Need Log Checked Since Computer Was Wiped Clean


4 replies to this topic

#1 Guest_yjsk2100_* (Guest)

Posted 06 July 2007 - 02:50 PM

I am using Windows XP Professional SP2 with IE7. About 3 weeks ago my computer took a dump and the hard drive had to be wiped clean. I originally had XP Home and now I have XP Pro. Ran all my programs and they are coming up clean except for Yahoo Anti-Spy, which finds 3 dialers. I know Yahoo Anti-Spy isn't that great, but since it came up with dialers I needed to have my log checked. In case you need to know, the dialers were located in HKEY-Current Version\Software\Microsoft\Windows\Current Version\Internet Settings\Zonemap\Domain\ under:

dettaglio.biz
phishingfix.biz
adslconnection.name
softlab.name
xxxcontent.name

I went to each of them and deleted the value 04 of each in the registry. Yet they come back. Not sure if I am supposed to delete the whole folder or not. I did find a Dialer in my Ad-Aware 2007 as well as a Trojan, but after deleting them and running another scan they were not there. But that doesn't mean they are totally gone either. Not sure what to do next, so here is my log. Any help would be greatly appreciated. I do see two O9 entries where it says file missing. Not sure what they are.


Logfile of HijackThis v1.99.1
Scan saved at 3:03:27 PM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

#2 Papakid (Malware Response Team, 6,522 posts)

Posted 17 July 2007 - 07:55 AM

Hi yjsk2100,

Sorry for the long delay. Your log looks malware free, as it should after a reformat. What Yahoo Anti-Spy is seeing is most likely false positives. If you've installed SpywareBlaster, it will put bad sites in your Internet Explorer Restricted Zone in order to block them. Some scanners will raise an alarm if they find any reference to the sites, not paying attention to anything else, so thanks for posting where it was found, because it does make a difference.

The only other thing that stands out to me is that you don't have a software firewall installed. If you have a router and maybe Windows Firewall enabled, that is pretty good, but you still don't have a good way to monitor outgoing packets, which could be the first sign you get of a system compromise. Here are some good free ones:

Kerio Personal Firewall
OutPost Firewall Free
ZoneAlarm
Comodo


Understanding and Using Firewalls
US-CERT's Understanding Firewalls

To further secure your system, read over the following topic and use the advice that applies to you. A recent trend is to exploit unpatched Windows and third-party programs, so using Secunia Software Inspector to help keep everything updated is now more critical than ever, and is something that needs to be attended to after a reformat.

How did I get infected?, With steps so it does not happen again!


Simple and easy ways to keep your computer safe and secure on the Internet


The fate of all mankind, I see

Is in the hands of fools

--King Crimson
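The point Papakid makes about where the entries were found is the one worth automating: a domain under ZoneMap\Domains with value 4 is in the Restricted Sites zone (a blocklist, which is what SpywareBlaster writes), while the same domain with value 1 or 2 would be in the Local Intranet or Trusted Sites zone and would relax IE's protection for it. The script below is an added example, not code from this thread or from SpywareBlaster or Yahoo Anti-Spy. It parses a .reg export of the key the poster cites and separates the harmless blocklist entries from the ones that deserve a second look. The .reg text is constructed for the example (the first two hosts are from the post; the others are made up), and the zone numbers are IE's standard URL security zones.

```python
"""Classify Internet Explorer ZoneMap\\Domains entries from a .reg export.

Added example for this thread, not code from the thread or from any tool it
names. Zone numbers are IE's standard URL security zones. The .reg text
below is constructed to look like an export of the key the poster cites.
"""
import re

ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Matches the key line for one domain (or domain\subdomain) under ZoneMap\Domains.
KEY_RE = re.compile(r"^\[HKEY_[A-Z_]+\\.*\\ZoneMap\\Domains\\(.+)\]$")
# Matches one value: "scheme"=dword:0000000N, where "*" means every scheme.
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample. The "4" entries are blocklist-style additions (what
# SpywareBlaster writes); the "2" and "1" entries relax security for a host
# and are the kind of change a log reviewer would want to see explained.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dettaglio.biz]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\phishingfix.biz]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-bank.test]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\intranet]
"http"=dword:00000001
"""


def parse_zonemap(reg_text):
    """Return a list of (host, scheme, zone) tuples from .reg text."""
    entries = []
    host = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Subkeys nest as domain\subdomain; rebuild the real hostname.
            parts = key.group(1).split("\\")
            host = ".".join(reversed(parts))
            continue
        val = VAL_RE.match(line)
        if val and host is not None:
            entries.append((host, val.group(1), int(val.group(2), 16)))
    return entries


def classify(entries):
    """Split entries into blocklist additions and security-relaxing ones."""
    blocklist, review = set(), set()
    for host, _scheme, zone in entries:
        if zone == 4:
            blocklist.add(host)   # Restricted Sites: harmless blocklisting
        elif zone in (1, 2):
            review.add(host)      # Intranet / Trusted: lowered protection
    return {"blocklist": sorted(blocklist), "review": sorted(review)}


def report(reg_text=SAMPLE_REG):
    """Print every entry with its zone name and return the classification."""
    entries = parse_zonemap(reg_text)
    for host, scheme, zone in entries:
        print(f"{host:30} {scheme:6} -> zone {zone} ({ZONE_NAMES.get(zone, '?')})")
    return classify(entries)


if __name__ == "__main__":
    print(report())
```

On a real machine the input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` (and the same key under HKLM); entries in the "review" bucket are the ones to explain before deleting anything, while the "blocklist" bucket is what a scanner such as the poster's will keep reporting as long as SpywareBlaster keeps re-adding it.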


#3 Guest_yjsk2100_* (Guest)

Posted 19 July 2007 - 05:46 PM

Thanks for the reply. Didn't realize anyone had responded until today. Yes, I know I don't have a very good firewall, and I have been using the Microsoft firewall. I wanted to get a security suite with both antivirus and firewall combined, but if there is another way to go then I am all ears. Before the format I was using NIS2007 and still have the disk. Decided to try something else for a while, so I am using AVG Anti-Virus. Which firewall is the best to use, and which ones are compatible with AVG? And it needs to be one that is simple to use. I have been hearing good things about ZoneAlarm, but I guess I need to google for a tutorial first. Getting a firewall is next on my agenda...

Also glad to hear my log is fine. Can you tell me what those 2 entries are??? They say file missing and no name, and they look somewhat identical???

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

#4 Papakid (Malware Response Team, 6,522 posts)

Posted 19 July 2007 - 08:18 PM

Any of those firewalls I linked to should be OK and compatible with AVG. I've tried them all, and they have their strengths and weaknesses. ZoneAlarm has a reputation for being easiest to learn to use, but sometimes puts out upgrade versions before they are really ready, and uninstalling can be a problem. Comodo is the new kid on the block and user friendly, but be ready for it to ask you to OK more than the others, and there have been reports it slows down connection speed.

Just about everyone is coming out with security suites now, including AVG and ZoneAlarm. But most that I've seen aren't free. I'm not a big fan of Norton: it does the job but is a big resource hog and can bork a system, especially when you want to uninstall it, and for several other reasons. However, PCMag gives the 2007 version an excellent rating and claims it has cut down on the bloat. If money is tight for you and you still have time left on a subscription you might try it again; if it were me I would go with something else.

You don't really need a suite; you can mix and match, and most of the time you will have no problems. AVG has been making AVs for a long time but is new to firewalls, and conversely ZoneAlarm has done firewalls for a long time but is new to AVs. Whatever you decide, just be sure to run only one AV and one firewall at a time. And if you want more opinions from the BC community, this would be a good topic for the AntiVirus, Firewall and Privacy Products and Protection Methods forum.

The lines you are asking about have to do with this: http://support.microsoft.com/kb/914440

It's been incorporated into IE7, so everyone running that version has those in a log. The two lines are not quite identical. One is a button on the toolbar and the other is an option in the Tools menu of IE7. If you were to fix those lines with HijackThis, the button and option would disappear. The "file missing" flag is a small bug in HijackThis and can't be trusted.

If you have any other questions that aren't related to removing malware, feel free to ask around in the other BC forums.

Happy computing. :thumbsup:

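Papakid says the "(file missing)" flag on those two O9 lines can't be trusted, and the log itself shows why: the path HijackThis printed still contains the literal text %windir%, and no file check on that unexpanded string will ever succeed, whatever is on disk. The script below is an added example, not HijackThis code or anything from the thread. It re-reads O9 lines, expands %NAME% tokens from a supplied environment, and compares HijackThis's verdict with a real existence check, so a reviewer can tell a false positive from a genuinely orphaned registry entry before "fixing" anything. The log excerpt mixes three lines from the post with one made-up entry (nil CLSID) whose file really is absent; the environment and the fake filesystem are constructed so the example runs offline.

```python
"""Re-check a HijackThis "(file missing)" flag by expanding %windir% first.

Added example, not HijackThis code. In the log above the flagged O9 path
still contains the literal text "%windir%", so a file check on that string
fails regardless of whether xpnetdiag.exe exists; expanding the variable
before testing gives a trustworthy answer. Log lines, the environment and
the fake filesystem here are constructed.
"""
import os
import re

O9_RE = re.compile(
    r"^O9 - (?P<kind>Extra button|Extra 'Tools' menuitem): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*?)(?P<flag> \(file missing\))?$"
)

# Constructed log excerpt: three lines taken from the thread plus one made-up
# entry with a nil CLSID whose file really is absent.
SAMPLE_LOG = r"""
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Gone\gone.dll (file missing)
"""

# Constructed stand-in for the XP machine's disk; paths are compared
# case-insensitively, as NTFS does.
FAKE_FS = {
    r"c:\windows\network diagnostic\xpnetdiag.exe",
    r"c:\program files\java\jre1.6.0_01\bin\ssv.dll",
}


def fake_exists(path):
    return path.lower() in FAKE_FS


def expand(path, env):
    """Expand %NAME% tokens from the given mapping, matching names case-insensitively."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def recheck(log_text, env=None, exists=None):
    """Parse O9 lines and compare HijackThis's verdict with an actual file check."""
    env = os.environ if env is None else env
    exists = os.path.exists if exists is None else exists
    results = []
    for line in log_text.splitlines():
        m = O9_RE.match(line)
        if not m:
            continue
        full = expand(m.group("path"), env)
        hjt_missing = m.group("flag") is not None
        really_missing = not exists(full)
        if hjt_missing and not really_missing:
            verdict = "false positive"   # flagged, but present once expanded
        elif hjt_missing:
            verdict = "missing"          # flagged and really gone: orphan entry
        elif really_missing:
            verdict = "unexpected"       # not flagged, yet absent on disk
        else:
            verdict = "ok"
        results.append({"clsid": m.group("clsid").lower(), "kind": m.group("kind"),
                        "path": full, "verdict": verdict})
    return results


def demo():
    """Run the check against the constructed log, environment and filesystem."""
    return recheck(SAMPLE_LOG, env={"windir": r"C:\WINDOWS"}, exists=fake_exists)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['verdict']:15} {r['clsid']} {r['path']}")
```

On the actual machine you would call `recheck(open("hijackthis.log").read())` and let it default to the real environment and `os.path.exists`; the two xpnetdiag lines come back as "false positive" and only a "missing" verdict marks a registry entry whose target is genuinely gone.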


#5 Guest_yjsk2100_* (Guest)

Posted 21 July 2007 - 01:06 PM

Thanks. Just wanted to make sure those 2 entries didn't need to be fixed, so I left my log alone. Since my last post I have installed Comodo Firewall and it is working just fine. Just a little getting used to all those pop-ups asking me to allow or deny. Since this was a format and all on my computer is fine, I have allowed all so far. If one comes up I am unsure of I will most definitely ask, but until then I seem to be virus and malware free. Thanks so much for helping me with the log and letting me know I needed a firewall...



