Please help me identify and remove some crap, if any.

There is something on my computer that keeps regenerating some win.gaebot virus or worm, and I would like to identify if it's anything that boots up with windoz.

Logfile of HijackThis v1.99.0

Scan saved at 14:28:31, on 2005-02-20

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\CTsvcCDA.EXE

C:\Program\Symantec AntiVirus\DefWatch.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program\No-IP\DUC20.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\Smartscaps.exe

C:\WINNT\system32\stisvc.exe

C:\Program\Symantec AntiVirus\Rtvscan.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\MsPMSPSv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\Explorer.EXE

C:\Program\SysMetrix\SysMetrix.exe

C:\Program\Lexmark\PHOTOC~1\LXBLKsk.exe

C:\Program\NetLimiter\NetLimiter.exe

C:\Program\D-Tools\daemon.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\SYMANT~2\VPTray.exe

C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe

C:\Program\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program\Winamp\Winamp.exe

c:\Program\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE

C:\Program\G6 FTP Server\G6FTPSrv.exe

C:\Program\tclock\TClock.exe

C:\Program\No-IP\DUC20.exe

C:\Program\SnapTo\SnapTo.exe

C:\Program\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

C:\WINNT\system32\svchost.exe

C:\Program\MICROS~2\OFFICE11\OUTLOOK.EXE

C:\Program\Sony Ericsson\Mobile\SyncIndicator.exe

C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program\Miranda IM\miranda32.exe

C:\Program\Xitami\xiwin32.exe

C:\Program\Azureus\Azureus.exe

C:\Program\Java\j2re1.4.2_03\bin\javaw.exe

C:\Program\SONYER~1\Mobile\CONNEC~1\CapMan.exe

C:\Program\SONYER~1\Mobile\CONNEC~1\ElogErr.exe

C:\Program\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE

C:\Program\SONYER~1\Mobile\CONNEC~1\SCRFS.exe

C:\Program\SONYER~1\Mobile\AUFILE~1.EXE

C:\Program\SONYER~1\Mobile\CONNEC~1\Ecfmserv.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\RealVNC\VNC4\WinVNC4.exe

C:\Program\RevConnect\DCPlusPlus.exe

C:\Program\Logitech\iTouch\iTouch.exe

C:\Program\totalcmd\TOTALCMD.EXE

F:\Prem recovery\Win OS Related\Win2k\ie6setup.exe

C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\IXP000.TMP\ie6wzd.exe

C:\WINNT\SYSTEM32\DNTUS26.EXE

C:\WINNT\system32\cmd.exe

C:\WINNT\nc.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\system32\windllshost.exe

C:\WINNT\system32\msdsec.exe

C:\WINNT\system32\msdsec.exe

C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\Rar$EX00.000\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [xitami] C:\Program\Xitami\xiwin32.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [sysMetrix] C:\Program\SysMetrix\SysMetrix.exe

O4 - HKLM\..\Run: [LXBLKsk] C:\Program\Lexmark\PHOTOC~1\LXBLKsk.exe

O4 - HKLM\..\Run: [MemoryCardManager] C:\Program\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup

O4 - HKLM\..\Run: [NetLimiter] C:\Program\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~2\VPTray.exe

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOKALA~1\Temp\IXP000.TMP\"

O4 - HKLM\..\RunOnce: [brandClearStubs] RUNDLL32 IEDKCS32.DLL,BrandCleanInstallStubs >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS

O4 - HKLM\..\RunOnce: [Regsister WScript] wscript -regserver

O4 - Startup: ALLA.lnk = D:\Mp3\ALLA.m3u

O4 - Startup: Genväg till G6FTPSrv.lnk = C:\Program\G6 FTP Server\G6FTPSrv.exe

O4 - Startup: Genväg till miranda32.lnk = C:\Program\Miranda IM\miranda32.exe

O4 - Startup: Genväg till TClock.lnk = C:\Program\tclock\TClock.exe

O4 - Startup: No-IP DUC.lnk = C:\Program\No-IP\DUC20.exe

O4 - Startup: SnapTo.lnk = C:\Program\SnapTo\SnapTo.exe

O4 - Startup: Utforskaren.lnk = C:\WINNT\explorer.exe

O4 - Global Startup: Certificate Mover.lnk = C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O17 - HKLM\System\CCS\Services\Tcpip\..\{BB6561FC-0ECD-487D-9EFD-DB1674A4CB04}: NameServer = 81.216.65.11,81.216.65.12

O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE

O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: DameWare NT Utilities 2.6 - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE

O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: Distributed NT LM Security Manager - Unknown - C:\WINNT\system32\msdsec.exe

O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program\No-IP\DUC20.exe

O23 - Service: SAVRoam - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe

O23 - Service: SmartTrust Smart Card Server - SmartTrust - C:\WINNT\system32\Smartscaps.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Winset DNS Server - Unknown - C:\WINNT\system32\windllshost.exe

O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Program\RealVNC\VNC4\WinVNC4.exe

