
HJT log


This topic is locked
3 replies to this topic

#1 Divanumber2

Divanumber2

  • Members
  • 6 posts

Posted 21 June 2005 - 09:24 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:20:41 AM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\direed\Local Settings\Temp\HijackThis.exe
C:\PROGRA~1\MOZILL~1\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dil4.vetmed.vt.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093527148291
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cntrlsrvs.w2k.vt.edu
O17 - HKLM\Software\..\Telephony: DomainName = cntrlsrvs.w2k.vt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDE88F4-11BE-40DF-8767-B18FF92AF54A}: NameServer = 198.82.162.237,198.82.145.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{64BA9C89-B19E-4D11-82F4-5564671606E8}: NameServer = 198.82.162.237,198.82.145.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cntrlsrvs.w2k.vt.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{4FDE88F4-11BE-40DF-8767-B18FF92AF54A}: NameServer = 198.82.162.237,198.82.145.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cntrlsrvs.w2k.vt.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{4FDE88F4-11BE-40DF-8767-B18FF92AF54A}: NameServer = 198.82.162.237,198.82.145.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 21 June 2005 - 07:45 PM

Hi, Divanumber2,

I do not see any malware in your log. However if you are going to use HJT, it must be moved to a permanent folder of its own where it can save backups.

You have one item that can be fixed.
(It is used in connection with memory dumps. You can disable these by right-clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane, under 'Write debugging information', click on the down arrow and then select 'None'. OK your way out.)

To fix this using HijackThis, after HJT is moved from the temp directory, launch HJT and tick this entry.
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Then close all windows and click "Fix Checked."
Reboot, and that should do it. Since you did not remove malware, I do not have to see a new log.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future. You may have already taken some of these steps:
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.

4. Keep your antivirus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs.com/store/content/home.jsp is free.
Also Sygate has an optional free version: http://smb.sygate.com/download_buy.htm

5. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

6. Install spyware detection and removal programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/software/adaware/

b. SpyBot S&D: http://safer-networking.org/en/news/2005-05-31.html
http://www.majorgeeks.com/download2471.html
http://security.kolla.de/index.php?lang=en&page=download
** If you already have Spybot 1.3 update to version 1.4.
Before installing Spybot S&D 1.4 remove 1.3 like this:
Open 1.3. Go to Immunize. Click on UNDO at the top. At the bottom, take the checkmark OUT of "BrowserHelper > Enable permanent blocking..."
This will disable all protection. Make sure ALL has been disabled.
If you are using Spybot's TeaTimer disable all protection there as well.
If Opera Browser is installed, de-select protection for Opera Immunity
Then go to Add/Remove programs via Start>Settings>Control Panel and REMOVE the old 1.3 Spybot.
Reboot
Go to your Program Files and delete the old Spybot folder.
Delete the old desktop icon.
Then you are ready to install the new version.

I would check for updates in SpyBot once a week or so.
Check for updates in Adaware frequently.
I scan with each at least weekly.

7. The "a Squared" Trojan Scanner has a free version. It is an onboard trojan scanner that is installed much like Spybot/AdAware but handles trojans.
Download free from "a Squared" http://www.emsisoft.com/en/software/free/ Install it.
Run and activate your free version with a Squared and then select "Scan your computer for malware infections".
Then select any/all drives.
Finally, "Scan selected folders".

8. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

9. I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
10. After you use Windows XP for some time, the prefetch folder can get full of rarely used or obsolete links which can slow down your computer boot time noticeably. We recommend you delete all files in this folder about once a month.
To find the prefetch folder, enter this in the explorer address bar:
%windir%\prefetch
This should take you to either C:\WINDOWS\PREFETCH or C:\WINNT\PREFETCH. Delete all the files there. http://www.hexff.com/xp_tuneup.php

11. You might want to take a look at this article, too.
http://computercops.biz/postlite7736-.html

Happy and Safe Surfing! :thumbsup:

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-
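The reply above reads the log by eye: nothing malicious, one cosmetic entry to fix, then general hardening advice (ActiveX prompts, DNS settings left alone, services from known vendors). The following script is an added example that is not part of the post or of HijackThis: it parses the HijackThis v1.99 line format and raises the same kinds of review prompts a helper looks for, namely an entry whose image is "(file missing)", a service with no recorded publisher, an unquoted Run-key path containing spaces, an O16 ActiveX control fetched from a host outside an assumed trusted list, and O17 name servers that differ from the set the machine's owner expects. The flags are prompts for a human to review, not verdicts. The sample log is constructed from a few lines shown in the post; the trusted-host list and the expected DNS set are assumptions made for the example.

```python
"""Audit HijackThis (v1.99-style) log lines for entries worth a second look.

Added example; not part of the forum post or of HijackThis itself.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: HijackThis-format lines modelled on the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDE88F4-11BE-40DF-8767-B18FF92AF54A}: NameServer = 198.82.162.237,198.82.145.6
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")
NS_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")

# Assumption for this example: only these domains are acceptable O16 download sources.
TRUSTED_DPF_HOSTS = ("microsoft.com",)


@dataclass
class Entry:
    section: str            # e.g. "O4", "O23"
    body: str               # everything after "Oxx - "
    flags: list = field(default_factory=list)


def _unquoted_with_space(cmd: str) -> bool:
    """True when an unquoted image path contains a space (ambiguous to CreateProcess)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return False
    exe = cmd.lower().find(".exe")
    return exe != -1 and " " in cmd[:exe]


def _host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def audit(entry: Entry):
    """Yield human-readable review prompts for one log entry."""
    if "(file missing)" in entry.body:
        yield "registered image is missing from disk"
    if entry.section == "O4":
        m = RUN_RE.match(entry.body)
        if m and _unquoted_with_space(m["cmd"]):
            yield "unquoted path containing spaces"
    elif entry.section == "O16":
        m = URL_RE.search(entry.body)
        if m and not _host_trusted(m.group()):
            yield f"ActiveX control fetched from third-party host {urlparse(m.group()).hostname}"
    elif entry.section == "O23":
        parts = entry.body.split(" - ")
        if len(parts) >= 3 and parts[-2].strip().lower() == "unknown owner":
            yield "service binary has no recorded publisher"


def parse_hjt(text: str) -> list:
    """Parse every 'Rn/Fn/Nn/On - ...' line into an Entry with its flags computed."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = Entry(m["sec"], m["body"])
            e.flags = list(audit(e))
            entries.append(e)
    return entries


def flagged(entries) -> list:
    return [e for e in entries if e.flags]


def nameservers(entries) -> set:
    """All DNS server addresses recorded in O17 NameServer lines."""
    ips = set()
    for e in entries:
        if e.section == "O17":
            m = NS_RE.search(e.body)
            if m:
                ips.update(ip for ip in m["ips"].split(",") if ip)
    return ips


def unexpected_nameservers(entries, expected) -> set:
    """DNS servers in the log that are not on the list the machine's owner expects."""
    return nameservers(entries) - set(expected)


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for e in flagged(ents):
        print(f"{e.section}: {e.body}\n    -> {'; '.join(e.flags)}")
    # Expected DNS set is an assumption taken from the O17 lines in the post.
    print("unexpected DNS:", unexpected_nameservers(ents, {"198.82.162.237", "198.82.145.6"}))
```

On the constructed sample this flags the unquoted Zone Labs Run entry, the TrueDoc ActiveX download, and the r_server service (missing image, no publisher), and reports no unexpected DNS servers when the expected set matches the O17 lines. The O17 check is the useful generalisation: a log from a machine whose resolver has been redirected will show addresses that are not on the owner's list, which is exactly what the reply's "leave the DNS settings alone" advice guards against.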


#3 Divanumber2

Divanumber2
  • Topic Starter

  • Members
  • 6 posts

Posted 22 June 2005 - 07:43 AM

Thanks so much!

#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts

Posted 22 June 2005 - 08:18 AM

You are very welcome. I'm glad we could help. :thumbsup:
Since this issue appears resolved, this Topic is closed.

Edited by Bugbatter, 22 June 2005 - 09:11 AM.





