Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack Log/Virus Help


  • Please log in to reply
1 reply to this topic

#1 cvaughn

cvaughn

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:25 AM

Posted 01 May 2005 - 05:26 PM

Below is a log from both hijackthis and NAV. I have a number of viruses and am not sure how to get rid of them, as NAV won't erase the ones it found.

Any help would be much appreciated!!!

-C

Logfile of HijackThis v1.99.1
Scan saved at 5:24:17 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Error Nuker\bin\ErrorNuker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentrix.com/sidecat.jsp?p=985...335391921681100
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.utexas.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchcentrix.com/sidecat.jsp?p=985...335391921681100
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\la92yis6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\la92yis6.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CUCore Agent] C:\Program Files\Common Files\First Virtual Communications\ConfAgent.exe" /Minimize
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: View Link Source - C:\windows\web\viewsource.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://wnt.cc.utexas.edu/CFIDE/classes/CFJava.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {52A5CD24-64C6-4BAF-A4EC-4D13F451763F} - https://www.cuworld.com/PIC/inner_pic/packages/CUworld.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/...uditControl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4025.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


__________________


Threat category: VirusSource: lab.bat,Description: The compressed file lab.bat within C:\WINDOWS\system32\msock32.exe is infected with the IRC Trojan virus.

,Threat category: Hack toolSource: winspool32.exe,Description: The compressed file winspool32.exe within winspool32.exe within C:\WINDOWS\system32\msock32.exe is a Hack tool threat.

,Threat category: Hack toolSource: winspool32.exe,Description: The compressed file winspool32.exe within C:\WINDOWS\system32\msock32.exe is a Hack tool threat.

,Threat category: VirusSource: vsmon.EXE,Description: The compressed file vsmon.EXE within vsmon.EXE within C:\WINDOWS\system32\msock32.exe is infected with the Backdoor.IRC.Zcrew virus.

Threat category: VirusSource: vsmon.EXE,Description: The compressed file vsmon.EXE within C:\WINDOWS\system32\msock32.exe is infected with the Backdoor.IRC.Zcrew virus.

Threat category: VirusSource: TASKMAN.EXE,Description: The compressed file TASKMAN.EXE within C:\WINDOWS\system32\msock32.exe is infected with the IRC Trojan virus.

,Threat category: VirusSource: sys.dll,Description: The compressed file sys.dll within C:\WINDOWS\system32\msock32.exe is infected with the Backdoor.IRC.Flood virus.

,Threat category: VirusSource: msdtcvtr.bat,Description: The compressed file msdtcvtr.bat within C:\WINDOWS\system32\msock32.exe is infected with the BAT.Trojan virus.

,Threat category: VirusSource: msdtcvtr32.bat,Description: The compressed file msdtcvtr32.bat within C:\WINDOWS\system32\msock32.exe is infected with the IRC Trojan virus.

,Threat category: VirusSource: lsass.exe,Description: The compressed file lsass.exe within C:\WINDOWS\system32\msock32.exe is infected with the IRC Trojan virus.

,Threat category: AdwareSource: C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\QXVS4FFO\ratemypicture[1].htm,Description: The file C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\QXVS4FFO\ratemypicture[1].htm is a Adware threat.

,Threat category: AdwareSource: AdStatServX.dll,Description: The compressed file AdStatServX.dll within C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\1RKJSNYR\bridge-c24[1].cab is a Adware threat.

,Threat category: AdwareSource: AdStatServX.dll,Description: The compressed file AdStatServX.dll within C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\GVUJHTS0\bridge-c46[1].cab is a Adware threat.

,Threat category: AdwareSource: AdStatServX.dll,Description: The compressed file AdStatServX.dll within C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\GVUJHTS0\bridge-c46[1].cab is a Adware threat.

,Threat category: AdwareSource: AdStatServX.dll,Description: The compressed file AdStatServX.dll within C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\1RKJSNYR\bridge-c24[1].cab is a Adware threat.

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:25 AM

Posted 02 May 2005 - 03:23 AM

Hello cvaughn and welcome to the BC forums. Your log shows a few entries for internet searching that we will need to deal with but none of the infected files that Norton is showing so let's start out with some scans for various threats. Please proceed with the following steps in order.

Step #1

Run On-line virus scans

Please run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #2

Run Spybot Search & Destroy

Download, install, update and run a scan with Spybot S&D:
  • Download and Install Spybot Search & Destroy, accepting the Default Settings.
  • In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
  • Close ALL windows except Spybot S&D
  • Click the button to ‘Search for Updates’ and then download and install all available Updates.
  • Next click the button ‘Check for Problems’
  • When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window.
  • Make certain there is a check mark beside all of the RED entries ONLY.
  • Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
  • REBOOT to complete the scan and clear memory.
Step #3

Run AdAware SE

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #4

Next, let's clean up the temporary folders:
  • Download CleanUp! and install.
  • Start CleanUp! and click the CleanUp! button. Let it run to completion.
Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Post your new log file back here as a relpy to this topic and I will review it.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGITIMATE AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users