
Not sure if I need help here

I ran a quick scan with CCleaner today and checked the startup programs, found something I'm not too sure about and was wondering if it may be a problem.

The process in question is:

O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513

This is my complete HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:25:57, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\PROGRA~1\DrWeb\SpiderNT.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\htpatch.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\PROGRA~1\DrWeb\spidernt.exe
E:\Program Files\DrWeb\spiderml.exe
E:\Program Files\DrWeb\DRWEBSCD.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\RunDLL32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
E:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\CCleaner\ccleaner.exe
D:\Tmp Music\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net/reg.srf?xpwiz=true&lc=2057&fid=RegXPWizCredOnly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [HTpatch] E:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] E:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpIDerNT] E:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [SpIDerMail] "E:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] "E:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firefox Preloader.lnk = E:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O4 - Global Startup: Watch.lnk = E:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - E:\PROGRA~1\DrWeb\SpiderNT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4933 bytes

Hope you can help.

Regards
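The entry asked about above is a rundll32 line whose DLL is given only by name, so the log alone cannot say where P0620Pin.dll lives or what it is; the file has to be located on disk before it can be judged. The following is an added example, not code from this thread or from HijackThis, that reads lines in the HijackThis log format and separates Run-key entries with an explicit drive-rooted path from those that name a bare executable or a bare rundll32 DLL, and counts repeated O10 Winsock LSP lines. The sample log is constructed from entries quoted in the post.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries quoted in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpIDerMail] "E:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
"""

O4_RE = re.compile(r"^\s*O4 - HK[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^\s*O10 - Unknown file in Winsock LSP: (?P<path>\S.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")  # an explicit drive-rooted path

def triage_o4(cmd):
    """Classify one Run-key command by how much of it can be verified on disk."""
    parts = cmd.strip().split(maxsplit=1)
    head = parts[0].strip('"')
    rest = parts[1] if len(parts) > 1 else ""
    if head.lower() in ("rundll32.exe", "rundll32"):
        # rundll32 loads the DLL named before the comma; a bare name is resolved
        # through the DLL search path, so it must be located before it can be judged.
        dll = rest.split(",", 1)[0].strip().strip('"')
        return "rundll32-explicit-dll" if DRIVE_RE.match(dll) else "rundll32-bare-dll"
    return "explicit-path" if DRIVE_RE.match(head) else "bare-exe"

def triage_log(text):
    """Return (verdict per O4 Run entry name, count of O10 lines per LSP DLL)."""
    verdicts, lsp = {}, {}
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            verdicts[m["name"]] = triage_o4(m["cmd"])
            continue
        m = O10_RE.match(line)
        if m:
            path = m["path"].strip().lower()
            lsp[path] = lsp.get(path, 0) + 1
    return verdicts, lsp

if __name__ == "__main__":
    verdicts, lsp = triage_log(SAMPLE_LOG)
    for name, verdict in verdicts.items():
        print(f"{verdict:22} {name}")
    for path, n in lsp.items():
        print(f"LSP {path} listed {n} times")
```

Entries reported as bare-exe or rundll32-bare-dll are not flagged as malicious, only as unverifiable from the log: the next step is to find the file on disk and check its publisher and hash.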

Comments

  • edited April 2007
    Hi Fugazi and welcome to Short-Media. I'm checking your log, so please be patient.
  • edited April 2007
    :D Hi Fugazi

    Trend Micro HijackThis v2.0.0 is still in beta and is not to be used here yet.

    Click here to download HJTsetup.exe and save it to your Desktop.
    * Double click on the HJTsetup.exe icon on your desktop.
    * By default it will install to C:\Program Files\Hijack This.
    * Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
    * Put a check by Create a desktop icon then click Next again.
    * Continue to follow the rest of the prompts from there.
    * At the final dialogue box click Finish and it will launch Hijack This.
    * Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    * Name the log "HJTLog" (or something similar:) ) and save it to your desktop.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
  • edited April 2007
    Ok, sorry I didn't realize that the version I used was still in Beta.

    Here is the log from the version you said to download.

    Logfile of HijackThis v1.99.1
    Scan saved at 18:06:47, on 15/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\htpatch.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\PROGRA~1\DrWeb\spidernt.exe
    E:\Program Files\DrWeb\spiderml.exe
    E:\Program Files\DrWeb\DRWEBSCD.EXE
    E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    E:\WINDOWS\system32\RunDLL32.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
    E:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
    E:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
    E:\Program Files\Mozilla Firefox\firefox.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\PROGRA~1\DrWeb\SpiderNT.exe
    E:\WINDOWS\system32\ZoneLabs\vsmon.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Mozilla Thunderbird\thunderbird.exe
    E:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net/reg.srf?xpwiz=true&lc=2057&fid=RegXPWizCredOnly
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [HTpatch] E:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] E:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpIDerNT] E:\PROGRA~1\DrWeb\spidernt.exe /agent
    O4 - HKLM\..\Run: [SpIDerMail] "E:\Program Files\DrWeb\spiderml.exe"
    O4 - HKLM\..\Run: [DrWebScheduler] "E:\Program Files\DrWeb\DRWEBSCD.EXE"
    O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Firefox Preloader.lnk = E:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
    O4 - Global Startup: Watch.lnk = E:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: e:\windows\system32\drwebsp.dll
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - E:\PROGRA~1\DrWeb\SpiderNT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Regards
  • edited April 2007
    :)
    Hi Fugazi

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Print out these instructions or save them with notepad or Word

    Your log seems to be clean. To make sure, please download AVG Anti-Spyware to your desktop. When ready, do following:
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" it reads Quarantine
        (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" select Automatically generate report after every scan
        and uncheck Only if threats were found
      • Under "What to scan?" select Scan every file
    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    =========================================
    Reboot to safe mode
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    =========================================
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine
        (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    =========================================


    Download Deckard's System Scanner to your Desktop.

    * Close all applications and windows.
    * Double-click on Dss.exe to run it, and follow the prompts.
    * The scan may take a minute. When the scan is complete, two text files will open: Main.txt and extra.txt

    Post a fresh HijackThis log, Dss Main.txt and the AVG Anti-Spyware report ;)