Solved

HijackThis log

Posted on 2004-08-15
8,229 Views
Last Modified: 2013-12-04
Hi, was hoping someone could review my HijackThis log and let me know if I'm clean and what to remove if not... haven't been having any problems, just wanting to be safe.


Logfile of HijackThis v1.98.2
Scan saved at 9:30:37 AM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [extrafilm] C:\PROGRA~1\error drv bold\holdthe.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1091848321703
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C94E577-C545-485D-8CA9-DF3851D37A9C}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C94E577-C545-485D-8CA9-DF3851D37A9C}: NameServer = 192.168.2.1

Question by:woodendude

Author Comment

by:woodendude
Wanted to add: I don't use ZoneAlarm (zonelabs) or RealArcade; I noticed these in my log.

Accepted Solution

by:
LRI41 earned 70 total points
Ran your HijackThis log through the analysis web site:

HijackThis log file analysis

HijackThis is a program used by experienced users in order to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (notepad as default). Until now, inexperienced users, who could not analyze the log file by themselves, had no other choice than posting it in a specialized forum and to hope that a more experienced user takes some time to analyze it. The script presented on this page is a way to analyze your log without help from the outside: simply copy/paste the content of the log file in the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.


http://www.hijackthis.de/index.php?langselect=english

 and it reported:

(entry | rating | explanation | advice)

C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe | Unknown | running process (IPClient.exe). | This is an unknown process.
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe | Unknown | running process (IPMon32.exe). | This is an unknown process.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 | Possibly nasty | This page could possibly be nasty. | If you do not know the entry '127.0.0.1', delete it.
R3 - Default URLSearchHook is missing | Nasty | Should be fixed if you do not know the application or if no application is mentioned. | This entry should be fixed.

O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file) | Unknown | Entries found in this registry zone are potentially nasty. This application ([B8E5F684-BC02-BCB2-5A21-D33621A9F081] - Result: ) has been checked. Hit rate: 0,00 % | Unknown application. Unnecessary (deactivated) entry that can be fixed.

O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Co | Unknown | The entered application IPInSightLAN 01 was identified: None. Hit rate: 5,26 % (result) | Unknown application.
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatic | Unknown | The entered application IPInSightMonitor 01 was identified: None. Hit rate: 8,70 % (result) | Unknown application.
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll | Unknown | The entered application nortonupdate was identified: None. Hit rate: 18,75 % (result) | Unknown application
O4 - HKLM\..\Run: [extrafilm] C:\PROGRA~1\error drv bold\holdthe.exe | Unknown | The entered application extrafilm was identified: None. Hit rate: 7,69 % (result) | Unknown application
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\Usr | Unknown | The entered application SSC_UserPrompt was identified: None. Hit rate: 5,56 % (result) | Unknown application.
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe | Nasty | The entered application Windows Firewalll was identified: Windows Service Host. Hit rate: 72,86 % (result) | Must be fixed!
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE | Nasty | The entered application 'Microsoft Find Fast.lnk (FINDFAST.EXE)' was identified: 'Microsoft Find Fast (Findfast.exe )'. Hit rate: 52,93 % (result) | Must be fixed!
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE | Nasty | The entered application 'Office Startup.lnk (OSA.EXE)' was identified: 'Office Startup (Exploer.exe )'. Hit rate: 48,75 % (result) | Must be fixed!

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/su | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ | Possibly nasty | Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! | Check if you know this site and fix it if you do not.

O17 - HKLM\System\CCS\Services\Tcpip\..\{7C94E577-C545-485D-8CA9-DF3851D37A9C}: Domain = sympatico.c | Possibly nasty | If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. | Do you know the IP or Domain 'sympatico.ca'? If not, fix this entry.




Expert Comment

by:rossfingal
Hi!
I think it's a great idea to have a place where one can take a HijackThis log and have it analyzed.
However, looking at the results of the automatic scan posted by LRI41 above, I just happened to notice a glaring omission.
I guess it did not pick up this:
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
Let's see - "Firewall" spelled with 3 "L's" (or "I's") and scvhost.exe?!?!?
I'm not sure, but I think a valid process would be svchost.exe - and, there may be multiple instances of it running.
Here's what they say about scvhost.exe (just for starters):
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGOBOT.NR
http://www.sophos.com/virusinfo/analyses/w32rbotek.html
http://vil.nai.com/vil/content/Print100725.htm
And another thing - this file:
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
This is not a valid "Norton" or "Symantec" file.
Just some things to consider!
Good luck!
RF

Expert Comment

by:LRI41
Comment from rossfingal
Date: 08/15/2004 01:09PM PDT
I guess it did not pick up this:
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
Let's see - "Firewall" spelled with 3 "L's" (or "I's") and scvhost.exe?!?!?


Accepted Answer from LRI41
Date: 08/15/2004 11:34AM PDT
Grade: A

Ran your HijackThis log through the analysis web site:

and it reported:

O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe | Nasty | The entered application Windows Firewalll was identified: Windows Service Host. Hit rate: 72,86 % (result) | Must be fixed!

O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll | Unknown | The entered application nortonupdate was identified: None. Hit rate: 18,75 % (result) | Unknown application



Expert Comment

by:rossfingal
Hi!  woodendude!

This entry shows the presence of a virus or trojan:
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
Valid entries are C:\WINDOWS\system32\svchost.exe. Note the difference in spelling; also notice that
"Firewall" is spelled with three "L's" (or "I's")!
Here's some information on what it might be:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGOBOT.NR
http://www.sophos.com/virusinfo/analyses/w32rbotek.html
http://vil.nai.com/vil/content/Print100725.htm

Do an online scan (or 2 or 3!) from the following:
(since you're running Symantec, you should probably do scans from other vendors)

symantec
http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
--------
Bitdefender
http://www.bitdefender.com/scan/licence.php
--------
TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
--------
AuditMyPC
http://www.auditmypc.com/
--------
Sygate
http://scan.sygate.com/
--------
McAfee
http://us.mcafee.com/root/mfs/default.asp?affid=294
--------
Kaspersky
http://www.kaspersky.com/remoteviruschk.html
--------
RAV
http://www.ravantivirus.com/scan/
--------
Freedom
http://www.freedom.net/viruscenter/onlineviruscheck.html
--------
GRC
https://grc.com/x/ne.dll?bh0bkyd2
--------
Lockdown
http://stealthtests.lockdowncorp.com
--------
Pandasoft:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
--------
CA online virus scan....
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
--------
a2 Anti-Trojan:
http://onlinecheck.emsisoft.com/en

You may have to do the following in "Safe" mode.
 
Make sure "System Restore" is turned off.
Make sure "Show all Files and Folders", including hidden and system, is turned on.

Right click on the Taskbar and click on Task Manager -
in the list of running processes look for scvhost.exe (NOT svchost.exe!) -
kill any instances you find (if present).
Search your entire computer for any instances of the following:
scvhost.exe
nortonuptdate.dll  {This is not a valid Norton DLL}
Delete all that you find.

You should move HijackThis into its own folder - something like: C:\Program Files\HJT\HijackThis.exe
With all browser windows closed (only HijackThis running) -
have HJT fix the following (put a check-mark in front of):
O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

A search on the following produced nothing:
O4 - HKLM\..\Run: [extrafilm] C:\PROGRA~1\error drv bold\holdthe.exe <- a search on "holdthe.exe"
Do you know what it is?
Does it come from "extrafilm.com"?

You might want to consider uninstalling Messenger Plus. See this post: http://www.spywareinfo.com/newsletter/arch...june-2003/3.php
This link is to the old forums and you may have to make repeated tries to get there (DDOS attacks!) - be patient!

If you do uninstall it, fix the following O4 item with HijackThis, with all other windows closed...
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
Then find and delete the following folder....
C:\Program Files\Messenger Plus! 3\


Clean out all your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer and -
Post a new HijackThis log here.

Good luck!
RF
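The checks rossfingal applies by eye in his two comments above (a process or Run value one typo away from svchost.exe, a misspelled "Windows Firewalll" label, a DLL named in a Run key, and the orphaned "(no file)" O2/O3 entries that go on the HijackThis fix list) can be run mechanically over a saved log. The script below is an added example written for this page; it is not part of the thread and not the hijackthis.de analysis or HijackThis' own logic. It compares names by a one-edit distance (insert, delete, substitute or swap adjacent characters) rather than by substring, so scvhost.exe is caught while iexplore.exe is not mistaken for explorer.exe, and it checks that a genuine system binary name sits in its expected directory. The list of imitated system binaries, their expected directories and the trusted labels are assumptions kept deliberately short; the sample log is abridged from the one posted above.

```python
"""Triage a HijackThis log for what the thread above spots by eye: a process or
autostart one typo away from a Windows system binary (scvhost.exe), a label one
typo away from a trusted one ("Windows Firewalll"), a DLL where a program is
expected (nortonuptdate.dll) and orphaned O2/O3 entries. Added example only."""
import re
from collections import namedtuple

# Assumption: a short illustrative list of imitated system binaries and the
# directory holding the genuine copy on Windows XP, not a complete inventory.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
                   "csrss.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
TRUSTED_LABELS = ("windows firewall", "windows update", "security center")  # assumption
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|pif|bat))\b', re.I)

# severity is "fix" (tick it in HijackThis / delete the file) or "review" (check by hand)
Finding = namedtuple("Finding", "severity entry reason")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters cost 1 each. scvhost/svchost = 1, Firewalll/Firewall = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(name, trusted):
    """The trusted name that `name` imitates (exactly one edit away), else None.
    An exact match is not a lookalike; it is judged by its directory instead."""
    name = name.lower()
    return next((g for g in trusted if name != g and edit_distance(name, g) == 1), None)

def check_program(entry, path):
    """Judge one program reference: a running-process path or an autostart command."""
    directory, _, base = path.strip('"').lower().rpartition("\\")
    if (good := lookalike(base, SYSTEM_BINARIES)) is not None:
        return Finding("fix", entry, f"{base} imitates {good}")
    if base in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[base]:
        return Finding("fix", entry, f"genuine {base} lives in {SYSTEM_BINARIES[base]}")
    if base.endswith(".dll"):
        return Finding("fix", entry, "a DLL named where a program is expected")
    if not directory:
        return Finding("review", entry, f"bare name {base}: which file runs depends on the search path")
    return None

def triage(log):
    findings, in_processes = [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # the blank line ends the process list
        elif in_processes:
            if (f := check_program(line, line)) is not None:
                findings.append(f)
        elif (m := ENTRY_RE.match(line)) is not None:
            kind, body = m.group("kind"), m.group("body")
            if kind in ("O2", "O3") and body.endswith("(no file)"):
                findings.append(Finding("fix", line, "orphaned entry, its file is gone"))
            elif kind == "O4":
                run = RUN_RE.match(body)
                if run and (good := lookalike(run.group("label"), TRUSTED_LABELS)):
                    findings.append(Finding("fix", line, f"label imitates '{good}'"))
                cmd = run.group("cmd") if run else body.partition(" = ")[2]  # Startup: x.lnk = path
                exe = EXE_RE.match(cmd)
                if exe and (f := check_program(line, exe.group("path"))) is not None:
                    findings.append(f)
    return findings

def fix_list(log):
    """The entries to tick in HijackThis, deduplicated, in log order."""
    return list(dict.fromkeys(f.entry for f in triage(log) if f.severity == "fix"))

# Abridged from the log posted above: part of the process list and a few entries.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {B8E5F684-BC02-BCB2-5A21-D33621A9F081} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [nortonupdate] nortonuptdate.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Windows Firewalll] scvhost.exe
"""

if __name__ == "__main__":
    print(*fix_list(SAMPLE_LOG), sep="\n")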