Re: Hijackthis log. I found one nasty. What is it ? in Security

Re: Hijackthis log. I found one nasty. What is it ? in Security http://www.dslreports.com/forum/r13807483 en Sat, 05 Dec 2009 06:50:32 EDT Sat, 05 Dec 2009 06:50:32 EDT I upgraded my PC security. http://www.dslreports.com/forum/remark,13815285 email scope : I am now using that hosts file, and avg free as well as sp2. On top of the other security I described.

I reformatted too.

The pc is slower, but not too much.

I think a new firewall is too much. It'll slow my pc down too much.

Thank you Joker, and the rest of you kind people for your help. :)]]> http://www.dslreports.com/forum/remark,13815285 Tue, 05 Jul 2005 05:05:55 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13812696 TheJoker :

said by email scope

:

I use ....the xp firewall.

That is not a full featured firewall. It only checks incoming connections. You are much better off with a real firewall that checks both incoming and outgoing connections. With a rules based firewall, if a program you have not authorized for internet access tries to go out (worm, adware, or even a legitimate program), you are notified and allowed the chance to either allow it, or to stop it. The XP firewall won't do that as it doesn't check anything going out.

quote:
I don't use a anti-virus, I guess I should

Absolutely!

quote:
SP2 slows down the pc according to theinquirer.net, and other places, so I don't use it.

SP2 has the security patches to prevent many of the exploits that malware uses to get on your system. You are not secure without it, and will likely become infected again without it, the only question is how long it will take before you run across malware that your system is unnecessarily vulnerable to. The only thing that might be slower with SP2 is that there is a limit to the number of concurrent connections (10) to slow the progress of worms from infected systems. That can affect P2P programs, but not significantly from what I've seen, and there are patches to bypass that limitation if that's what you are referring to. With your system clean, you shouldn't be doing any connecting with your system until you do install SP2. You have no antivirus, no real firewall, and don't have SP2 installed. Your system is a threat to others on the Internet should you become infected. There have even been cases where users have become infected, and with no firewall to stop the outgoing connection, tried to infect other systems, and their ISP rightfully terminated their access until their system was cleaned. I would run, not walk, to Windows Update and install SP2.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,13812696 Mon, 04 Jul 2005 19:06:01 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13812070 Reverend Ike :

said by email scope

:

I don't use IE, so I don't need a hosts file.

The Hosts file is not IE-dependent.

The level of user expertise, whether a system has a single user or multiple users, etc. may affect the importance of using a resident AV and/or updating to SP2. However, as general advice, I think most in the Security forum would recommend including both components on the basis that the benefits of each usually outweigh any negative effects. ]]> http://www.dslreports.com/forum/remark,13812070 Mon, 04 Jul 2005 17:13:55 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13811937 email scope : I use a limited account, and prevx free. I have a dlink-604 router, and use the xp firewall. I do have spywareblaster, and ad aware. As well as the protection included in the picture.

I don't use a anti-virus, I guess I should, but I haven't seen the need too.
SP2 slows down the pc according to theinquirer.net, and other places, so I don't use it.
I don't use IE, so I don't need a hosts file.

I think my pc is clean.

]]> http://www.dslreports.com/forum/remark,13811937 Mon, 04 Jul 2005 16:45:29 EDT Re: Hijackthis log. I found one nasty. What is it ? http://www.dslreports.com/forum/remark,13809258 TheJoker : You aren't through quite yet. You need to improve your security.

Your version of Internet Explorer is old and needs to be updated, and you need to install Service Pack 2 (SP-2). You need to go to Windows Update (Start button > Windows update) and install all critical updates. Not updating your system puts it at risk for MANY exploits.

You need to run an antivirus program and keep it up-to-date. I don’t see one in your HijackThis log. If cost is an issue, try AVG 7 Free available at »free.grisoft.com/doc/2/lng/us/tpl/v5 or Free avast! 4 Home Edition at »www.avast.com/eng/avast_4_home.html.

You also need a software firewall; I don't see one in your HijackThis log. Two free firewalls are Zone Alarm from zonelabs.com »www.zonelabs.com/store/content/c···load.jsp or Kerio Personal Firewall available from »www.kerio.com/us/kpf_home.html. There is a tutorial on understanding firewalls at »www.bleepingcomputer.com/forums/···l60.html.

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at »https://netfiles.uiuc.edu/ehowes/www/res···#IESPYAD.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article How did I get Infected? at »www.computercops.biz/postlite7736-.html

Please let me know if your problem appears solved.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,13809258 Mon, 04 Jul 2005 08:57:28 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807719 email scope : »www.virustotal.com/flash/index_en.html

That scanner was busy, so I used this one. It found no nasties. And tds anti trojan found nothing. :)

Thank you for your help. If I every find anything again. I'll run it through one of those scanners before I post anything here. :D]]> http://www.dslreports.com/forum/remark,13807719 Sun, 03 Jul 2005 23:33:42 EDT Re: Hijackthis log. I found one nasty. What is it ? http://www.dslreports.com/forum/remark,13807483 TheJoker : Your log looks fine now (although it is an unusually short log).

