Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT - andan


  • This topic is locked This topic is locked
3 replies to this topic

#1 andan

andan

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 11 July 2005 - 03:33 PM

Hello,

Up-to-date scans with SpyBot, AdAware, Bazooka Spyware Scanner, Tauscan, Trojan Hunter, F-Prot for Windows (run from Safe Mode) and BitDefender's online scan indicate a clean system. BitDefender recently found and cleaned QuickTime files of the Holax.A98304.B trojan.
Thank you for your analysis.

Logfile of HijackThis v1.99.1
Scan saved at 1:16:28 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\Contour\Config32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ActiveWords\AWMonitor.exe
C:\Program Files\Cache Sentry\CacheSentry\CacheSentry.exe
C:\Program Files\Lodger\Lodger.exe
C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
C:\WINDOWS\Contour\xpoint32.exe
C:\Program Files\ActiveWords\AWMonitor.exe
C:\Program Files\ActiveWords\AWApps\L&T\AWLearnTrain.exe
C:\Program Files\ActiveWords\AWFeedback.exe
C:\PROGRA~1\ACTIVE~1\Nahuatl.exe
C:\Program Files\FSI\F-Prot\F-StopW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Remember: information is not knowledge.
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\SnagIt\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\conflict.2\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\SnagIt\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\conflict.2\googletoolbar2.dll
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [Contour.PageIcon] C:\WINDOWS\Contour\PageIcon.exe Software\LCS\{C86ADCC0-D34F-11D3-B478-00104B2804F9}
O4 - HKLM\..\Run: [Contour.Config32] C:\WINDOWS\Contour\Config32.exe Contour Perfit Mouse (USB)
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - Startup: CacheSentry.exe.lnk = C:\Program Files\Cache Sentry\CacheSentry\CacheSentry.exe
O4 - Startup: cleartemp.exe.lnk = C:\Program Files\Clear Temp\cleartemp.exe
O4 - Startup: ePrompter.exe.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Lodger.exe.lnk = C:\Program Files\Lodger\Lodger.exe
O4 - Startup: MacroMaker.exe.lnk = C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: ActiveWords.lnk = C:\Program Files\ActiveWords\AWMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\conflict.2\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\conflict.2\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\conflict.2\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\conflict.2\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\conflict.2\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: MSKB - {61622020-4131-11d3-9D63-FEA41EE8563B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Clarify - {F7D275AE-D4A5-4964-AD1F-5BD3705A5032} - C:\Program Files\Clarify\ClarifyButton.dll
O9 - Extra button: Favorites Search - {FF925300-80E6-11D4-A15B-FFF9086C1A3C} - C:\PROGRA~1\FAVORI~1\FavSeek.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://www.ceruleanstudios.com
O15 - Trusted Zone: http://www.everythingtechnology.com
O15 - Trusted Zone: http://www.langalist.com
O15 - Trusted Zone: http://www.memecode.com
O15 - Trusted Zone: http://www.myrealbox.com
O15 - Trusted Zone: http://mail.oco.net
O15 - Trusted Zone: http://www.oco.net
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.zipzoomfly.com
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120070605140
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060...all/xscan53.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www1.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.es/activescan/as/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...529/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

BC AdBot (Login to Remove)

 


m

#2 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 13 July 2005 - 04:50 PM

I don't see much in your log. Are you still having problems?

#3 andan

andan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 14 July 2005 - 02:09 PM

Thanks for taking a look.

I think I'm clean but yesterday Ewido found an old, suspicious Trivial File Transfer Protocol file in \Sys32 , a TFTPxxxx file that, unlike the other files of that type there, was 73 bytes not zero; it thought that might indicate infection with Heuristic.Win32.Morphine.Crypted, so I had the program quarantine the file.

Every other scanner says I'm clean but since one or another app will flag things the others don't/can't see and I'm not well versed on what to look for in a HJT log (and wouldn't want to mistakenly assume I'm clean if I've actually overlooked something) I appreciate your analysis.

#4 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:05:39 PM

Posted 14 July 2005 - 04:25 PM

Welcome.

Here are some tips to keep you clean.

To prevent the hijackers from taking over your system, increase the level of security on your system. Don't allow the hijackers to take you over!! Review these articles to increase the level of security.

http://www.computercops.biz/postt7736.html
http://www.markusjansson.net/eienbid.html




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users