Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

my HijackThis scan results... help!


  • This topic is locked This topic is locked
7 replies to this topic

#1 Howitzer

Howitzer

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 29 April 2005 - 09:12 AM

I'm running Windows XP Home Edition.

I ran updated versions of Ad Aware SE, Spybot S & D, and microsoft's Antispyware.... is my malware gone?

check it out:
Logfile of HijackThis v1.99.1
Scan saved at 8:05:29 AM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Logan\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [MSN Messages] msnmessag.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [MSN Messages] msnmessag.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYCA_ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

BC AdBot (Login to Remove)

 


#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 AM

Posted 29 April 2005 - 12:23 PM

Hello Howitzer, Welcome to BleepingComputer. Keep in mind that Microsoft product is still Beta!!
You do have some nasties onboard including this one: http://www3.ca.com/securityadvisor/virusin...s.aspx?id=42511 Make sure you read this information so you will understand how it got onboard, and how it spreads.
I suggest you do not use your MSNIM until you are clean.
If you wish help removing the nasties then follow these directions:

1) HJT needs it's own permanent folder to store HJT.exe, logs and backups for safety. You are running a .zip file from at Temporary Directory and the backups may not be available if needed. Please view the information in the following link to fix this: http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/

2) Download CCleaner from this link: http://www.ccleaner.com/ Take the time to review the instructions on the download page so that when I ask you to run it you will know what you are doing.

3) Microsoft AntiSpyware will block the HJT fix we must make, use these instructions to turn it off until you are finished:
To disable the program, follow the instructions below:
A.) Right click on the Microsoft Antispyware tray icon (a little red and yellow circle looking thing)
B.) Click on Security Agents Status (Enabled)
C.) Click on Disable Real-time Protection.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\RunServices: [MSN Messages] msnmessag.exe
O4 - HKCU\..\RunServices: [MSN Messages] msnmessag.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYCA_ZN
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.musicmatch.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system.
You may wish to reverse this process if you have any concern about anyone getting into these hidden system files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Please use your search function to see where this is located: msnmessag.exe I believe it is your Prefetch Folder and we will empty that, but if it is located anywhere else we will wish to check to delete it if it is there.

RIGHT Click on Start then click on Explore. Locate and delete these items:

msnmessag.exe >>> file ( if you found the location, be careful to look at the spelling so you do not remove any needed files)

Locate C:\Windows\Prefetch then open that folder and delete everthing that is there. (NOT THE FOLDER...just the contents)
Information about Prefetch:
http://www.pcmag.com/article2/0,1759,1683520,00.asp
http://techrepublic.com.com/5100-6270-5165773.html

Let's check for trojans, run this free online scan, scan the whole system and set it to clean or fix anything it locates. Let me know what it finds and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX, please do so as this program is safe and it can not run without it.
http://www.windowsecurity.com/trojanscan/

Run this free scan also using the same instructions:
http://housecall.trendmicro.com/housecall/start_corp.asp

Run CCleaner then restart the computer and post a new log in this same thread along with any feedback you have. Let us know how you are running.

Thanks...pskelley
HJT Team

PURGE SYSTEM RESTORE
When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instruction:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Edited by pskelley, 29 April 2005 - 12:26 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 Howitzer

Howitzer
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 02 May 2005 - 09:08 AM

"Let's check for trojans, run this free online scan, scan the whole system and set it to clean or fix anything it locates. Let me know what it finds and the exact name and location of anything it locates but can't remove. You may be asked to install an ActiveX, please do so as this program is safe and it can not run without it.
[url="http://www.windowsecurity.com/trojanscan/""]http://www.windowsecurity.com/trojanscan/"[/url]

it doesn't give me the option of "cleaning or fixing anything it locates"???

#4 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 AM

Posted 02 May 2005 - 09:30 AM

it doesn't give me the option of "cleaning or fixing anything it locates"???

Sorry, it has been a while since I used it on my computer (just ran it and I am trojan free) and they may have made a change in how they fix stuff if anything is found. I use this scan often as a back up once I have manually removed bad stuff, and most reports are of a trojan free computer. Here is what I found in the directions I read:

FREE ONLINE TROJAN SCAN
http://www.windowsecurity.com/trojanscan/
1) Scan my computer for Trojans
2) Make sure Scan all running processes and Use heuristics are checked
3) C:\ will scan by default, you can add at the bottom of that window, or take away
4) Note: TrojanScan can only run if you are using Internet Explorer 5.0 or later as your browser. If you are using IE 5 or later but still cannot run this test, your IE settings are not allowing the TrojanScan service to run. Check how to change your settings and go back to perform the scan again.
The TrojanScan is able to scan your system and give details of any Trojans found. To remove the Trojans from your system, please go to the a-squared Personal home page.
a-squared Free
(without background guard and IDS)
a-squared Free is the free alternative to a-squared Personal. As with the personal version it cleans your computer from existing Malware but a-squared Free does not contain the background guard with the IDS which prevents any further infection of your computer.

If you want to try another good scan, try this one:
http://www.ewido.net/en/download/

or http://scan.sygatetech.com/pretrojanscan.html (have not run this one myself yet) or here is a good free trial period download:
http://www.misec.net/trojanhunter/

Hope this helps...pskelley

Edited by pskelley, 02 May 2005 - 09:34 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 Howitzer

Howitzer
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 03 May 2005 - 04:50 PM

after I performed the required tasks (I hope I did everything ok)...

here is my new log file:


Logfile of HijackThis v1.99.1
Scan saved at 3:53:20 PM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Logan\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Edited by Howitzer, 03 May 2005 - 04:54 PM.


#6 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 AM

Posted 03 May 2005 - 05:00 PM

1) HJT needs it's own permanent folder to store HJT.exe, logs and backups for safety. You are running a .zip file from at Temporary Directory and the backups may not be available if needed. Please view the information in the following link to fix this: http://www.bleepingcomputer.com/tutorials/how-to-post-a-hijackthis-log/

C:\DOCUME~1\Logan\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

Congratulations :thumbsup: the good news is your log is clean, the bad news is you did not follow direction number one and more than likely the backups if you needed them have been deleted by CCleaner? I would stongly suggest you move HJT before you use it again.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.net-integration.net/index.php?showtopic=3051
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Safe surfing
Thanks...pskelley
N-I Malware Assistant
Donations are appreciated
http://www.net-integration.net/index.php?page=support
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 Howitzer

Howitzer
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:26 AM

Posted 03 May 2005 - 05:11 PM

thanks so much for the help!!

#8 pskelley

pskelley

  • Members
  • 1,487 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:26 AM

Posted 04 May 2005 - 06:05 PM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users