Please take a look at this.
I have run Spybot and Ad-Aware; here's the HijackThis log file. Thanks in advance!
Logfile of HijackThis v1.98.0
Scan saved at 9:00:43 PM, on 8/4/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\svchosts.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\raofim.exe
C:\WINNT\System32\NotifyPhoneBook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hjtlog.exe
c:\hijackthis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [zmcihozlt] C:\WINNT\System32\raofim.exe
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
Comments
First, stop these services (hit CTRL-ALT-DEL to bring up the Task Manager, right-click on the entries below and select End Process):
C:\WINNT\System32\svchosts.exe
C:\WINNT\System32\raofim.exe
Next, go into HijackThis and delete these entries:
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [zmcihozlt] C:\WINNT\System32\raofim.exe
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
Reboot and post another log.
My CPU was at 100% before deleting svchost; now it's back to almost 0% already!
I often notice a process called 'NotifyPhoneBook' in my Task Manager. Can I delete it permanently? How do I do that?
If possible, could you please recommend a few good antivirus programs?
Here's the new HijackThis log file. Thanks once again!
Logfile of HijackThis v1.98.0
Scan saved at 10:33:43 PM, on 8/4/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\NotifyPhoneBook.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
Can I just delete it?
Sorry for asking so many questions, but I am pretty hopeless at this. :banghead:
Short-Media Selects: Anti-Virus Software
Pick an AV package. If you have some money to spend, get Norton. If you are being a cheapskate, then use the free AVG. With over 100,000 viruses on the internet, it is better to spend some money, though; you might as well support companies who seek to make your computer safer, and it's hard to feel sorry for anyone who does not have anti-virus software.
Run a scan with whatever you select, then re-post your log. The scan may solve the other problems you are having.
Dexter...
Try to delete it if you can, but do not delete the legitimate file SVCHOST.exe.
If you cannot delete svchosts.exe normally, try it in SAFE MODE.
Also, remove these 2 entries in HJT:
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
Dexter...
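The two replies above boil down to a few checks a helper can apply to any HijackThis-style log before a human reads it: an autorun whose program name is one letter off a real system binary (svchosts.exe next to the legitimate svchost.exe), an autorun label that looks machine-generated (zmcihozlt), an HTML template (.htt) dropped into a Startup folder, and O17 NameServer entries that are not the DNS servers you expect. The script below is an added example written for this thread, not a tool from the thread or from HijackThis; the sample log lines are constructed from the entries quoted above, the list of system binaries is a hard-coded subset, and the "random label" test is a simple vowel-ratio heuristic.

```python
"""Triage helper for HijackThis-style O4/O17 lines (added example, not from the thread)."""
import re
from typing import Dict, Iterable, List

# Hard-coded subset of well-known Windows system binaries that malware imitates by name.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "smss.exe", "spoolsv.exe", "explorer.exe", "csrss.exe",
}

# Constructed sample, modelled on the O4 and O17 entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [zmcihozlt] C:\WINNT\System32\raofim.exe
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
"""

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*)$")
LABEL_RE = re.compile(r"^\[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches svchosts.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_name(cmd: str) -> str:
    """Lower-cased basename of the program an autorun command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]          # quoted path, may contain spaces
    else:
        path = cmd.split()[0] if cmd else ""    # first token before any arguments
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(label: str) -> bool:
    """Heuristic: one lower-case alphabetic token with few vowels, e.g. 'zmcihozlt'."""
    if not (label.isalpha() and label.islower() and len(label) >= 8):
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.3


def triage(log_text: str, expected_dns: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one finding per suspicious O4/O17 line; other lines are ignored."""
    expected = set(expected_dns)
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            loc, rest = m.group("loc"), m.group("rest")
            lm = LABEL_RE.match(rest)
            label, cmd = (lm.group("label"), lm.group("cmd")) if lm else ("", rest)
            exe = executable_name(cmd)
            if exe not in SYSTEM_BINARIES and any(edit_distance(exe, s) == 1 for s in SYSTEM_BINARIES):
                findings.append({"line": line, "reason": f"{exe} is a lookalike of a system binary"})
            if looks_random(label):
                findings.append({"line": line, "reason": f"autorun label '{label}' looks randomly generated"})
            if exe.endswith(".htt") and "Startup" in loc:
                findings.append({"line": line, "reason": "HTML template (.htt) in a Startup folder"})
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split():
                if server not in expected:
                    findings.append({"line": line, "reason": f"DNS server {server} not in the expected set"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample it reports seven findings: both svchosts.exe autoruns, the zmcihozlt label, the two folder.htt Startup entries and the two unexpected DNS servers; pass your ISP's resolvers as expected_dns to silence the O17 lines on a machine where they are legitimate. The lookalike check deliberately requires exe not in SYSTEM_BINARIES first, so the real svchost.exe that the reply says not to delete is never flagged.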
But I can't delete the following using HijackThis:
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
This is the new log file:
Logfile of HijackThis v1.98.0
Scan saved at 2:21:38 PM, on 8/6/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\NotifyPhoneBook.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
Did AVG detect and repair anything else?
Dexter...
Thanks once again
Results of Complete Test, date and time 8/6/2004 13:39:37 :
Testing C:\ volume OICRP10ABA serial 4259-140F
C:\WINNT\NEM219.DLL Trojan horse Downloader.Dyfica.2.AA
C:\WINNT\ALCHEM.EXE repaired
C:\WINNT\SYSTEM32\WINHLP~1.EXE repaired
C:\WINNT\SYSTEM32\TFTP3092 repaired
C:\WINNT\SYSTEM32\RAOFIM.EXE repaired
C:\Documents and Settings\Administrator\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\TEMP\ALCHEM.EXE repaired
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\JNSPY98T\BETTER~1.EXE repaired
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\4VZHV362\ISTSVC~1.EXE Trojan horse Downloader.Istbar.4.H
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\7G4PZOV7\NEM219~1.DLL Trojan horse Downloader.Dyfica.2.AA
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\RECYCLED\DC192\FOLDER.HTT Virus found VBS/Redlof
Testing E:\ volume STORAGE serial AC91-36CE
Test finished, duration 00:34:28.5 s
33090 objects tested, 10 found infected
Dexter...