Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Examine Hijack Log


  • This topic is locked This topic is locked
4 replies to this topic

#1 rustyrev

rustyrev

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 18 February 2010 - 05:08 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:31 PM, on 2/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iHome\Mouse Driver\KMWDSrv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
D:\iTunesHelper.exe
C:\Program Files\iHome\Mouse Driver\StartAutorun.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iHome\Mouse Driver\KMConfig.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\iHome\Mouse Driver\KMProcess.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Documents and Settings\Floydhouse\Desktop\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mg3.mail.yahoo.com/dc/launch?.gx...d=7perlbj22iq88
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [American Airlines DealFinder] "C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\iHome\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\SYSTEM32\ADOBE\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; IEMB3; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" -"http://www.adobe.com/shockwave/download/triggerpages/default.html"
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://66.112.21.2:4000/VatDec.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\iHome\Mouse Driver\KMWDSrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8665 bytes


BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:34 AM

Posted 18 February 2010 - 06:30 PM

Good evening. smile.gif

Are you having any specific problems, or is this just a look-see?

So long, and thanks for all the fish.

 

 


#3 rustyrev

rustyrev
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:34 AM

Posted 18 February 2010 - 06:55 PM

Yep crashes in Firefox recently and AVG found these viruses and cleaned them but I am still crashing
"D:\Program Files\UPDATE\antivir_workstation_winh_en.exe:\disk_1\avewin32.dll";"Virus identified Hare.7786.BOOT";"Moved to Virus Vault"
"D:\Program Files\UPDATE\antivir_workstation_winh_en.exe";"Virus identified Hare.7786.BOOT";"Moved to Virus Vault"
"C:\WINDOWS\$NtServicePackUninstall$\dplaysvr.exe";"Virus found W95/SK";"Moved to Virus Vault"
and these warnings
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dv_aspnetmmc.chm:\html\ef45fd62-12d5-473f-8a52-003f94321ff5.htm";"The file could not be scanned probably due to an invalid file structure (address 54fa83d7).";"Object is white-listed (critical/system file that should not be removed)"
"D:\Program Files\Ad-Aware SE Personal\unregaaw.exe";"The file could not be scanned probably due to an invalid file structure (address b0b0b0b).";"Object is white-listed (critical/system file that should not be removed)"
"C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit\Quicken\Sku\Deluxe\delux001.cab:\Inet\Common\Pnf\Withhold\summary.htm";"The file could not be scanned probably due to an invalid file structure (address ee0e612c).";"Object is white-listed (critical/system file that should not be removed)"
Thanks

Russell

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:34 AM

Posted 19 February 2010 - 03:49 PM

Good evening. smile.gif

The detections that you list seem to fall into two categories, and neither appears at first glance to be a worry.

"D:\Program Files\UPDATE\antivir_workstation_winh_en.exe:\disk_1\avewin32.dll";"Virus identified Hare.7786.BOOT";"Moved to Virus Vault"
"D:\Program Files\UPDATE\antivir_workstation_winh_en.exe";"Virus identified Hare.7786.BOOT";"Moved to Virus Vault"
"C:\WINDOWS\$NtServicePackUninstall$\dplaysvr.exe";"Virus found W95/SK";"Moved to Virus Vault"


The first two appear to be AntiVir files, although i'm not familiar with them, and the third is a Microsoft offering that I have on my system as well, so all three seem to be false-positive detections.

You should presumably know whether D:\Program Files\UPDATE\antivir_workstation_winh_en.exe is a legitimate file that you downloaded from a known and trusted source or not, so i'll leave it to you to decide whether this is actually a cause for concern.

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dv_aspnetmmc.chm:\html\ef45fd62-12d5-473f-8a52-003f94321ff5.htm";"The file could not be scanned probably due to an invalid file structure (address 54fa83d7).";"Object is white-listed (critical/system file that should not be removed)"
"D:\Program Files\Ad-Aware SE Personal\unregaaw.exe";"The file could not be scanned probably due to an invalid file structure (address b0b0b0b).";"Object is white-listed (critical/system file that should not be removed)"
"C:\Documents and Settings\All Users.WINDOWS\Application Data\Intuit\Quicken\Sku\Deluxe\delux001.cab:\Inet\Common\Pnf\Withhold\summary.htm";"The file could not be scanned probably due to an invalid file structure (address ee0e612c).";"Object is white-listed (critical/system file that should not be removed)"


"An invalid file structure" seems to indicate that these files are corrupt, but as all three are "Object is white-listed (critical/system file that should not be removed)", I don't see that they pose any real threat.

The first and third are html files, so the fact that they may be corrupt shouldn't pose any problems to your system as a whole, and the second is an uninstaller for Ad-Aware SE Personal, which may make removing it a problem, but nothing that a repair install won't cure should it be necessary. That version is seriously out-of-date, so if you do still have it onboard I hope that you aren't relying on it too much as I doubt that it updates any more, or has done for some time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The fact that FireFox is crashing isn't necessarily indicative of a malware problem as I have been having similar problems with it for a while and i'm hoping that the upgrade to the latest version, 3.6, will solve it when I get around to it.

We'll have a little poke around and see if anything shows up, but with the little that you have told me I tend to think that you've just got a browser that needs some TLC.

Download a copy of DDS by sUBs from one of the following locations: Link1; Link2; Link3
  • Double click the tool to run it.
  • You can read the screen that appears, or not - the tool runs anyway.
  • When the tool has finished, two Notepad windows will appear.
  • You need to save both as they will disappear when closed.
  • File > Save As... from the Toolbar will allow you to do this.
  • Copy and Paste both logs into your next reply.
  • Please check after posting that both logs are complete.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go here and click the Download EXE button at the top and save the file to your Desktop - the file is randomly named to try to sidestep the actions of certain malicious files.
Double click the file to begin:
  • If you get a pop-up regarding rootkit activity and are asked if you want to scan, click No.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for
    • Sections
    • IAT/EAT
    • Show All
    • All drives except your main one, which is usually C:\.
  • Click the Scan button on the right and OK any pop-up that you may see regarding rootkit activity.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Save... button and again save the log with any name to a handy location.
Post the contents of the log(s) into your next reply. The Preview option on the forum may show the whole log(s) being posted, but they sometimes get cut down when the actual post is made, so please check the post once it is completed.

So long, and thanks for all the fish.

 

 


#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:34 AM

Posted 25 February 2010 - 03:25 PM

Closed due to lack of response.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users