
I Think I'm Infected


  • This topic is locked
3 replies to this topic

#1 bigjohn

bigjohn

  • Members
  • 43 posts
  • Gender:Male
  • Location:Sydney Australia
  • Local time:05:24 AM

Posted 21 April 2006 - 09:19 AM

G'day
My son installed Kazaa lite on the PC and got infected. I have got rid of a lot of crap, but I think there is still some more.
Here is my Hjt log file. The entries O 10 are a worry. I've never seen them before, also, O 17 I'm not so sure.
I will be grateful for your help.
John

Logfile of HijackThis v1.99.1
Scan saved at 12:02:34 AM, on 4/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINXP\System32\oodag.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINXP\wanmpsvc.exe
C:\Program Files\AOL 7.0a\waol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINXP\System32\Shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\winxp\system32\avgfwafu.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{942FF9F3-8E4A-426F-A120-5725374222ED}: NameServer = 205.188.146.145
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINXP\System32\oodag.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Registry Defragmentation\RegManServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINXP\wanmpsvc.exe

Edited by bigjohn, 21 April 2006 - 09:34 AM.




#2 bigjohn


Posted 21 April 2006 - 09:28 AM

Sometimes when shutting off it reboots. Any ideas??

Edited by bigjohn, 21 April 2006 - 09:31 AM.


#3 bigjohn


Posted 27 April 2006 - 03:12 AM

You can close this thread. Thank you.
BJ

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:03:24 PM

Posted 30 April 2006 - 10:40 AM

This thread is closed.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
