Hijackthis Log: Please Help Diagnose


This topic is locked
3 replies to this topic

#1 ifacchini

  • Members
  • 2 posts

Posted 13 May 2008 - 03:09 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:38 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Tasks\Control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winsock.ocx.{B12AE898-D056-4378-A844-6D393FE37956}\csrss.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Tasks\Control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winsock.ocx.{B12AE898-D056-4378-A844-6D393FE37956}\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ambicom\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\usnsvc.exe
C:\PROGRA~1\GoVideo\MEDIAS~1\ImmsService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\TightVNC\WinVNC.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\WebSearch\WebSearch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Ambicom\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\Software\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\sb.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\system32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [WebSearch] C:\Program Files\WebSearch\WebSearch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\DOCUME~1\IFACCH~1\LOCALS~1\Temp\AutoDetect.exe /active
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: GoVideo Media Server.lnk = C:\Program Files\GoVideo\Media Server\MediaServer.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_07\bin\npjpi141_07.dll
O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\system32\IEDriver\TD.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\system32\IEDriver\TD.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Ambicom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Ambicom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201465683390
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201465672203
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Windows Socket Manager (AppToService_Windows Socket Manager) - Basta Computing - C:\WINDOWS\Tasks\Control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winsock.ocx.{B12AE898-D056-4378-A844-6D393FE37956}\csrss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Ambicom\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Help and Support Service (hasvc) - Unknown owner - C:\WINDOWS\usnsvc.exe
O23 - Service: Integrated Multimedia Server - Unknown owner - C:\PROGRA~1\GoVideo\MEDIAS~1\ImmsService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 11397 bytes


#2 ifacchini

  • Topic Starter
  • Members
  • 2 posts

Posted 13 May 2008 - 03:23 PM

Hi guys, I didn't want to write anything on the log posted above, in case there was an automation to read the logs or something. :thumbsup:

Well, the basic problem is my Symantec can't delete the "usnsvc.exe" found in c:\windows\, which is supposed to be infected. I've read that some worms name themselves after legit system files, but because of their location, they are known to be harmful files.

I already did the basic "update virus definitions, scan, then remove" routine on what Symantec detected, but it cannot fix the usnsvc.exe. I'm using Symantec Corporate Edition 8.1.

I tried to enable the XP firewall (as indicated in your Preparation Guide), but I get an error message. I found a fix for it, but it requires a reboot (I didn't want to restart because the HijackThis info shows that actions were taken to stop services or delete registry entries accordingly, even though I just highlighted the entries and clicked "Info on selected item"). Please let me know what I should do next.


Thanks in advance,

Isa

Edited by ifacchini, 13 May 2008 - 05:40 PM.
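The location check Isa describes above (a file carrying a core system name but living outside the system directory, such as the csrss.exe and svchost.exe under C:\WINDOWS\Tasks\Control.{...} in the log in #1) can be applied to a whole HijackThis log automatically. This is an added Python example, not code from this thread or from HijackThis; the sample log lines are constructed from entries posted in #1, and the second heuristic (a folder whose name ends in a .{GUID} suffix, which Explorer displays as the named shell object rather than as a folder) is an assumption added here:

```python
import re

# Constructed sample, modelled on the log posted in this thread: a few
# "Running processes" lines plus O4/O23 entries, single-spaced.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\Tasks\Control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winsock.ocx.{B12AE898-D056-4378-A844-6D393FE37956}\csrss.exe
C:\WINDOWS\Tasks\Control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winsock.ocx.{B12AE898-D056-4378-A844-6D393FE37956}\svchost.exe
C:\WINDOWS\usnsvc.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O23 - Service: Windows Socket Manager (AppToService_Windows Socket Manager) - Basta Computing - C:\WINDOWS\Tasks\Control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\winsock.ocx.{B12AE898-D056-4378-A844-6D393FE37956}\csrss.exe
O23 - Service: Seagate Sync Service - Unknown owner - C:\Program Files\Seagate\Sync\SeaSyncServices.exe (file missing)
"""

# Core Windows binaries that, on XP, run only from %SystemRoot%\system32.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe"}
EXPECTED_DIRS = {r"c:\windows\system32"}
# A drive-letter path ending in .exe; greedy so spaces in "Program Files" survive.
PATH_RE = re.compile(r"[a-z]:\\.*\.exe", re.IGNORECASE)
# A folder named "<name>.{GUID}" (assumed heuristic): Explorer shows it as the
# shell object the GUID identifies, so the files inside are hidden from browsing.
CLSID_DIR_RE = re.compile(r"\\[^\\]*\.\{[0-9a-f-]{36}\}\\", re.IGNORECASE)

def extract_exe_paths(log_text):
    """Return every .exe path named in a HijackThis log, in log order."""
    paths = []
    for line in log_text.splitlines():
        match = PATH_RE.search(line)
        if match:
            paths.append(match.group(0))
    return paths

def find_suspicious(paths):
    """Map each flagged path to the location-based reasons it was flagged."""
    findings = {}
    for path in dict.fromkeys(paths):  # de-duplicate, keep log order
        folder, _, name = path.lower().rpartition("\\")
        reasons = []
        if name in SYSTEM_ONLY and folder not in EXPECTED_DIRS:
            reasons.append("system binary name outside system32")
        if CLSID_DIR_RE.search(path):
            reasons.append("runs from a CLSID-named folder")
        if reasons:
            findings[path] = reasons
    return findings
```

Running find_suspicious(extract_exe_paths(SAMPLE_LOG)) flags only the two Tasks\Control.{...} binaries; usnsvc.exe is not caught by a name-plus-location rule, which is why a file like that still has to be scanned or looked up before it can be called bad.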


#3 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 24 May 2008 - 03:47 PM

Welcome to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait. If your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

1) Please provide information about the symptoms you are having, "Please Help Diagnose" tells me nothing.

2) usnsvc.exe: http://www.processlibrary.com/directory/files/usnsvc
http://www.google.com/search?hl=en&q=u...G=Google+Search
Of course the hackers can call their junk what they wish, often files need to be scanned before you know they are bad.

3) Note: In Notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced. Single-spaced: (of type or print) not having a blank space between lines.
It is preferable, and the log easier to read, if you do not use the [code] or [php] options.

4) C:\Downloads\Software\HiJackThis.exe <<< not a safe location, follow these directions to place HJT in a safe location:

Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply using Add Reply.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#4 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 31 May 2008 - 07:37 PM

There has been no response to this topic in a week
This topic is closed
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
