
Is this log OK ?



#1 Multix


Posted 21 August 2005 - 09:01 AM

This is the log:

Logfile of HijackThis v1.99.1
Scan saved at 16:44:13, on 21.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\KWorld\MpegTV Station PCITV\RemoteCtl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjk\HijackThis.exe

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MpegTV Station PCITV Remote Control.lnk = C:\Program Files\KWorld\MpegTV Station PCITV\RemoteCtl.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



I think I'm infected after I scanned the HDD on-line (Kaspersky).

This is the log from Kaspersky:


KASPERSKY ON-LINE SCANNER REPORT
Sunday, August 21, 2005 16:29:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/08/2005
Kaspersky Anti-Virus database records: 144874

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 48171
Number of viruses found 4
Number of infected objects 40
Number of suspicious objects 0
Duration of the scan process 3084 sec

Infected Object Name Virus Name
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Opera\uninst\unwise.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
C:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP72\A0008682.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\OTHERS\monopoly\UNWISE.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\RECYCLER\S-1-5-21-2000478354-688789844-854245398-1003\Dd6.exe/Data/psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
D:\RECYCLER\S-1-5-21-2000478354-688789844-854245398-1003\Dd6.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
D:\Soft\Chat\mIRC + crack\mIRC 6.16.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
D:\Soft\Chat\mIRC + crack\mIRC 6.16.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
D:\Soft\Opera\Opera for Windows (Non-Java) 8.10 Preview 2.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\Soft\Opera\Opera for Windows (Non-Java) 8.10 Preview 2.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP15\A0002987.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP15\A0002987.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP20\A0004640.exe/data0027 Infected: not-a-virus:AdWare.ComedyPlanet.b
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP20\A0004640.exe Infected: not-a-virus:AdWare.ComedyPlanet.b
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP20\A0004644.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP31\A0005825.exe/data0032 Infected: not-a-virus:AdWare.ComedyPlanet.b
D:\System Volume Information\_restore{507BA8F1-2F52-42B4-875D-DD093E1A5DA1}\RP31\A0005825.exe Infected: not-a-virus:AdWare.ComedyPlanet.b
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP72\A0008570.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP72\A0008570.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP72\A0008690.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP72\A0008690.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP77\A0011305.exe/data.rar/Data/psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP77\A0011305.exe/data.rar Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP77\A0011305.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
D:\System Volume Information\_restore{6B8392C0-4B56-4098-AAE3-FE4C072B9229}\RP19\A0003150.exe/data0023 Infected: not-a-virus:AdWare.ComedyPlanet.b
D:\System Volume Information\_restore{6B8392C0-4B56-4098-AAE3-FE4C072B9229}\RP19\A0003150.exe Infected: not-a-virus:AdWare.ComedyPlanet.b
D:\System Volume Information\_restore{6B8392C0-4B56-4098-AAE3-FE4C072B9229}\RP31\A0009186.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{6B8392C0-4B56-4098-AAE3-FE4C072B9229}\RP31\A0009186.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{6B8392C0-4B56-4098-AAE3-FE4C072B9229}\RP31\A0009187.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{6B8392C0-4B56-4098-AAE3-FE4C072B9229}\RP31\A0009187.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{74588681-D46A-406D-856D-BDE9B11E1EC5}\RP69\A0016629.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{74588681-D46A-406D-856D-BDE9B11E1EC5}\RP69\A0016629.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{74588681-D46A-406D-856D-BDE9B11E1EC5}\RP81\A0019028.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{74588681-D46A-406D-856D-BDE9B11E1EC5}\RP81\A0019028.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{9BBDAB0F-2005-4568-A2DC-7322597FBC2D}\RP29\A0007002.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{9BBDAB0F-2005-4568-A2DC-7322597FBC2D}\RP29\A0007002.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{9BBDAB0F-2005-4568-A2DC-7322597FBC2D}\RP35\A0007967.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{9BBDAB0F-2005-4568-A2DC-7322597FBC2D}\RP35\A0007967.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{B0124ACF-E5DF-4362-B4AF-605AE741AEF3}\RP47\A0017055.exe/UNWISE32.EXE Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\System Volume Information\_restore{B0124ACF-E5DF-4362-B4AF-605AE741AEF3}\RP47\A0017055.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
Scan process completed.


#2 OldTimer


Posted 23 August 2005 - 04:27 PM

Hello Multix and welcome to the BC HijackThis forum. I only see a missing-file item in the log, so let's fix that.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

The items in the Kaspersky report will have to be deleted manually if Kaspersky cannot delete them. You will not be able to delete any of the items in the restore points except by resetting them by doing the following:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Since the copy of mIRC appears to be a cracked version you will have to decide what to do with that. Cracked applications can do anything they want and it is probably where all the rest of the issues are coming from. Only totally removing it will solve the problem.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
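As an added example (not code from this thread, from HijackThis or from Kaspersky), a small Python triage of the two report formats posted above, using constructed sample lines modelled on the logs: it picks out the HijackThis entries whose target file is missing, which are the ones OldTimer ticks and fixes, and sorts the Kaspersky findings into those deletable in place and those sitting inside restore points, which only a System Restore reset clears.

```python
import re

# Constructed sample lines, modelled on the HijackThis and Kaspersky
# reports in the thread (a few entries each, not the full logs).
HJT_LINES = r"""
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
""".strip().splitlines()
KAV_LINES = r"""
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
D:\System Volume Information\_restore{5636F4A3-B757-441F-A1F0-145A81FC018F}\RP72\A0008570.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.a
D:\RECYCLER\S-1-5-21-2000478354-688789844-854245398-1003\Dd6.exe/Data/psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.232
""".strip().splitlines()

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = ("(no file)", "(file missing)")

def missing_file_items(lines):
    """(section, entry) for HijackThis lines whose target no longer exists:
    the orphaned entries a helper ticks and fixes without further review."""
    found = []
    for line in lines:
        m = HJT_RE.match(line.strip())
        if m and m.group(2).endswith(MISSING):
            found.append((m.group(1), m.group(2)))
    return found

KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")

def classify_kav(lines):
    """Action per Kaspersky finding: a copy inside a System Restore point only
    goes by resetting System Restore; anything else can be deleted in place.
    'not-a-virus:' marks riskware (IRC client, dialer, admin tool), not malware."""
    results = []
    for line in lines:
        m = KAV_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        on_disk = path.split("/")[0]  # archive member -> file that contains it
        in_restore = r"\system volume information\_restore" in on_disk.lower()
        results.append({"file": on_disk, "detection": name,
                        "riskware": name.startswith("not-a-virus:"),
                        "action": "reset System Restore" if in_restore else "delete file"})
    return results
```

Entries that are neither missing-file items nor restore-point copies still need a human to compare them against the known-good software on the machine, as the reply does for mIRC.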




