Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log - Zer0_II


  • Please log in to reply
11 replies to this topic

#1 Zer0_II

Zer0_II

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 03 March 2005 - 09:15 AM

I've been getting a message from a-squared whenever I run either internet explorer or firefox. It says "possible backdoor behaviour". Here's my log. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:34 AM, on 3/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Stardock\Object Desktop\CursorXP\CursorXP.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\Stardock\Object Desktop\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:52 PM

Posted 03 March 2005 - 02:34 PM

Dont see anything...is there any other info it gives?

#3 Zer0_II

Zer0_II
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 03 March 2005 - 05:55 PM

Just what I wrote above and this:

While executing the program aČ detected a possible malicious behavior. Normally this behavior is common for backdoors only. In rare cases this can be a false detection of legit server software. It's recommended to terminate the program and to submit it for further analysis.

I didn't get this message until I installed the newest version of internet explorer. I uninstalled that version, and now I'm not getting the message whenever I run IE, but I'm still getting it whenever I run firefox.

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:52 PM

Posted 04 March 2005 - 12:35 AM

Is it saying what programs its detecting the malicious behaviour from?

#5 Zer0_II

Zer0_II
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 04 March 2005 - 01:34 PM

I thought the possible malicious behaviour was coming from firefox and IE. Do you mean a possible malicious behaviour from another source? It doesn't mention anything about that.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:52 PM

Posted 05 March 2005 - 12:01 AM

Do you have spywareblaster protecting firefox? If so its probably a false positive from a-squared

#7 Zer0_II

Zer0_II
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 05 March 2005 - 12:37 PM

No I don't. I was using the active protection offered by Microsoft's Anti-Spyware. Would you recommend that I use Spyware Blaster instead? I was also thinking that it might be a false positive, but I just wanted to be sure.

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:52 PM

Posted 05 March 2005 - 03:25 PM

Definitely install spywareblaster, but i am pretty sure this is a false positive. Follow the advice here:

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

#9 Zer0_II

Zer0_II
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 05 March 2005 - 03:50 PM

I have followed 99% of the advice on the page already. One question though... If I rarely use IE do you think that I still need Spyware Blaster? I use Firefox as my default browser and don't use IE unless it's a page that Firefox can't access such as the Windows Update site.

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:52 PM

Posted 05 March 2005 - 04:00 PM

Spywareblaster should be installed as applications wil luse ie from time to time and it also contains support for blocking tracking cookies in firefox

#11 Zer0_II

Zer0_II
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 05 March 2005 - 05:36 PM

Okay I will use Spyware Blaster instead of Microsoft's Anti-Spyware. Thanks for all of your support.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:52 PM

Posted 06 March 2005 - 11:04 AM

You can use them both. Its fine to do that




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users