Solved

HijackThis log

Posted on 2004-08-15
Last Modified: 2013-12-04
Hi, was hoping someone could review my HijackThis log and let me know if I'm clean, and what to remove if not.... haven't been having any problems, just wanting to be safe.


Logfile of HijackThis v1.98.2
Scan saved at 9:30:37 AM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [extrafilm] C:\PROGRA~1\error drv bold\holdthe.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1091848321703
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C94E577-C545-485D-8CA9-DF3851D37A9C}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C94E577-C545-485D-8CA9-DF3851D37A9C}: NameServer = 192.168.2.1

Question by: woodendude

Author Comment

by: woodendude
ID: 11804168
Wanted to add: I don't use ZoneAlarm (ZoneLabs) or RealArcade; I noticed these in my log.
Accepted Solution

by: LRI41 (earned 70 total points)
ID: 11804938
Ran your HijackThis log through the analysis web site:

HijackThis log file analysis

HijackThis is a program used by experienced users in order to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (notepad as default). Until now, inexperienced users, who could not analyze the log file by themselves, had no other choice than posting it in a specialized forum and to hope that a more experienced user takes some time to analyze it. The script presented on this page is a way to analyze your log without help from the outside: simply copy/paste the content of the log file in the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.

http://www.hijackthis.de/index.php?langselect=english

and it reported:

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
    Unknown - running process (IPClient.exe). This is an unknown process.
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
    Unknown - running process (IPMon32.exe). This is an unknown process.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    Possibly nasty - This page could possibly be nasty. If you do not know the entry '127.0.0.1', delete it.
R3 - Default URLSearchHook is missing
    Nasty - Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.

O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
    Unknown - Entries found in this registry zone are potentially nasty. This application ([B8E5F684-BC02-BCB2-5A21-D33621A9F081] - Result: ) has been checked. Hit rate: 0,00 %. Unknown application. Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Co
    Unknown - The entered application IPInSightLAN 01 was identified: None. Hit rate: 5,26 % (result). Unknown application.
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatic
    Unknown - The entered application IPInSightMonitor 01 was identified: None. Hit rate: 8,70 % (result). Unknown application.
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
    Unknown - The entered application nortonupdate was identified: None. Hit rate: 18,75 % (result). Unknown application.
O4 - HKLM\..\Run: [extrafilm] C:\PROGRA~1\error drv bold\holdthe.exe
    Unknown - The entered application extrafilm was identified: None. Hit rate: 7,69 % (result). Unknown application.
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\Usr
    Unknown - The entered application SSC_UserPrompt was identified: None. Hit rate: 5,56 % (result). Unknown application.
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
    Nasty - The entered application Windows Firewalll was identified: Windows Service Host. Hit rate: 72,86 % (result). Must be fixed!
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    Nasty - The entered application 'Microsoft Find Fast.lnk (FINDFAST.EXE)' was identified: 'Microsoft Find Fast (Findfast.exe )'. Hit rate: 52,93 % (result). Must be fixed!
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    Nasty - The entered application 'Office Startup.lnk (OSA.EXE)' was identified: 'Office Startup (Exploer.exe )'. Hit rate: 48,75 % (result). Must be fixed!

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/su
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/
    Possibly nasty (all four) - Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.

O17 - HKLM\System\CCS\Services\Tcpip\..\{7C94E577-C545-485D-8CA9-DF3851D37A9C}: Domain = sympatico.c
    Possibly nasty - If this Domain does not belong to your ISP, or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain 'sympatico.ca'? If not, fix this entry.



Expert Comment

by: rossfingal
ID: 11805344
Hi!
I think it's a great idea to have any place where one can take a HijackThis log and
have it analyzed.
However, looking at the results of the automatic scan posted by LRI41 above - I
just happened to notice a glaring omission -
I guess it did not pick up this:
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
Let's see - "Firewall" spelled with 3 "L's" (or "I's") and scvhost.exe?!?!?
I'm not sure, but I think a valid process would be svchost.exe - and, there may be multiple instances of it running.
Here's what they say about scvhost.exe (just for starters):
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGOBOT.NR
http://www.sophos.com/virusinfo/analyses/w32rbotek.html
http://vil.nai.com/vil/content/Print100725.htm
And another thing - this file:
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
This is not a valid "Norton" or "Symantec" file.
Just some things to consider!
Good luck!
RF
Expert Comment

by: LRI41
ID: 11805481
Comment from rossfingal
Date: 08/15/2004 01:09PM PDT
I guess it did not pick up this:
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
Let's see - "Firewall" spelled with 3 "L's" (or "I's") and scvhost.exe?!?!?


Accepted Answer from LRI41
Date: 08/15/2004 11:34AM PDT
Grade: A


Ran your HijackThis log through the analysis web site:
 
 and it reported:

   O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe             Nasty           The entered application Windows Firewalll was identified: Windows Service Host. Hit rate: 72,86 % (result)           Must be fixed!

   O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll             Unknown           The entered application nortonupdate was identified: None. Hit rate: 18,75 % (result)           Unknown application


Expert Comment

by: rossfingal
ID: 11805561
Hi, woodendude!

This entry shows the presence of a virus or trojan:
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
Valid entries are C:\WINDOWS\system32\svchost.exe - note the difference in spelling, also notice that
Firewall is spelled with three "L's" (or "I's")!
Here's some information on what it might be:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGOBOT.NR
http://www.sophos.com/virusinfo/analyses/w32rbotek.html
http://vil.nai.com/vil/content/Print100725.htm

Do an online scan (or 2 or 3!) from the following:
(since you're running Symantec, you should probably do scans from other vendors)

symantec
http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
--------
Bitdefender
http://www.bitdefender.com/scan/licence.php
--------
TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
--------
AuditMyPC
http://www.auditmypc.com/
--------
Sygate
http://scan.sygate.com/
--------
McAfee
http://us.mcafee.com/root/mfs/default.asp?affid=294
--------
Kaspersky
http://www.kaspersky.com/remoteviruschk.html
--------
RAV
http://www.ravantivirus.com/scan/
--------
Freedom
http://www.freedom.net/viruscenter/onlineviruscheck.html
--------
GRC
https://grc.com/x/ne.dll?bh0bkyd2
--------
Lockdown
http://stealthtests.lockdowncorp.com
--------
Pandasoft:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
--------
CA online virus scan....
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
--------
a2 Anti-Trojan:
http://onlinecheck.emsisoft.com/en

You may have to do the following in "Safe" mode.
 
Make sure "System Restore" is turned off.
Make sure "Show all Files and Folders", including hidden and system, is turned on.

Right click on the Taskbar and click on Task Manager -
in the list of running processes look for scvhost.exe (NOT svchost.exe!) -
kill any instances you find (if present).
Search your entire computer for any instances of the following:
scvhost.exe
nortonuptdate.dll  {This is not a valid Norton DLL}
Delete all that you find.

You should move HijackThis into its own folder - something like: C:\Program Files\HJT\HijackThis.exe
With all browser windows closed (only HijackThis running) -
have HJT fix the following (put a check-mark in front of):
O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

A search on the following produced nothing:
O4 - HKLM\..\Run: [extrafilm] C:\PROGRA~1\error drv bold\holdthe.exe <- a search on "holdthe.exe"
Do you know what it is?
Does it come from "extrafilm.com"?

You might want to consider uninstalling Messenger Plus. See this post: http://www.spywareinfo.com/newsletter/arch...june-2003/3.php
This link is to the old forums and you may have to make repeated tries to get there (DDoS attacks!) - be patient!

If you do uninstall it, fix the following O4 item with HijackThis with all other windows closed...
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
Then find and delete the following folder....
C:\Program Files\Messenger Plus! 3\


Clean out all your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer and -
Post a new HijackThis log here.

Good luck!
RF
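The tells rossfingal points out in this answer and in his earlier comment (scvhost.exe one letter-swap away from svchost.exe, "Firewalll" with three L's, nortonuptdate.dll posing as a Norton file) can be checked by rule instead of by eye. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis, or from the hijackthis.de analyzer. It parses the "Running processes" section and the O2/O3/O4 lines of a HijackThis log and flags: core Windows binaries running from anywhere other than their home directory, process or autostart names exactly one edit away from a legitimate name, Run values that name a DLL or a bare filename, and orphaned (no file) entries. It assumes %SystemRoot% is C:\WINDOWS as in the poster's log and uses a hand-picked list of core binaries and impersonated component names (both assumptions, not anything the thread states); the sample log is constructed from a few lines of the log above plus one invented process line, C:\WINDOWS\scvhost.exe, so that the process check has something to find.

```python
"""Triage a HijackThis log for the tells discussed in this thread."""
import re
# Assumption: %SystemRoot% is C:\WINDOWS, as in the poster's log.
SYSTEM_ROOT = r"c:\windows"
# Core Windows binaries and the directory under SYSTEM_ROOT they must run from (hand-picked).
CORE_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
IMPERSONATED_NAMES = ["Windows Firewall", "Windows Update"]  # names malware borrows for Run values
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")

# Constructed sample: lines from the log above plus one invented process line
# (C:\WINDOWS\scvhost.exe) so the process check has something to find.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\scvhost.exe

O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
"""


def osa_distance(a: str, b: str) -> int:
    """Edit distance where an adjacent swap is one edit ('scvhost' vs 'svchost' = 1)."""
    a, b = a.lower(), b.lower()
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def stem(name: str) -> str:  # compare names without a trailing .exe/.dll
    return name.lower()[:-4] if name.lower().endswith((".exe", ".dll")) else name.lower()


def lookalike_of(name: str) -> str:
    """The legitimate name that `name` is exactly one edit away from, else ''."""
    for legit in list(CORE_BINARIES) + IMPERSONATED_NAMES:
        if stem(name) != stem(legit) and osa_distance(stem(name), stem(legit)) == 1:
            return legit
    return ""


def command_target(command: str) -> str:
    """The program a Run value launches: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def triage(log_text: str) -> list[dict[str, str]]:
    """One finding per suspicious line: {'line', 'severity', 'reason'}."""
    findings: list[dict[str, str]] = []

    def flag(line: str, sev: str, why: str) -> None:
        findings.append({"line": line, "severity": sev, "reason": why})

    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            parent, _, name = line.lower().rpartition("\\")
            if name in CORE_BINARIES:
                home = (SYSTEM_ROOT + "\\" + CORE_BINARIES[name]).rstrip("\\")
                if parent != home:
                    flag(line, "high", f"{name} running from {parent}, expected {home}")
            elif lookalike_of(name):
                flag(line, "high", f"process name mimics {lookalike_of(name)}")
            continue
        m = RUN_RE.match(line)
        if m:
            value_name, command = m.group(2), m.group(3)
            target = command_target(command)
            name = target.rpartition("\\")[2].lower()
            if name.endswith(".dll"):
                flag(line, "high", "Run value names a DLL; a DLL cannot be started on its own")
            for label, cand in (("program name", name), ("value name", value_name)):
                if lookalike_of(cand):
                    flag(line, "high", f"{label} mimics {lookalike_of(cand)}")
            if "\\" not in target:
                flag(line, "low", "bare filename, found via the search path; confirm where it lives")
        elif line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            flag(line, "low", "orphaned entry, the file is gone; safe to fix")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['line']}\n       {f['reason']}")
```

Running the file prints the findings for the constructed sample; for a real log, call triage() on the saved file's contents. The one-edit threshold is deliberate: at two edits, iexplore.exe would be paired with explorer.exe. A bare-filename entry such as SOUNDMAN.EXE only earns a low-severity note because legitimate installers write those too; it still has to be confirmed by locating the file, which is the search step in the answer above.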