Forums » Up and Running » Security » Security » Hijackthis log. I found one nasty. What is it ?


email scope

join:2005-03-06
Canada

Hijackthis log. I found one nasty. What is it ?

Logfile of HijackThis v1.99.1
Scan saved at 6:34:25 PM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx Home\SAGUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Dell PC\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···42952226
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
-------------------------
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

This is the nasty. How do I fix it ? Is this a Trojan, or Virus ?
I found it using this web site: »hijackthis.de/index.php?langselect=english


CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX
·RoadRunner Cable

Re: Hijackthis log. I found one nasty. What is it

This nasty
wmplayer.exe
is »www.liutilities.com/products/win···mplayer/
windows media player...
--
Lost in Texas


email scope

join:2005-03-06
Canada

said by CajunTek See Profile:

This nasty
wmplayer.exe
is »www.liutilities.com/products/win···mplayer/
windows media player...
I wonder why other hijackthis forums say to delete it ? Oh, and this comes after wmplayer.exe //ICWLaunch
What's the significance of that if any ?


CajunTek
Insane Cajun
Premium,MVM
join:2003-08-08
Arlington, TX
If you are talking about that automated hijackthis analyzer.. I don't trust 'em.. Darned thing wants me to delete my firewall.. :|
--
Lost in Texas


email scope

join:2005-03-06
Canada
Ok. I see other hijackthis forums say to delete it. More than one...makes me nervous.

How would I delete it. Is there a special way ?


email scope

join:2005-03-06
Canada
I couldn't stand it. I had to fix it, so I did, and it's gone. Ha heh. Good riddance too.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

reply to email scope
Re: Hijackthis log. I found one nasty. What is it ?

R1 is for Internet Explorer's Search functions and other characteristics. I don't think wmplayer.exe belongs there. There are also several nasties with the same file name.

Use Windows Search (Start > Search > For Files or Folders), to search for each instance of wmplayer.exe

Please submit each instance of wmplayer.exe to the following link for a scan and post the results, along with the full path for any instance that was found to contain malware.

»virusscan.jotti.org/

In the meantime:

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

The two items you fixed were malicious entries that had replaced your default Windows Related links buttons. If you want to restore the Microsoft "Related Links" here is a tool to fix it. »www.mvps.org/winhelp2002/alexa.zip
Unzip, place "related.htm" into your "\WINDOWS\Web" folder. Right-click on "RestoreAlexa.reg", select: Merge, and reboot.

Please restart your system and post a new HijackThis log
--
Proud ASAP member since 2005
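The checks TheJoker applies above (an executable sitting in an R1 ShellNext value, the O9 "Related" button entries, and an O23 service whose file is missing) can be scripted over a saved HijackThis log. The script below is an added example, not code from the thread or from HijackThis; it assumes the "Xn - detail" line layout shown in the logs above, and the sample log embedded in it is a constructed excerpt of the first log posted in this thread. The CLSID it keys on is the one from the O9 lines above.

```python
import re
from dataclasses import dataclass

# HijackThis entry lines look like "<code> - <detail>", e.g. "O9 - Extra button: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# CLSID of the "Related" button entries the reviewer asked to fix (taken from the log above).
RELATED_CLSID = "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"

# Constructed excerpt of the first log in this thread (process list shortened).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:34:25 PM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Prevx Home\PXAgent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
"""


@dataclass(frozen=True)
class Finding:
    code: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (code, detail) for every HijackThis entry line; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries


def triage(log_text):
    """Apply the three checks discussed in this thread and return the entries worth a closer look."""
    findings = []
    for code, detail in parse_entries(log_text):
        line = f"{code} - {detail}"
        lowered = detail.lower()
        if code == "R1" and ",ShellNext = " in detail:
            value = detail.split(",ShellNext = ", 1)[1].strip()
            first_token = value.split()[0] if value else ""
            # R1 holds IE URL settings; an executable name here (with or without arguments) is out of place.
            if first_token.lower().endswith(".exe"):
                findings.append(Finding(code, "ShellNext value is an executable, not a URL", line))
        elif code == "O9" and RELATED_CLSID in lowered and lowered.endswith("related.htm"):
            findings.append(Finding(code, "Related Links button entry the reviewer asked to fix", line))
        elif code == "O23" and detail.endswith("(file missing)"):
            findings.append(Finding(code, "service registered with a path that no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

The rules only reproduce what this thread settled on; a flagged line is a prompt to look up the file and submit it for a scan, as TheJoker asks, not a verdict on its own.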


email scope

join:2005-03-06
Canada

Re: Hijackthis log. I found one nasty. What is it

Logfile of HijackThis v1.99.1
Scan saved at 7:28:47 PM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx Home\SAGUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Dell PC\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »update.microsoft.com/windowsupda···42952226
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
-------------

wmplayer.exe //ICWLaunch
Is gone. I already fixed it. I didn't know I should submit it. That other poster said it was fine.

There's no use in me submitting anything now. It's gone !


ronob
I'M Fixin It

join:1999-10-18
Fort Lauderdale, FL

said by email scope See Profile:

wmplayer.exe //ICWLaunch
Is gone. I already fixed it. I didn't know I should submit it. That other poster said it was fine.

There's no use in me submitting anything now. It's gone !
"Use Windows Search (Start > Search > For Files or Folders), to search for each instance of wmplayer.exe

Please submit each instance of wmplayer.exe to the following link for a scan and post the results, along with the full path for any instance that was found to contain malware.

»virusscan.jotti.org/ "
--
I've been to the end of the internet!


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

reply to email scope
Re: Hijackthis log. I found one nasty. What is it ?

Your log looks fine now (although it is an unusually short log).

That line may be gone from your HijackThis log, but did you actually delete the file (there was no file path in the line)? In my case, I have several different copies of wmplayer.exe on my system. Unless you searched for and deleted all instances of wmplayer.exe from your system (and you would have actually deleted Windows Media Player's executable if you did that), you should still search for each copy of the file and submit it for the scan to be certain one of them isn't malware.
--
Proud ASAP member since 2005
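TheJoker's point is that removing the R1 line from the log says nothing about the file itself, and that a system normally holds more than one wmplayer.exe. The script below is an added example (not the thread's code) of the search step he describes: it walks a directory tree you choose, lists every file with that name regardless of case, and records each copy's size and SHA-256 so identical copies are submitted once and the differing one stands out. The `demo` function builds a constructed temporary tree so it runs offline; the paths in it are illustrative, not real system paths.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large executables do not need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, filename):
    """Return (path, size, sha256) for every file under root whose name matches, case-insensitively
    (Windows file names are case-insensitive, so WMPLAYER.EXE is the same name as wmplayer.exe)."""
    target = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                p = Path(dirpath) / name
                hits.append((str(p), p.stat().st_size, sha256_of(p)))
    return sorted(hits)


def group_by_hash(hits):
    """Collapse byte-identical copies so only distinct binaries need submitting to a scanner."""
    groups = {}
    for path, _size, digest in hits:
        groups.setdefault(digest, []).append(path)
    return groups


def demo():
    """Constructed tree: two identical copies and one differing copy of wmplayer.exe, plus an unrelated file.
    Returns (number of copies found, number of distinct binaries among them)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "Program Files/Windows Media Player/wmplayer.exe": b"MZ-sample-media-player",
            "WINDOWS/system32/dllcache/WMPLAYER.EXE": b"MZ-sample-media-player",
            "Documents and Settings/user/Local Settings/Temp/wmplayer.exe": b"MZ-different-bytes",
            "WINDOWS/notepad.exe": b"MZ-unrelated",
        }
        for rel, content in layout.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(content)
        hits = find_copies(root, "wmplayer.exe")
        return len(hits), len(group_by_hash(hits))


if __name__ == "__main__":
    copies, distinct = demo()
    print(f"{copies} copies found, {distinct} distinct binaries")
```

On a real machine, call `find_copies(r"C:\", "wmplayer.exe")` and submit one file per hash group; a copy in a temporary or profile folder with a hash that differs from the one under Program Files is the one to scan first.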


email scope

join:2005-03-06
Canada

Re: Hijackthis log. I found one nasty. What is it

»www.virustotal.com/flash/index_en.html

That scanner was busy, so I used this one. It found no nasties. And tds anti trojan found nothing.

Thank you for your help. If I ever find anything again, I'll run it through one of those scanners before I post anything here.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA

reply to email scope
Re: Hijackthis log. I found one nasty. What is it ?

You aren't through quite yet. You need to improve your security.

Your version of Internet Explorer is old and needs to be updated, and you need to install Service Pack 2 (SP-2). You need to go to Windows Update (Start button > Windows update) and install all critical updates. Not updating your system puts it at risk for MANY exploits.

You need to run an antivirus program and keep it up-to-date. I don’t see one in your HijackThis log. If cost is an issue, try AVG 7 Free available at »free.grisoft.com/doc/2/lng/us/tpl/v5 or Free avast! 4 Home Edition at »www.avast.com/eng/avast_4_home.html.

You also need a software firewall; I don't see one in your HijackThis log. Two free firewalls are Zone Alarm from zonelabs.com »www.zonelabs.com/store/content/c···load.jsp or Kerio Personal Firewall available from »www.kerio.com/us/kpf_home.html. There is a tutorial on understanding firewalls at »www.bleepingcomputer.com/forums/···l60.html.

There are several free utilities you can use to help keep malware off your system:

A HOSTS file will prevent Internet Explorer from communicating with sites associated with adware or spyware. A good regularly updated HOST file is MVPS HOSTS File, available at »www.mvps.org/winhelp2002/hosts.htm.

IE/SPYAD adds sites associated with ads and spyware to your Internet Restricted Zone and you can download that at »https://netfiles.uiuc.edu/ehowes/www/res···#IESPYAD.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at »www.javacoolsoftware.com/products.html.

I recommend reading Tony Klein's article How did I get Infected? at »www.computercops.biz/postlite7736-.html

Please let me know if your problem appears solved.
--
Proud ASAP member since 2005


email scope

join:2005-03-06
Canada

Re: Hijackthis log. I found one nasty. What is it

I use a limited account, and prevx free. I have a dlink-604 router, and use the xp firewall. I do have spywareblaster, and ad aware. As well as the protection included in the picture.

I don't use an anti-virus, I guess I should, but I haven't seen the need to.
SP2 slows down the pc according to theinquirer.net, and other places, so I don't use it.
I don't use IE, so I don't need a hosts file.

I think my pc is clean.

Reverend Ike
Premium
join:2001-08-24
Sacramento, CA

said by email scope See Profile:

I don't use IE, so I don't need a hosts file.
The Hosts file is not IE-dependent.

The level of user expertise, whether a system has a single user or multiple users, etc. may affect the importance of using a resident AV and/or updating to SP2. However, as general advice, I think most in the Security forum would recommend including both components on the basis that the benefits of each usually outweigh any negative effects.


TheJoker
Premium,VIP,MVM
join:2001-04-26
Alexandria, VA


1 edit
reply to email scope
said by email scope See Profile:

I use ....the xp firewall.
That is not a full featured firewall. It only checks incoming connections. You are much better off with a real firewall that checks both incoming and outgoing connections. With a rules based firewall, if a program you have not authorized for internet access tries to go out (worm, adware, or even a legitimate program), you are notified and allowed the chance to either allow it, or to stop it. The XP firewall won't do that as it doesn't check anything going out.

quote:
I don't use a anti-virus, I guess I should
Absolutely!

quote:
SP2 slows down the pc according to theinquirer.net, and other places, so I don't use it.
SP2 has the security patches to prevent many of the exploits that malware uses to get on your system. You are not secure without it, and will likely become infected again without it, the only question is how long it will take before you run across malware that your system is unnecessarily vulnerable to. The only thing that might be slower with SP2 is that there is a limit to the number of concurrent connections (10) to slow the progress of worms from infected systems. That can affect P2P programs, but not significantly from what I've seen, and there are patches to bypass that limitation if that's what you are referring to. With your system clean, you shouldn't be doing any connecting with your system until you do install SP2. You have no antivirus, no real firewall, and don't have SP2 installed. Your system is a threat to others on the Internet should you become infected. There have even been cases where users have become infected, and with no firewall to stop the outgoing connection, tried to infect other systems, and their ISP rightfully terminated their access until their system was cleaned. I would run, not walk, to Windows Update and install SP2.
--
Proud ASAP member since 2005


email scope

join:2005-03-06
Canada

reply to email scope
I upgraded my PC security.

I am now using that hosts file, and avg free as well as sp2. On top of the other security I described.

I reformatted too.

The pc is slower, but not too much.

I think a new firewall is too much. It'll slow my pc down too much.

Thank you Joker, and the rest of you kind people for your help.
© 1999-2009 dslreports.com.