Hijackthis log - anyone help translate it

uksosa · 20 May 2006 00:24

Hi I’m a newbie

and have no ‘educated’ knowledge bout IT etc. I came across you guys via the ‘hackers’ who invaded my pc and left embedded msn messenger etc with email .NET passport contacts as Teamphoenix@hotmail.co.uk

Having emailed DT… Thanks for advice I dowloaded hijackthis and my LOG is as follows: please note that I have deleted much suspicious stuff yet am certain they still lurk, any help or advice would be most gratefully received:

Logfile of HijackThis v1.99.1
Scan saved at 22:52:18, on 19/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Documents and Settings\Charles\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.channel4.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra ‘Tools’ menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140317946243
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

Thanks again

Sosa

Curly99 · 20 May 2006 00:35

Welcome to the forums, pity you had to find us this way though, try HERE and paste the hijack this log into the analizer, just tried it myself but can’t link to the results it gives, most things look ok to me.

hth, Curly

uksosa · 20 May 2006 02:07

Curly

Thanks for advice

Here are the results: it seems that all is now fine except OSE.EXE which is stated at the bottom of the results. Thanks again

  	http://www.hijackthis.de/logfiles/676257de8d76fd325e37abd314e5ae53.html

What is OSE.EXE ?

Steve_Harthon · 20 May 2006 04:37

its sopost be part of Microsoft Office

http://www.hijackfree.com/en/processdetails/?id=123

good way to find out what any proccess is to just enter then name IE “ose.exe” in to google all most aways find many sites giveing u info on it

MrTFWitt · 20 May 2006 11:04

uksosa:

Curly

Thanks for advice

Here are the results: it seems that all is now fine except OSE.EXE which is stated at the bottom of the results. Thanks again
  	http://www.hijackthis.de/logfiles/676257de8d76fd325e37abd314e5ae53.html
What is OSE.EXE ?

Its the MS Office Source Engine service as part of Office 2003.
Since the file is missing anyway you could remove the entry with HijackThis.

If you have Office2003 installed its a damaged install.
Instructions to repair the install are here