
An Ounce Of Prevention?



#1 flywho

Posted 01 October 2008 - 10:20 PM

Hi, being a newbie here, I wonder if this idea has any value. First, some of my history:
About 3 weeks ago, I found my system unusable and reinstalled the OS and programs, which took a few days. Afterwards, I decided I didn't want to repeat this process ever again, and I've been reading this and other forums that deal with malware.

I now think I have a clean system - I scanned with Ad-aware and followed the preparation instructions.
I also set a system restore point and ran the Windows Vista disk cleanup utility.

Then I ran a HJT scan, as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:26 PM, on 10/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Users\admin\Programs\Art Plus\Wallpaper5\wallpaper.exe
C:\Users\admin\AppData\Local\Temp\AutoDetect.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\DeskPins\DeskPins.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\admin\AppData\Roaming\U3\0000184A88710B9E\LaunchPad.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Art Plus Wallpaper Calendar] "C:\Users\admin\Programs\Art Plus\Wallpaper5\wallpaper.exe" /a
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\Users\admin\AppData\Local\Temp\AutoDetect.exe /active
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5330 bytes

This looks pretty clean to me, but then again, I'm not an expert. At this time, I see no problems with performance or anything.

If I save this log and, at any time I notice problems on my machine, run a new log and compare the contents, would I be correct in assuming that the changes in the new log would point out possible problems to deal with? Perhaps, with this method, I may be able to identify and fix certain things that creep up and may be pretty obvious, before I take up the valuable time of the moderators here.

If you don't mind, please, could you look over this HJT log file and confirm or deny to me that it is indeed clean? Also, please let me know if my idea has any value, or whether it is completely idiotic (I wouldn't be surprised since I'm learning from scratch here) :thumbsup:

Thanks a lot,

Flywho

#2 Grinler (Lawrence Abrams)

Posted 12 October 2008 - 07:07 AM

Log looks clean. This program should not be running from a temp folder:

O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\Users\admin\AppData\Local\Temp\AutoDetect.exe /active

It may get deleted by accident when running programs that clean out the temp folders.

As for comparing this log to future logs, that will work, but there are malware loading points that do not show in a HJT log.

All I can say is that you appear clean right now.
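One way to put flywho's idea into practice, and to catch the Temp-folder case Grinler points to, is a small script that parses a saved baseline HijackThis log, parses a later one, and reports which entries appeared or vanished. This is an added example in Python, not code posted in the thread or shipped with HijackThis. It assumes the log layout shown above (entries start with a section code such as R0, O4 or O23 followed by " - ", and the "Running processes:" block lists bare paths up to the next blank line). The two logs embedded below are constructed, trimmed from the format in the thread; the "ExampleUpdater" entry and updater_example.exe are made-up names used only to make the diff show something.

```python
"""Added example (not from the thread): compare a saved baseline HijackThis
log with a later one, and flag loading points that run from a Temp folder.

Assumptions: HJT entries begin with a section code (R0, O2, O4, O23, ...)
followed by ' - '; the 'Running processes:' block lists bare paths up to the
next blank line. The two logs below are constructed, trimmed from the format
shown in the thread; 'ExampleUpdater' / updater_example.exe are made up.
"""
import re
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]  # (section code, rest of the line)

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A persistent program loading from a \Temp\ folder deserves a second look:
# it is an odd place for one, and temp cleaners may delete it (the point made
# in the reply above).
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_hjt(text: str, include_processes: bool = True) -> Set[Entry]:
    """Return the set of entries in an HJT log.

    Running processes are stored under the pseudo-section 'PROC' so that a
    new process can surface in a diff too. They are volatile (HijackThis.exe
    itself, Notepad), so callers can leave them out.
    """
    entries: Set[Entry] = set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add((m.group("code"), m.group("body")))
        elif in_processes and include_processes:
            entries.add(("PROC", line))
    return entries


def diff_logs(baseline: str, new: str,
              include_processes: bool = False) -> Dict[str, List[Entry]]:
    """Entries that appeared ('added') or vanished ('removed') since the baseline."""
    old = parse_hjt(baseline, include_processes)
    cur = parse_hjt(new, include_processes)
    return {"added": sorted(cur - old), "removed": sorted(old - cur)}


def temp_folder_entries(text: str) -> List[Entry]:
    """Loading points (processes excluded) whose target lives in a Temp folder."""
    return sorted(e for e in parse_hjt(text, include_processes=False)
                  if TEMP_RE.search(e[1]))


# Constructed baseline, trimmed from the log format shown in the thread.
BASELINE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:26 PM, on 10/1/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Windows\Explorer.EXE
C:\Users\admin\AppData\Local\Temp\AutoDetect.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\Users\admin\AppData\Local\Temp\AutoDetect.exe /active
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe

--
End of file - 5330 bytes
"""

# Constructed later log: DeskPins startup item gone, a made-up Run entry added.
NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:00 PM, on 10/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)

Running processes:
C:\Windows\Explorer.EXE
C:\Users\admin\AppData\Local\Temp\AutoDetect.exe
C:\Users\admin\AppData\Local\Temp\updater_example.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Ceedo AutoDetect] C:\Users\admin\AppData\Local\Temp\AutoDetect.exe /active
O4 - HKCU\..\Run: [ExampleUpdater] C:\Users\admin\AppData\Local\Temp\updater_example.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe

--
End of file - 5402 bytes
"""

if __name__ == "__main__":
    changes = diff_logs(BASELINE_LOG, NEW_LOG)
    for kind in ("added", "removed"):
        print(f"{kind}:")
        for code, body in changes[kind]:
            print(f"  {code} - {body}")
    print("loading points under a Temp folder:")
    for code, body in temp_folder_entries(NEW_LOG):
        print(f"  {code} - {body}")
```

By default the diff ignores the running-process list, because it changes every scan (HijackThis and Notepad are themselves in it); pass include_processes=True to see new processes as well. The report only highlights what changed and where a loading point sits; as Grinler says, HJT does not show every loading point, so an unchanged diff is not proof of a clean machine, only that nothing HJT watches has moved.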

#3 Grinler (Lawrence Abrams)

Posted 16 October 2008 - 08:43 AM

Do you still need help or should I close this topic?

#4 flywho (Topic Starter)

Posted 18 October 2008 - 02:32 AM

Hi, sorry to leave this open for so long. I had tried to reply to my email notifications, only to notice that this wasn't possible (as I received bounce notifications 2 days later). So I'm logging in just to say THANKS so much again, and at this time I think I'm OK, so please close the topic.
Despite what I think may be good ideas, I'm a bloody novice - so thanks for your patience.
I would like to repeat what I tried to send via email: you guys deserve extra special blessings for all you do!

#5 Grinler (Lawrence Abrams)

Posted 18 October 2008 - 08:49 AM

Thanks for letting us know and thanks for the compliments!

I will close this topic. Sorry again for the delay.
