
Need Help With Analyzing Hjt Script


1 reply to this topic

#1 sdbrown219


Posted 16 July 2008 - 12:25 PM

I have a system that is badly infected, and an OS reinstall is not a good option since the owner of the system did not keep any of the drivers when the system was built. (It is a home-built system.) Tried to download drivers online but was unable to locate the specific drivers for the system board. Have run Avast AV on the system and keep getting an infection from win32:swizzor TRJ. The system is getting a ton of pop-ups. Have run DSS and came up with the following log file:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2600+
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 479.48 MiB / 134.47 MiB
Pagefile Memory (total/avail): 1168.29 MiB / 816.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.65 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 37.26 GiB total, 25.49 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - MDT MD400EB-00CPF0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirewallOverride is set.

AV: avast! antivirus 4.8.1201 [VPS 080716-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe:*:Disabled:WinDVD"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Disabled:TrueVector Service"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Shine Electric\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOHN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shine Electric
LOGONSERVER=\\JOHN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHINEE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHINEE~1\LOCALS~1\Temp
USERDOMAIN=JOHN
USERNAME=Shine Electric
USERPROFILE=C:\Documents and Settings\Shine Electric
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Shine Electric (admin)
QBDataServiceUser17
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> MsiExec.exe /I{71EEA108-09C9-4D81-8FA2-D48C70681242}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1st Choice Electrical Estimating Software Residential Estimator V1.0 --> C:\WINDOWS\UnDeploy.exe "C:\Program Files\ResidentialEstimater\Deploy.log"
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 2.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CiD Help --> C:\DOCUME~1\SHINEE~1\APPLIC~1\REALBA~1\JUNK FIND WARN.exe -uninstall
Creative DVD Audio Plugin for Audigy Series --> "C:\Program Files\Creative\CTDPlugin\CTUIDVD.exe " -u
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® 537EP Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP Modem"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD 6 --> "C:\Program Files\InstallShield Installation Information\{6ACA2FD2-4C4A-42F3-AFB5-7B433BBDF6DB}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark Z600 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Online Bible 10.10.09 --> C:\Program Files\Bible\OlbDel.Exe "Online Bible" "Online Bible" "C:\Documents and Settings\Shine Electric\My Documents\Bible\" "C:\Documents and Settings\All Users\Documents\Online Bible\"
QuickBooks Pro 2007 --> msiexec.exe /I {71EEA108-09C9-4D81-8FA2-D48C70681242} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2007" ADDREMOVE=1
QuickBooks Product Listing Service --> MsiExec.exe /I{91208A47-5D08-4C79-986F-1931940F51BB}
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
Rhapsody Player Engine --> MsiExec.exe /I{6A136B9A-1895-436F-83F8-30D9C68BB6EA}
SupportSoft Assisted Service --> MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver --> C:\PROGRA~1\VIA\UChromeP\s3minset.exe /u C:\PROGRA~1\VIA\UChromeP\UChromeP.uns
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}


-- Application Event Log -------------------------------------------------------

Event Record #/Type8906 / Error
Event Submitted/Written: 07/16/2008 01:01:11 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type8905 / Error
Event Submitted/Written: 07/16/2008 01:01:11 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type8897 / Warning
Event Submitted/Written: 07/16/2008 00:29:56 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type8895 / Error
Event Submitted/Written: 07/16/2008 01:53:41 AM
Event ID/Source: 5000 / MPSampleSubmission
Event Description:
mptelemetry80240016begininstallinstall1.1.1593.0mpsigdwn.dll1.1.1593.0windows defenderNILNILNIL

Event Record #/Type8887 / Warning
Event Submitted/Written: 07/15/2008 06:38:08 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19766 / Warning
Event Submitted/Written: 07/16/2008 01:01:33 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JOHN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JOHN27 can't undo changes that you allow.

For more information please see the following:
%JOHN275

Scan ID: {8C246C65-49C3-4AA8-8977-F12C0F537594}

User: JOHN\Shine Electric

Name: %JOHN271

ID: %JOHN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JOHN276

Alert Type: %JOHN278

Detection Type: 1.1.1593.02

Event Record #/Type19765 / Warning
Event Submitted/Written: 07/16/2008 01:01:33 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JOHN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JOHN27 can't undo changes that you allow.

For more information please see the following:
%JOHN275

Scan ID: {7A7E489E-0CE0-4A54-B1EB-FB2DE43C91C0}

User: JOHN\Shine Electric

Name: %JOHN271

ID: %JOHN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JOHN276

Alert Type: %JOHN278

Detection Type: 1.1.1593.02

Event Record #/Type19764 / Warning
Event Submitted/Written: 07/16/2008 01:01:33 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JOHN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JOHN27 can't undo changes that you allow.

For more information please see the following:
%JOHN275

Scan ID: {925C0A0D-0782-4839-9236-D1C5FA3101FA}

User: JOHN\Shine Electric

Name: %JOHN271

ID: %JOHN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JOHN276

Alert Type: %JOHN278

Detection Type: 1.1.1593.02

Event Record #/Type19763 / Warning
Event Submitted/Written: 07/16/2008 01:01:30 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JOHN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JOHN27 can't undo changes that you allow.

For more information please see the following:
%JOHN275

Scan ID: {F775304F-AB38-458F-9746-81FB861CDDAB}

User: JOHN\Shine Electric

Name: %JOHN271

ID: %JOHN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JOHN276

Alert Type: %JOHN278

Detection Type: 1.1.1593.02

Event Record #/Type19762 / Warning
Event Submitted/Written: 07/16/2008 01:01:30 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JOHN27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %JOHN27 can't undo changes that you allow.

For more information please see the following:
%JOHN275

Scan ID: {084FC709-71B6-4E12-BB1F-ECDB6388C71D}

User: JOHN\Shine Electric

Name: %JOHN271

ID: %JOHN272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %JOHN276

Alert Type: %JOHN278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-07-16 13:02:15 ------------

Just need some expert help with what to do with this info, since I'm an HJT noob. Any help would be greatly appreciated.

Thanks,

sdbrown219
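A first triage pass over the "Security Center" and "Add/Remove Programs" sections of the DSS log above, as an added example; it is not part of the original post and is not DSS or HijackThis code. It pulls the firewall AuthorizedApplications entries out of the registry-export lines, lists the ones that are Enabled, flags an exception whose free-text display name shares nothing with the binary it covers, and flags Add/Remove entries whose uninstaller lives under a user profile or temp directory. SAMPLE_LOG is excerpted from the log posted above; the list of "user-writable" path markers and the display-name heuristic are this example's own assumptions, not anything DSS reports.

```python
"""
Triage of the "Security Center" and "Add/Remove Programs" sections of a
Deckard's System Scanner (DSS) extra log.

Added example, not part of the original post and not DSS or HijackThis
code.  SAMPLE_LOG is excerpted from the log posted above; the heuristics
(what counts as a user-writable path, when a firewall exception's display
name is worth a second look) are this example's own assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirewallOverride is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitDownload\\BitDownload.exe"="C:\\Program Files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"

-- Add/Remove Programs ---------------------------------------------------------

CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CiD Help --> C:\DOCUME~1\SHINEE~1\APPLIC~1\REALBA~1\JUNK FIND WARN.exe -uninstall
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
"""


@dataclass
class AuthorizedApp:
    path: str       # program granted a firewall exception
    scope: str      # "*" = all networks
    enabled: bool
    name: str       # display name, or "@dll,-id" resource reference


# registry export line:  "key"="path:scope:Enabled|Disabled:name"
_AUTH_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>.+)"$')
_VAL_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$',
    re.IGNORECASE)
# Add/Remove line:  <display name> --> <uninstall command>
_ADDREM_RE = re.compile(r'^(?P<name>.*?)\s*-->\s*(?P<cmd>.+)$')
_EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# assumption: paths a standard user can write to, where an uninstaller or
# auto-start binary is unusual for legitimately installed software
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\",
                 "\\application data\\", "\\applic~1\\", "\\temp\\")


def parse_authorized_apps(text):
    """Return the firewall AuthorizedApplications entries found in a DSS log."""
    apps = []
    for line in text.splitlines():
        m = _AUTH_RE.match(line.strip())
        v = _VAL_RE.match(m.group("val")) if m else None
        if not v:
            continue
        apps.append(AuthorizedApp(
            path=v.group("path").replace("\\\\", "\\"),  # undo .reg escaping
            scope=v.group("scope"),
            enabled=v.group("state").lower() == "enabled",
            name=v.group("name")))
    return apps


def parse_add_remove(text):
    """Return (display name, uninstaller .exe path or None) for each entry."""
    entries = []
    for line in text.splitlines():
        m = _ADDREM_RE.match(line.strip())
        if not m:
            continue
        exe = _EXE_RE.search(m.group("cmd"))
        entries.append((m.group("name"), exe.group(1) if exe else None))
    return entries


def name_mismatch(app):
    """Heuristic: free-text display name shares nothing with the binary's stem."""
    if app.name.startswith("@"):
        return False  # localized resource string, not chosen by the installer
    stem = app.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return stem not in app.name.lower() and app.name.lower() not in stem


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(text):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if re.search(r"^Windows Internal Firewall is disabled\.", text, re.M):
        findings.append("host firewall disabled")
    if re.search(r"^FirewallOverride is set\.", text, re.M):
        # Security Center's FirewallOverride value suppresses its firewall warnings
        findings.append("FirewallOverride set: Security Center firewall alerts suppressed")
    for app in parse_authorized_apps(text):
        if app.enabled:
            note = " (display name does not match binary)" if name_mismatch(app) else ""
            findings.append(f"firewall exception enabled: {app.path} [{app.name}]{note}")
    for name, exe in parse_add_remove(text):
        if exe and in_user_writable(exe):
            findings.append(f"uninstaller in user-writable location: {name or '<unnamed>'} -> {exe}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run it as a script to print the findings, or pass the full log text to `triage()` instead of SAMPLE_LOG to cover every entry. The output is a list of things for a human to look at, not verdicts: an Enabled exception for a file-sharing client is a policy question for the owner, while an uninstaller sitting under Application Data is simply unusual enough to check by hand before trusting the entry.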


#2 rookie147


Posted 05 August 2008 - 01:48 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
As you can probably see our HijackThis Team is incredibly busy at the moment, but I apologise for the delay you have experienced. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A HijackThis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.




