TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Guest Gaute on November 14, 2004, 10:35:19 AM
-
Hello!
Could someone please take a look at my hijackthis log and see if my computer
is infested with some malicious malware?
The problem; my pc has started to work really slow these last few days and avast
has told me that it's been infested by some trojans.
I would really appreciate some help with these.
Here's the log:
Logfile of HijackThis v1.98.2
Scan saved at 16:33:45, on 14.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [THGuard] C:\Programfiler\TrojanHunter 4.0\THGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab)
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
Thank you.
Best regards
Gaute
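As an added example that is not part of this thread: a small Python triage helper for the HijackThis log format posted above. It pulls out the entry types a log reviewer checks first (O4 autostarts launched by a bare file name, O16 remote ActiveX loads, O17 DNS servers, and the R1 proxy auto-config URL); the sample lines are a constructed subset copied from the log above, and the entry regexes are this example's own assumptions about the v1.98 format.

```python
import re

# Constructed sample: a subset of the HijackThis v1.98 entries posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
"""

# Every HJT finding is "<type> - <body>"; the header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
NS_RE = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")

def parse_entries(text):
    """Return (kind, body) pairs for each finding line in a HijackThis log."""
    return [(m.group("kind"), m.group("body"))
            for m in map(ENTRY_RE.match, (l.strip() for l in text.splitlines())) if m]

def command_image(cmd):
    """Extract the executable from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def triage(text):
    """Summarise what a reviewer checks first. A bare file name under Run is
    resolved via the search path at logon, so confirm which file actually runs."""
    report = {"unqualified_autostarts": [], "dpf": [], "nameservers": set(),
              "autoconfig_url": None}
    for kind, body in parse_entries(text):
        if kind == "O4" and (m := RUN_RE.match(body)):
            image = command_image(m.group("cmd"))
            if not re.match(r"^[A-Za-z]:\\", image):  # no drive-qualified path
                report["unqualified_autostarts"].append((m.group("name"), image))
        elif kind == "O16" and (m := DPF_RE.match(body)):
            report["dpf"].append((m.group("name"), m.group("url")))
        elif kind == "O17" and (m := NS_RE.search(body)):
            report["nameservers"].update(ip.strip() for ip in m.group("ips").split(","))
        elif kind == "R1" and "AutoConfigURL" in body:
            report["autoconfig_url"] = body.split("=", 1)[1].strip()
    return report
```

`triage(SAMPLE_LOG)` returns one dict; for the sample above it lists Ati2mdxx.exe and zentray.exe as autostarts whose on-disk location still has to be confirmed against the process list, a single DNS server, one remote ActiveX control and the proxy auto-config URL.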
-
Hi again Gaute, I would like to know where Avast is finding these trojans
Better yet, I know you've tried an online Virus scan at Housecall's but could you also try one at RAV's free online virus scan
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subscribing click here" link
It will load the activex and dat files
Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here
Could you also post a fresh hijackthis log too, thanks
-
Hi Guestsolo!
Thanks for the last time you helped me! You must be some kind of net-superhero
fighting off all the virus programmers. "During the day he was a skilled computer
engineer, but as the clock struck 24:00 he turned into NetWork (the threat of the threaters)." Oh well. I'll stop.
Here's the RAV online scanning result:
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\BRUKER\Lokale innstillinger\Temporary Internet Files\Content.IE5\YH56F2HG\66.49.196[1]->(SCRIPT0000) - JS/Drost.A* -> Infected
Scanned
============================
Objects: 32067
Directories: 2097
Archives: 761
Size(Kb): -46844
Infected files: 1
Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 114
I can't find the memory of the Avast. The files are not in the chest or anywhere else. I was notified about the infections as AdAware was scanning the pc. I didn't
write anything down... AdAware SE does not have any records of the infections either.
Here's the new log from HJT:
Logfile of HijackThis v1.98.2
Scan saved at 10:04:27, on 17.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [THGuard] C:\Programfiler\TrojanHunter 4.0\THGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab)
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
Thanks Guestsolo!
Regards
Gaute
-
Hi again Gaute, welcome back, I think
That Infected file is in your Temporary Internet files
One of 2 things you can do
Reboot into safe mode and Set windows to show hidden files and folders and delete the contents of this folder
C:\Documents and Settings\BRUKER\Lokale innstillinger\Temporary Internet Files\Content.IE5
Or, what I prefer to do, is download this free utility
Windows CleanUp! http://home.comcast.net/~sgould4567/software/cleanup/
A small download
After Installation, you may want to Restart in safe mode
Open CleanUp!
Simply press the Cleanup button
Let it scan and clean your computer
Restart back in Normal Mode
It's a good idea to clean up your temp folders every couple of weeks anyways
If you check out the options button in CleanUp
You will notice that Prefetch is checked----Leave it checked to ensure you do a Standard Cleanup
You may want to Uncheck when running future cleanups, only check it once every couple of months
Let me know how you make out
-
Thanks a lot for those tips Guestsolo!
Sorry for my late response, I've been occupied night and day with a project.
Looks like the machine is sweet at the moment. The Cleaner took care of the
things.
Thank you for your effort and kindness Guestsolo! You are one of a kind.
Best regards
Gaute