HJT log--noonytunes



#1 noonytunes
  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 25 October 2004 - 09:01 AM

Hi! I did a Mcafee scan and it showed no viruses. I am using spysweeper on trial basis. It found and deleted one spyware yesterday. When I run Ad-aware it just shows negligible items that I delete (about 7). I'm trying to prepare for downloading the SP2 cd...I'm nervous about it. Anyway both Firefox and IE are slow. And for some reason I can't access MSN groups. Yesterday I couldn't get to this site...I don't mean I couldn't log in...I couldn't access the site by links or by typing website address into search bar. I finally got in though, after awhile.
Anyway...take a look-see at my log--please. :thumbsup:
Logfile of HijackThis v1.98.2
Scan saved at 7:51:04 AM, on 10/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.INSPIRATION\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.amybrownart.com
O15 - Trusted Zone: http://www.bankofamerica.com
O15 - Trusted Zone: http://www.beaucoup.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.davesite.com
O15 - Trusted Zone: http://www.dogpile.com
O15 - Trusted Zone: http://login.ezboard.com
O15 - Trusted Zone: http://www.ezboard.com
O15 - Trusted Zone: http://www.fairyartists.com
O15 - Trusted Zone: http://www.fairyvisions.com
O15 - Trusted Zone: http://disney.go.com
O15 - Trusted Zone: http://www.hp.com
O15 - Trusted Zone: http://www.irelandseye.com
O15 - Trusted Zone: http://www.kajama.com
O15 - Trusted Zone: http://www.katsueydesignworks.com
O15 - Trusted Zone: http://www.lavasoftusa.com
O15 - Trusted Zone: http://www.linda-goodman.com
O15 - Trusted Zone: http://*.littlepeople.net
O15 - Trusted Zone: http://paranormal.meetup.com
O15 - Trusted Zone: http://*.mindleaders.com
O15 - Trusted Zone: http://messenger.msn.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.fairylord.org.uk
O15 - Trusted Zone: http://www.pagetutor.com
O15 - Trusted Zone: http://www.pantheon.org
O15 - Trusted Zone: http://www.ronstadt-linda.com
O15 - Trusted Zone: http://www.rumbaar.net
O15 - Trusted Zone: http://www.santafenewmexican.com
O15 - Trusted Zone: http://www.scriptours.com
O15 - Trusted Zone: http://www.siglets.com
O15 - Trusted Zone: http://www.slanguage.com
O15 - Trusted Zone: http://www.spywarewarrior.com
O15 - Trusted Zone: http://www.tarot.com
O15 - Trusted Zone: http://www.unc.edu
O15 - Trusted Zone: http://www.yourdictionary.com
O15 - Trusted Zone: http://www.zonelabs.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096407275154
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
noonytunes
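The log above is plain text with one finding per line, each tagged with a HijackThis section code. The following parser is an added example written for this page (not HijackThis code and not from anyone in the thread): it groups entries by section, summarises the O15 Trusted Zone list that the reply below takes issue with (flagging wildcard hosts, which trust every subdomain), and lists the host each O16 ActiveX control was downloaded from. The sample log is a constructed cut-down stand-in, not the full log posted.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.98 line format (a cut-down stand-in,
# not the poster's full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://*.littlepeople.net
O15 - Trusted Zone: http://*.mindleaders.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

# Every HJT finding reads "<section code> - <detail>"; the header and the
# running-process list do not, so they are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Group entries by section code (R0, O4, O15, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def trusted_zone_report(sections):
    """Summarise O15 (sites placed in IE's Trusted Zone). A wildcard host such
    as http://*.example.net trusts every subdomain, so it is the first to question."""
    hosts = [e.split(":", 1)[1].strip()
             for e in sections.get("O15", []) if e.startswith("Trusted Zone")]
    wildcard = [urlparse(h).hostname for h in hosts
                if (urlparse(h).hostname or "").startswith("*.")]
    return {"total": len(hosts), "hosts": hosts, "wildcard": wildcard}

def dpf_report(sections):
    """O16 (DPF) entries are ActiveX controls downloaded from the web. Return
    (clsid, description, download host) so each source can be reviewed."""
    out = []
    for e in sections.get("O16", []):
        m = re.match(r"DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)", e)
        if m:
            out.append((m.group(1), m.group(2), urlparse(m.group(3)).hostname))
    return out

if __name__ == "__main__":
    secs = parse_hjt(SAMPLE_LOG)
    print(trusted_zone_report(secs))
    print(dpf_report(secs))
```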


#2 ddeerrff
  • Retired
  • Malware Response Team
  • 2,717 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 25 October 2004 - 10:30 AM

NoonyTunes,

Considering the lack of installed Windows Updates, you have done a good job of keeping your system clean. There are no 'baddies' in your HJT log.

I am a little concerned about the number of entries you have in 'Trusted Zone'. While I see nothing in the list that appears malicious, it's also not necessary for them to be there. I'd suggest:

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.amybrownart.com
O15 - Trusted Zone: http://www.bankofamerica.com
O15 - Trusted Zone: http://www.beaucoup.com
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted Zone: http://www.comcast.net
O15 - Trusted Zone: http://www.davesite.com
O15 - Trusted Zone: http://www.dogpile.com
O15 - Trusted Zone: http://login.ezboard.com
O15 - Trusted Zone: http://www.ezboard.com
O15 - Trusted Zone: http://www.fairyartists.com
O15 - Trusted Zone: http://www.fairyvisions.com
O15 - Trusted Zone: http://disney.go.com
O15 - Trusted Zone: http://www.hp.com
O15 - Trusted Zone: http://www.irelandseye.com
O15 - Trusted Zone: http://www.kajama.com
O15 - Trusted Zone: http://www.katsueydesignworks.com
O15 - Trusted Zone: http://www.lavasoftusa.com
O15 - Trusted Zone: http://www.linda-goodman.com
O15 - Trusted Zone: http://*.littlepeople.net
O15 - Trusted Zone: http://paranormal.meetup.com
O15 - Trusted Zone: http://*.mindleaders.com
O15 - Trusted Zone: http://messenger.msn.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.fairylord.org.uk
O15 - Trusted Zone: http://www.pagetutor.com
O15 - Trusted Zone: http://www.pantheon.org
O15 - Trusted Zone: http://www.ronstadt-linda.com
O15 - Trusted Zone: http://www.rumbaar.net
O15 - Trusted Zone: http://www.santafenewmexican.com
O15 - Trusted Zone: http://www.scriptours.com
O15 - Trusted Zone: http://www.siglets.com
O15 - Trusted Zone: http://www.slanguage.com
O15 - Trusted Zone: http://www.spywarewarrior.com
O15 - Trusted Zone: http://www.tarot.com
O15 - Trusted Zone: http://www.unc.edu
O15 - Trusted Zone: http://www.yourdictionary.com
O15 - Trusted Zone: http://www.zonelabs.com

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Then go ahead with the SP2 installation. As SP2 is a large update, you may want to order the CD from Microsoft instead of downloading the file. Order here

Here are some simple steps to help keep your computer clean and secure:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. If there are new critical updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This will ensure your computer is up to date and the operating system is safe from the latest threats.

Use Antivirus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

Equally important is that you keep your AV up to date. Set it to auto-update if that option is available, otherwise update it at least weekly. If you do not keep your antivirus current, then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

The firewall built into Windows XP is better than nothing, but third party firewalls offer more complete protection. A very good firewall, with a free for personal use version, is ZoneAlarm, available from Zone Labs. Firewalls are also part of the Symantec and McAfee Security Suites.

You can test your firewall at one of the following sites:
Symantec Security: http://security.symantec.com
Gibson Research: http://www.grc.com (follow the links to ShieldsUP!)
DSL Reports Port Scanner: http://www.dslreports.com/scan

For a more in-depth tutorial, and an expanded listing of available firewalls, see
Understanding and Using Firewalls.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
An in-depth treatise on IE privacy and security by Eric Howes can be found here

Install Spybot - Search and Destroy - Download and install the latest version of Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer as an adjunct to your virus protection. Keep this program updated and scan your system periodically with it just as you do with your antivirus software.

A tutorial on installing & using this product can be found at:
Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

Install Ad-Aware SE - Download and install the latest version of Ad-Aware SE. Keep this program updated and use it to scan for malware on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found at:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from downloading and running known malicious programs.

A tutorial on installing & using this product can be found at:
Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Finally, practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will, but sometimes it won't.

Follow this list and your potential for being infected again will be dramatically reduced.
Derfram
~~~~~~
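The six Custom Level changes recommended above are stored per zone under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone) as DWORD values named by IE's URL-action ids, with 0 = Enable, 1 = Prompt and 3 = Disable (Microsoft KB 182569). The audit below is an added example, not part of the thread: it compares a snapshot of those values with ddeerrff's recommended levels and reports anything weaker or missing; on Windows it can read the live values with winreg, and the sample snapshot is constructed.

```python
# Registry path of the Internet zone (zone 3) for the current user.
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# URL-action id -> (name as shown in IE's Custom Level dialog, recommended value)
# Ids per Microsoft KB 182569; levels follow ddeerrff's list above.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
LABEL = {0: "Enable", 1: "Prompt", 3: "Disable"}

def audit_zone(values):
    """values: {action_id: int} as read from the zone key.
    Returns (id, name, current, recommended) for every setting that is weaker
    than recommended or absent. 0 < 1 < 3 also orders Enable < Prompt < Disable,
    so a plain numeric comparison is the strength comparison."""
    findings = []
    for action, (name, want) in RECOMMENDED.items():
        have = values.get(action)
        if have is None:
            findings.append((action, name, "missing", LABEL[want]))
        elif have < want:
            findings.append((action, name, LABEL.get(have, str(have)), LABEL[want]))
    return findings

def read_zone3_from_registry():
    """Read the live Internet-zone values on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for action in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, action)
                if kind == winreg.REG_DWORD:
                    values[action] = data
            except FileNotFoundError:
                pass  # value absent: reported as "missing" by audit_zone
    return values

# Constructed snapshot: two actions still on Enable and one value absent.
SAMPLE_WEAK = {"1001": 0, "1004": 3, "1201": 3, "1800": 1, "1607": 0}

if __name__ == "__main__":
    snapshot = read_zone3_from_registry() or SAMPLE_WEAK
    for action, name, have, want in audit_zone(snapshot):
        print(f"{action} {name}: is {have}, recommended {want}")
```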

#3 CalamityKen
  • Members
  • 128 posts
  • Location:Whitby, Ont.

Posted 25 October 2004 - 10:39 AM

noonytunes, welcome.

Please print this out and follow ALL these directions carefully.

In addition to ddeerrff's suggestions:

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.

Move HijackThis.exe into this folder, as you do not want the HijackThis backup logs in the Temp folder, which should be cleaned out periodically.

When you run HijackThis from C:\HJT folder by double clicking on it and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

It is best to disable the ZoneAlarm and McAfee anti-virus applications when you do the WinXP update, but enable the WinXP firewall for protection while updating.

When finished, install the prevention protection below and help keep your friends from being infected on the Internet.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Ensure that Index.dat Suite is set up to empty the Temp folders, especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find and create the run.bat and reboot to have it remove what it finds.

{user} is the Owner.INSPIRATION User Account ID.
Removal of infections and prevention protection should be installed on ALL User Account IDs.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

Edited by CalamityKen, 25 October 2004 - 10:42 AM.


#4 noonytunes
  • Topic Starter
  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 25 October 2004 - 09:00 PM

Thanks so much for your help, Ken and derf. I successfully downloaded SP2...but when it gets to some of those things recommended toward the end...it is very overwhelming. The Index.dat Suite...says I need a bootdisk from somewhere for that run.bat...and well, some of this other stuff...I'm afraid I'm in over my head. I downloaded SpywareBlaster and ran it. I had that before. I'll try to figure some of this stuff out...but I don't know what to do with the results of the Index.dat Suite. Well...later...all... :thumbsup:
noonytunes
