
Please check HijackThis log


10 replies to this topic

#1 jameskelsey

Posted 12 June 2005 - 09:25 AM

I was cleaning up my computer and saw some things that I didn't know. Could someone tell me if they're safe?
Logfile of HijackThis v1.99.1
Scan saved at 10:13:53 AM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for 1.99.1.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: ItsDeductiblePopUp.lnk = C:\Program Files\ItsDeductible\ItsDeductible.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1092945796046
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
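Helpers on this board read a HijackThis log by section prefix (R0/R1 for browser settings, O4 for Run entries, O16 for downloaded ActiveX controls, O23 for services). The parser below is an added example, not code from the thread or from HijackThis: it splits a log into those sections and lists the patterns a reviewer would want to look at first, such as an O4 entry that names a bare file with no path (Windows resolves it through the search path, so the reviewer cannot tell from the log which file runs), an O16 control fetched from an http/https host, a service binary that does not end in .exe, and a process running from a Temp directory. The sample log is constructed from a few lines of the log above; flagging an entry means "verify", not "malicious".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Line shapes seen in HijackThis v1.99.1 logs. Each regex captures only what triage needs.
RUN_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
DPF_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<src>.*)$')
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.*)$')


@dataclass
class HjtLog:
    processes: List[str] = field(default_factory=list)
    run_entries: List[Dict[str, str]] = field(default_factory=list)
    dpf_entries: List[Dict[str, str]] = field(default_factory=list)
    services: List[Dict[str, str]] = field(default_factory=list)


def parse_log(text: str) -> HjtLog:
    """Split a HijackThis log into the sections used by triage()."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line == "":
                in_processes = False      # a blank line ends the process list
            else:
                log.processes.append(line)
            continue
        for regex, bucket in ((RUN_RE, log.run_entries), (DPF_RE, log.dpf_entries), (SVC_RE, log.services)):
            m = regex.match(line)
            if m:
                bucket.append(m.groupdict())
                break
    return log


def executable_of(cmd: str) -> str:
    """The program part of a Run command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log: HjtLog) -> List[str]:
    """Return review notes; each one is a prompt to verify, not a verdict."""
    findings = []
    for e in log.run_entries:
        exe = executable_of(e["cmd"])
        if "\\" not in exe and "/" not in exe:
            findings.append(f'O4 [{e["name"]}]: bare filename "{exe}" is resolved via the search path; confirm which file runs')
    for d in log.dpf_entries:
        if d["src"].lower().startswith(("http://", "https://")):
            findings.append(f'O16 {d["desc"]}: ActiveX control downloaded from {d["src"]}; confirm the host is expected')
    for s in log.services:
        if not s["path"].lower().endswith(".exe"):
            findings.append(f'O23 {s["name"]}: service binary "{s["path"]}" does not end in .exe; verify the file')
    for p in log.processes:
        if "\\temp\\" in p.lower():
            findings.append(f"process {p}: running from a temporary directory")
    return findings


# Constructed sample: a handful of lines in the shape of the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:13:53 AM, on 6/12/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\SK9910DM.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for 1.99.1.zip\HijackThis.exe

O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for note in triage(parse_log(SAMPLE_LOG)):
        print(note)
```

On the sample this reports the two bare-filename Run entries, the one https-sourced control, the .SYS service path and the HijackThis copy running from Temp; every one of those is legitimate in the thread's log, which is exactly why the output is phrased as questions for the reviewer.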


#2 jameskelsey
  • Topic Starter

Posted 12 June 2005 - 02:17 PM

I ran Spybot Search & Destroy, Ad-Aware SE, and A-Squared; they came up clean. When I ran Panda ActiveScan it found 3 infections. Here is the report.


Incident                    Status           Location
Adware:Adware/StatBlaster   No disinfected   Windows Registry
Virus:JS/Illwill.A          Disinfected      C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default.bhq\Mail\pop.charter.net\Inbox[newprice.zip][price.html]
Virus:W32/Bagle.AM.worm     Disinfected      C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\default.bhq\Mail\pop.charter.net\Inbox[newprice.zip][price.exe]



I've never made registry changes before. Can you walk me through it if I need to remove Adware/StatBlaster myself?

#3 g2i2r4
    Malware remover

Posted 12 June 2005 - 04:34 PM

Welcome jameskelsey to Bleeping Computer.

Let's first do this:

Download Stinger to your desktop.

Run the file and let it scan the entire disk.

***

Download and install Registrar Lite.

Let's go search the Registry for StatBlaster
Please be very careful what you do. A corrupt Registry is a broken-down machine.

Doubleclick the file you just downloaded.
An Installshield will appear. Follow the instructions.

Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.

Press the magnifying glass
In the box 'text to search for' type
StatBlaster
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'

Open notepad
Click the right mousebutton and choose 'paste'.

Go back to Registrar Lite and close the bookmarks window.

Go to the next row
Repeat the steps from (*) until all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.

I don't have to see a new log using HijackThis.


Life is what happens while you're making other plans
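The Registrar Lite steps above amount to a read-only search: find every key name, value name or value data containing "StatBlaster", record the full key path, and change nothing. The script below is an added example, not the helper's or Registrar Lite's code, doing the same thing in Python. `search_snapshot` works on a plain-data copy of a registry subtree so it can be tested offline; `snapshot_from_winreg` builds that copy from the live registry with the standard `winreg` module, opening every key with `KEY_READ` only, and `search_live` ties the two together (it assumes it is run on Windows). `SAMPLE_TREE` is a constructed subtree; the `StatBlaster` key and the `Updater` value in it are invented for the demonstration.

```python
from typing import Dict, Iterator, List

# A registry subtree as plain data: {"values": {name: data}, "subkeys": {name: subtree}}
Snapshot = Dict[str, object]


def search_snapshot(path: str, tree: Snapshot, term: str) -> Iterator[str]:
    """Yield the full path of every key, value name or value data containing term (case-insensitive).

    Nothing is modified; the output is what you would paste into Notepad per the steps above."""
    needle = term.lower()
    for vname, vdata in tree.get("values", {}).items():
        if needle in vname.lower() or needle in str(vdata).lower():
            yield f"{path} [{vname}] = {vdata!r}"
    for kname, sub in tree.get("subkeys", {}).items():
        child = f"{path}\\{kname}"
        if needle in kname.lower():
            yield child
        yield from search_snapshot(child, sub, needle)


def snapshot_from_winreg(hive, subkey: str) -> Snapshot:
    """Copy a live registry subtree into the plain-data shape above. Read-only; Windows only."""
    import winreg
    tree: Snapshot = {"values": {}, "subkeys": {}}
    try:
        key = winreg.OpenKey(hive, subkey, 0, winreg.KEY_READ)
    except OSError:
        return tree                     # access denied or missing key: skip, never escalate
    with key:
        i = 0
        while True:                     # enumerate values until EnumValue raises OSError
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            tree["values"][name] = data
            i += 1
        i = 0
        while True:                     # then enumerate subkeys and recurse
            try:
                name = winreg.EnumKey(key, i)
            except OSError:
                break
            child = f"{subkey}\\{name}" if subkey else name
            tree["subkeys"][name] = snapshot_from_winreg(hive, child)
            i += 1
    return tree


def search_live(term: str) -> List[str]:
    """Search HKLM and HKCU on the running machine (Windows only)."""
    import winreg
    hits: List[str] = []
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        hits.extend(search_snapshot(label, snapshot_from_winreg(hive, ""), term))
    return hits


# Constructed sample subtree; the StatBlaster key and Updater value are invented for the demo.
SAMPLE_TREE: Snapshot = {
    "values": {},
    "subkeys": {
        "Software": {
            "values": {},
            "subkeys": {
                "StatBlaster": {"values": {"Version": "1.0"}, "subkeys": {}},
                "Microsoft": {"values": {}, "subkeys": {
                    "Windows": {"values": {}, "subkeys": {
                        "CurrentVersion": {"values": {}, "subkeys": {
                            "Run": {"values": {
                                "AVG7_CC": r"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
                                "Updater": r"C:\Program Files\Example\statblaster.exe",
                            }, "subkeys": {}},
                        }},
                    }},
                }},
            },
        },
    },
}


def demo_hits() -> List[str]:
    """Search the constructed sample the way search_live searches the real hives."""
    return list(search_snapshot("HKCU", SAMPLE_TREE, "StatBlaster"))


if __name__ == "__main__":
    for hit in demo_hits():
        print(hit)
```

Because the search is a substring match over names and data, a value whose data merely mentions a file path (like the constructed `Updater` entry) is reported alongside keys that carry the name, which matches what the Registrar Lite search returns and is why the thread asks for the list rather than for deletions.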

#4 jameskelsey
  • Topic Starter

Posted 12 June 2005 - 08:24 PM

Thanks for your help. Stinger did not find anything. I ran some more scans: Symantec online scan said I was clean, Trend Micro online scan said I was clean, but Panda still says I have StatBlaster in my registry. I opened regedit and looked for it and its aliases but did not see them. This is my wife's computer and she runs an accounting business on it, so I must be very careful. So I need to do a full backup onto my external hard drive before I do anything with the registry. I'll get back to you tomorrow night. My registry is probably a mess; we had a serious infection last spring and had to take it in to be cleaned up. I don't know if they cleaned the registry; it was Best Buy.

#5 g2i2r4
    Malware remover

Posted 13 June 2005 - 01:01 PM

If you follow the steps for Registrar Lite, you are not changing anything.
Basically all you do is search and copy what you find. Please don't use Regedit; use Registrar Lite and follow the steps in the advice I gave you.



#6 jameskelsey
  • Topic Starter

Posted 13 June 2005 - 06:26 PM

I ran Registrar Lite looking for StatBlaster but it found nothing. Could it have another name (alias)? Panda says it's still there.

#7 g2i2r4
    Malware remover

Posted 13 June 2005 - 06:36 PM

Not really.
Look here.
That's all there is to it. Guess it's a false positive then. Ignore it.

All scans say you are clean, so you must be clean then.

How is your computer running?



#8 jameskelsey
  • Topic Starter

Posted 13 June 2005 - 06:37 PM

I looked up StatBlaster in the Panda encyclopedia and looked for the alias it had listed with Registrar Lite and found nothing.

#9 jameskelsey
  • Topic Starter

Posted 13 June 2005 - 07:39 PM

I've been getting some system errors; that's why I started looking for problems. One is at bootup, and the Microsoft crash analysis says it is Intel graphics driver related. Some other ones are HP driver related errors. This started a couple of days ago; before that everything was running great. The only thing that's been added was a Sony camera and photo software about a month ago. Should I do a System File Check? If so, could you tell me how? I don't know how on XP.

#10 jameskelsey
  • Topic Starter

Posted 13 June 2005 - 08:25 PM

I went to Intel and installed the newest driver. I'll check back tomorrow night.

#11 g2i2r4
    Malware remover

Posted 14 June 2005 - 02:19 PM

I'll just hold my tongue and await your message.



