Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthislog Please Help


  • This topic is locked This topic is locked
2 replies to this topic

#1 TerryWood

TerryWood

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:17 PM

Posted 17 March 2006 - 06:55 PM

WinXPSP2 Opera 9.0 Look n Stop 2.5 Firewall, AntiVir 7 Secondary A/V, Avast 4.6 Primary A/V Plus other security software as per HijackLog

I may have a problem and I enclose my HiJack this log. Please Help

WHAT BROUGHT ME TO ASK FOR ASSISTANCE

I have started recently running Antivir A/V on a scanner only basis (Guard not installed) to back up my primary A/V Avast 4.6

Recently when running AntiVir 7 on a full scan it appears to have triggered one of the avast resident scanners which says there is a worm Win32:INCEF-C[WRM] in C:\Docs&Settings\All Users\Application Data\AntiVirPersonalEditionClassic\AVScan-20060316-203356-6E3ABF97. There were several of these files. They were moved to Avasts Virus Chest.

However on reboot the same thing happens all over again. (it picks up INCEF-C)

If I stop the Avast resident scanners and just run Antivir it picks nothing up

Similarly if I run an Avast scan it doesnt pick anything up. If I run ewido 3.5 Full Scan again nothing picked up.

I then ran a HiJackThis Log and it shows several entries for the following

O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll

So I dont know whether I have got one problem or three or twenty.

I would value your commentary & advice please

Thanks

Terry




Logfile of HijackThis v1.99.1
Scan saved at 22:47:21, on 17/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Novatix\CYBERH~1\HawkSvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\PROGRA~1\Novatix\CYBERH~1\HawkTask.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\antidialer.co.uk\Dialer_Watcher.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [antidialer.co.uk] C:\Program Files\antidialer.co.uk\Dialer_Watcher.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cyberhawk Service - Novatix Corporation - C:\PROGRA~1\Novatix\CYBERH~1\HawkSvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 PM

Posted 18 March 2006 - 05:40 AM

Hello TerryWood.

Welcome, I would like to take a look at this Log,
and I will get back to you as soon as I can.

Thank you,
ourwilly.

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:17 PM

Posted 18 March 2006 - 10:23 AM

Hello TerryWood.

I'm closing this topic since you are receiving assistance elsewhere.
http://castlecops.com/postlite149456-.html

By your own admission you have posted your log in some other forums beside here and CC.

Other sites have made it clear they dont like it either.

So I would like to go with you please. IWILL MAKE NO FURTHER CONTACT WITH OTHER SITES

The reason we don't like forum cross-posting is because analyzing logs and coming up with a fix involves a good deal of time, and when you have threee or four people looking at your problem at once and then all but one are told their investment in time is no longer necessary is very frustrating. Plus members of the malware removal community have way too many logs to do now, so one log one helper is more effecient in that it helps us share the load.

Also if you do get more than one response it gets confusing for everybody. So please show some courtesy to the other sites by posting to the other threads you have pending to just inform them you are getting help elsewhere.

Thanks.

The thing about people

is they change

when they walk away.--Mipso





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users