That line may be gone from your HijackThis log, but did you actually delete the file (there was no file path in the line)? In my case, I have several different copies of wmplayer.exe on my system. Unless you searched for and deleted all instances of wmplayer.exe from your system (and you would have actually deleted Windows Media Player's executable if you did that), you should still search for each copy of the file and submit it for the scan to be certain one of them isn't malware.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,13807483 Sun, 03 Jul 2005 22:46:03 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807480 ronob :

said by email scope

:

wmplayer.exe //ICWLaunch
Is gone. I already fixed it. I didn't know I should submit it. That other poster said it was fine. :hmm:

There's no use in me submitting anything now. It's gone ! :huh:

"Use Windows Search (Start > Search > For Files or Folders), to search for each instance of wmplayer.exe

Please submit each instance of wmplayer.exe to the following link for a scan and post the results, along with the full path for any instance that was found to contain malware.

»virusscan.jotti.org/ "
--
I've been to the end of the internet!]]> http://www.dslreports.com/forum/remark,13807480 Sun, 03 Jul 2005 22:45:43 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807416 email scope : Logfile of HijackThis v1.99.1
Scan saved at 7:28:47 PM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx Home\SAGUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Dell PC\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···42952226
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
-------------

wmplayer.exe //ICWLaunch
Is gone. I already fixed it. I didn't know I should submit it. That other poster said it was fine. :hmm:

There's no use in me submitting anything now. It's gone ! :huh:]]> http://www.dslreports.com/forum/remark,13807416 Sun, 03 Jul 2005 22:33:32 EDT Re: Hijackthis log. I found one nasty. What is it ? http://www.dslreports.com/forum/remark,13807371 TheJoker : R1 is for Internet Explorers Search functions and other characteristics. I don't think wmplayer.exe belongs there. There are also several nasites with the same file name.

Use Windows Search (Start > Search > For Files or Folders), to search for each instance of wmplayer.exe

Please submit each instance of wmplayer.exe to the following link for a scan and post the results, along with the full path for any instance that was found to contain malware.

»virusscan.jotti.org/

In the meantime:

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

The two items you fixed were malicious entries that had replaced your default Windows Related links buttons. If you want to restore the Microsoft "Related Links" here is a tool to fix it. »www.mvps.org/winhelp2002/alexa.zip
Unzip, place "related.htm" into your "\WINDOWS\Web" folder Right-click on "RestoreAlexa.reg", select: Merge, and reboot.

Please restart your system and post a new HijackThis log
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,13807371 Sun, 03 Jul 2005 22:22:42 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807326 email scope : I couldn't stand it. I had to fix it, so I did, and it's gone. Ha heh. Good riddence too. :o]]> http://www.dslreports.com/forum/remark,13807326 Sun, 03 Jul 2005 22:14:43 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807199 email scope : Ok. I see other hijackthis forums say to delete it. More than one...makes me nervous. :huh:

How would I delete it. Is there a special way ?]]> http://www.dslreports.com/forum/remark,13807199 Sun, 03 Jul 2005 21:55:11 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807177 CajunTek : If you are talking about that automated hijackthis analyzer.. I don't trust'em.. Darned thing wants me to delete my firewall.. :|
--
Lost in Texas]]> http://www.dslreports.com/forum/remark,13807177 Sun, 03 Jul 2005 21:51:36 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807151 email scope :

said by CajunTek

:

This nasty
wmplayer.exe
is »www.liutilities.com/products/win···mplayer/
windows media player...

I wonder why other hijackthis forums say to delete it ? Oh, and this comes after wmplayer.exe //ICWLaunch
What's the significance of that if any ?]]> http://www.dslreports.com/forum/remark,13807151 Sun, 03 Jul 2005 21:46:17 EDT Re: Hijackthis log. I found one nasty. What is it http://www.dslreports.com/forum/remark,13807142 CajunTek : This nasty
wmplayer.exe
is »www.liutilities.com/products/win···mplayer/
windows media player...
--
Lost in Texas]]> http://www.dslreports.com/forum/remark,13807142 Sun, 03 Jul 2005 21:43:42 EDT Hijackthis log. I found one nasty. What is it ? http://www.dslreports.com/forum/remark,13807127 email scope : Logfile of HijackThis v1.99.1
Scan saved at 6:34:25 PM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx Home\SAGUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Dell PC\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···42952226
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
-------------------------
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

This is the nasty. How do I fix it ? Is this a Trojan, or Virus ?
I found it using this web site: »hijackthis.de/index.php?langselect=english]]> http://www.dslreports.com/forum/remark,13807127 Sun, 03 Jul 2005 21:41:02 EDT