« previous next »
Pages: [1]

Author Topic: Could someone take a look at this hjt log?  (Read 1324 times)

Guest Gaute

  • Guest
Could someone take a look at this hjt log?
« on: November 14, 2004, 10:35:19 AM »
Hello!

Could someone please take a look at my hijackthis log and see if my computer
is infested with some malicious malware?
The problem; my pc has started to work really slow these last few days and avast
has told me that it's been infested by some trojans.
I would really appriciate some help with these.

Here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 16:33:45, on 14.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [THGuard] C:\Programfiler\TrojanHunter 4.0\THGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198

Thank you.

Best regard's

Gaute
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Could someone take a look at this hjt log?
« Reply #1 on: November 14, 2004, 11:48:26 AM »
Hi again Gaute, I would like to know where Avast is finding these trojans

Better yet, I know you've tried an online Virus scan at Housecall's but could you also try one at RAV's free online virus scan

http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and dat files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan

Then click the Scan my PC button

Let it completely finish scanning

Copy and Paste the results back here

Could you also post a fresh hijackthis log too, thanks
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
Could someone take a look at this hjt log?
« Reply #2 on: November 17, 2004, 03:58:56 AM »
Hi Guestsolo!
Thanks for the last time you helped me! You must be some kind of net-superhero
fighting of all the virus programmers. "During the day he was a skilled computer
engineer, but as the clock struck 24:00 he turned into NetWork (the threat of the threaters.)." Oh well. I'll stop.

Here's the RAV online scanning result:

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\BRUKER\Lokale innstillinger\Temporary Internet Files\Content.IE5\YH56F2HG\66.49.196[1]->(SCRIPT0000) - JS/Drost.A* -> Infected

Scanned
============================
   Objects: 32067
   Directories: 2097
   Archives: 761
   Size(Kb): -46844
   Infected files: 1

Found
============================
   Viruses found: 1
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 114


I can't find the memory of the Avast. The files are not in the chest or anywere else. I was notified about the infections as AdAware was scanning the pc. I didn't
write anything down... AdAware SE does not have any records of the infections either.

Here's the new log from HJT:

Logfile of HijackThis v1.98.2
Scan saved at 10:04:27, on 17.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Programfiler\D-Tools\daemon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\MOONS\MPROTECT\PMMODE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Telenor\ecc\ecc.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZPMMode] C:\MOONS\MPROTECT\PMMODE.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [THGuard] C:\Programfiler\TrojanHunter 4.0\THGuard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ecc] C:\Programfiler\Telenor\ecc\ecc.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programfiler\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CFF8CA-A6B0-425C-B019-871DEA59B464}: NameServer = 130.67.15.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198
O17 - HKLM\System\CS2\Services\Tcpip\..\{27FF44F9-988C-475B-B1FD-23287C17E7C0}: NameServer = 130.67.15.198

Thanks Guestsolo!

Regard's
Gaute
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Could someone take a look at this hjt log?
« Reply #3 on: November 17, 2004, 07:43:41 PM »
Hi again Gaute, welcome back, I think  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\';)\' />

That Infected file is in your Temporary Internet files

One of 2 things you can do
Reboot into safe mode and Set windows to show hidden files and folders and delete the contents of this folder

C:\Documents and Settings\BRUKER\Lokale innstillinger\Temporary Internet Files\Content.IE5

Or, what I prefer to do, is download this free utility
Windows CleanUp!
A small download
After Installation, you may want to Restart in safe mode

Open CleanUp!
Simply press the Cleanup button
Let it scan and clean your computer
Restart back in Normal Mode

It's a good idea to clean up your temp folders every couple of weeks anyways

If you check out the options button in CleanUp
You will notice that Prefetch is checked----Leave it checked to ensure you do a Standard Cleanup
You may want to Uncheck when running future cleanups, only check it once every couple of months

Let me know how you make out
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest Gaute

  • Guest
Could someone take a look at this hjt log?
« Reply #4 on: November 26, 2004, 04:30:07 AM »
Thanks a lot for those tips Guestsolo!
Sorry for my late response, I've been occupied night and day with a project.

Looks like the machine is sweet at the moment. The Cleaner took hand of the
things.

Thank you for your effort and kindness Guestsolo! You are one of a kind.

Best regard's

Gaute
Logged
Pages: [1]
« previous next »