly better for us to work from your original log.

Please do the following:

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing


Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.

southernneonser | #3 | Mar 31st, 2005
Man, let me tell you that I can't download anything. I get a message after it starts downloading that says IE cannot download the file because it can't locate it or the file doesn't exist. I found a website last night that ran HJT on my computer while I was there. I copied the results and posted them in the forum here. I recently tried to find that same website with no luck. Back to square one. How do I find a way to get HJT on my computer and scan it so that I can post it in the virus forum here? If you can email me the downloaded file, would I be able to open it and run it on my computer? Any suggestions welcome. Thanks

DMR | #4 | Mar 31st, 2005
It sounds like you'll need to download HijackThis onto a different computer, copy it to a floppy, and install/run it on the infected computer that way.

Once the HJT scan is done, you'll need to save the logfile back to the floppy, take the floppy back to a computer with working Internet access, and post the log from there.

I have a copy of the current HJT program on my FTP site. If you need me to email it to you I can do that. Please don't post your email address in this thread though; send it to me privately via my email address or a PM.

dlh6213 | #5 | Apr 1st, 2005
Hey Dave, he had another thread going on this ( http://www.daniweb.com/techtalkforums/thread20949.html ), but couldn't download HJT; I tried to email it to him, but his Outlook Express wouldn't allow him to open it, saying it was a harmful file.

He doesn't have access to another computer to download to, so I suggested he post the above log so we could see what's going on (and it's not pretty!).

I'm open to some suggestions here; should we try to attack the bad files manually, email him some tools (if OE will even let him open them), or is it time for a reinstall?
Links to help you help yourself :

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html

southernneonser | #6 | Apr 1st, 2005
I received another e-mail that had the HJT file attached. Again the message said, "outlook has blocked the attachment because it is a potentially harmful file." Is this a virus that is aware of me trying to eliminate it and preventing any application that may do so? Still looking for a solution. I could reload all of my original disks that were loaded at first. The only problem with that is I really don't know how to back up files, delete, reload and all the must-nots or must-dos in the process. I wish we could come up with an easier way. I really appreciate the help. Thanks

caperjack | #7 | Apr 1st, 2005
Originally Posted by southernneonser
I received another e-mail that had the HJT file attached. Again the message said, "outlook has blocked the attachment because it is a potentially harmful file." Is this a virus that is aware of me trying to eliminate it and preventing any application that may do so? Still looking for a solution. I could reload all of my original disks that were loaded at first. The only problem with that is I really don't know how to back up files, delete, reload and all the must-nots or must-dos in the process. I wish we could come up with an easier way. I really appreciate the help. Thanks

Open Outlook / Tools / Options / Security and uncheck "do not allow attachments to be saved that could be harmful or a virus", then someone resend the files.

dlh6213 | #8 | Apr 1st, 2005
I'm waiting for the opinions of a couple other mods here as to what the best direction to go would be. If a reinstall is deemed the best solution, we will help you with backing up and reloading.

If you had access to another computer where you could download some utilities, it would be very helpful... maybe a library or friend?

Edit -- what Caperjack said might work, I don't know much about OE.
Last edited by dlh6213; Apr 1st, 2005 at 6:52 am. Reason: Added edit

southernneonser | #9 | Apr 1st, 2005
I sent dlh6213 an address of a friend that will download hjt and save it to a floppy for me to run on my machine. Hopefully this will be the beginning of my computer recovery. Thanks

southernneonser | #10 | Apr 1st, 2005
I went to Tools and then Options and then Security and every other spot there in Options and I did not see a single thing that even looked like a box for attachments to be accepted even if harmful. If there is another name for attachments I don't know it. I tried to go over everything that mentions IE and downloads that would let things go through.

©2003 - 2009 DaniWeb® LLC