Solved

Hijack This Analysis

Posted on 2004-10-08
Last Modified: 2010-04-11
I just received the EE newsletter (thank you! very informative!) and would like some help with the HijackThis analysis pasted below. Thank you.

Logfile of HijackThis v1.98.2
    Safe. Shows the version of HijackThis. The newest version is v1.98.2, so this should be the newest version.
    A newer version of the service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest service pack.
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Safe. Shows the version of your Internet Explorer. The newest version is 6.00.2800.1106, so this should be the newest version.

Running processes:
C:\WINDOWS\System32\smss.exe
    Safe. System process - application used to start, manage and delete sessions.
C:\WINDOWS\system32\winlogon.exe
    Safe. System process - Windows login routine.
C:\WINDOWS\system32\services.exe
    Safe. System process - manages the system services.
C:\WINDOWS\system32\lsass.exe
    Safe. System process.
C:\WINDOWS\system32\svchost.exe
    Safe. System process - generic host process name for services.
C:\WINDOWS\System32\svchost.exe
    Safe. System process - generic host process name for services.
C:\Program Files\Sygate\SPF\smc.exe
    Safe.
C:\WINDOWS\Explorer.EXE
    Safe. System process for desktop and taskbar.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    Safe.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Safe. Event logging application.
C:\WINDOWS\system32\spoolsv.exe
    Safe. System process.
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    Safe.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    Safe. Machine Debug Manager. Used by developers.
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    Safe. Norton AntiVirus application that provides auto-protection of the system.
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    Safe. Norton AntiVirus process.
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    Safe.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    Safe.
C:\WINDOWS\System32\PROMon.exe
    Unknown. This is an unknown process.
C:\WINDOWS\System32\NMSSvc.exe
    Unknown. This is an unknown process.
C:\WINDOWS\System32\hkcmd.exe
    Safe.
C:\WINDOWS\GWMDMMSG.exe
    Unknown. This is an unknown process.
C:\Program Files\Real\RealPlayer\RealPlay.exe
    Safe.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    Safe.
C:\Program Files\Netscape\Netscape\Netscp.exe
    Safe.
C:\Program Files\Messenger\msmsgs.exe
    Safe. MSN Messenger.
C:\WINDOWS\System32\ctfmon.exe
    Safe.
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    Safe. E-mail client for Windows.
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    Safe.
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    Safe.
C:\WINDOWS\System32\zstatus.exe
    Unknown. This is an unknown process.
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis_198.zip\HijackThis.exe
    Safe. The tool with which you generated this log file. Remember that HijackThis must be run from its own folder; only when run from its own folder will it create backups!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.access-4-free.com/portal.asp
    Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
    Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    Possibly nasty. This page could possibly be nasty. If you do not know the entry 'http://www.gatewaybiz.com', delete it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.access-4-free.com/portal.asp
    Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
    Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Free
    Probably safe. If you want the standard title bar text back, you should fix this entry.
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\wzt6hiva.slt\prefs.js)
    Safe in most cases. Unknown pages and Lop.com entries should be fixed! If you know the page, this entry does not need to be fixed.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    Safe. Entries found in this registry zone are potentially nasty. This application (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 99 %.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    Safe. Entries found in this registry zone are potentially nasty. This application (53707962-6F74-2D53-2644-206D7942484F) has been checked. Hit rate: 99 %.
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    Safe. Entries found in this registry zone are potentially nasty. This application (9ECB9560-04F9-4bbc-943D-298DDF1699E1) has been checked. Hit rate: 99 %.
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    Safe. Entries found in this registry zone are potentially nasty. This application (BDF3E430-B101-42AD-A544-FADC6B084872) has been checked. Hit rate: 99 %.
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    Safe. Entries found in this registry zone are potentially nasty. This application (8E718888-423F-11D2-876E-00A0C9082467) has been checked. If the name is made up of random letters, the file is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %.
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    Safe. Entries found in this registry zone are potentially nasty. This application (0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7) has been checked. If the name is made up of random letters, the file is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %.
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    Safe. Entries found in this registry zone are potentially nasty. This application (42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6) has been checked. If the name is made up of random letters, the file is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %.
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    Safe. The entered application PROMon.exe was identified: Promon.exe. Hit rate: 61 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    Safe. The entered application IgfxTray was identified: igfxtray. Hit rate: 82 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    Safe. The entered application HotKeysCmds was identified: HotKeysCmds. Hit rate: 99 %.
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    Safe. The entered application GWMDMMSG was identified: GWMDMMSG. Hit rate: 95 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
    Safe. The entered application GWMDMpi was identified: GWMDMpi. Hit rate: 94 %.
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    Safe. The entered application RealTray was identified: RealTray. Hit rate: 74 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Safe. The entered application ccApp was identified: ccApp. Hit rate: 94 %.
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    Safe. The entered application URLLSTCK.exe was identified: UrlLstCk. Hit rate: 60 %.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    Safe. The entered application NeroFilterCheck was identified: NeroFilterCheck. Hit rate: 99 %.
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    Safe. The entered application SmcService was identified: SmcService. Hit rate: 91 %.
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    Safe. The entered application SSC_UserPrompt was identified: SSC_UserPrompt. Hit rate: 99 %.
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    Safe. The entered application Mozilla Quick Launch was identified: Mozilla Quick Launch. Hit rate: 78 %. Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    Safe. The entered application MSMSGS was identified: MSMSGS. Hit rate: 94 %.
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    Safe. The entered application Symantec NetDriver Monitor was identified: Symantec NetDriver Monitor. Hit rate: 79 %.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    Safe. The entered application ctfmon.exe was identified: ctfmon. Hit rate: 81 %.
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Safe. The entry 'E&xport to Microsoft Excel' has been identified as safe. If it is not needed anymore, it should be fixed.
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    Possibly nasty. Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry 'Research' is unknown.
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    Safe. The entry 'Real.com' has been identified as safe. If it is not needed anymore, it should be fixed.
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    Safe. Most of the entries present in this registry area are safe. Only OnFlow adds unwanted plugins here; OnFlow plugins have the extension *.ofb.
O17 - HKLM\System\CCS\Services\Tcpip\..\{F205A15B-9269-484C-8DF5-AF9CF4BE69D2}: NameServer = 66.155.128.12 66.155.128.20
    Possibly nasty. If this domain does not belong to your ISP or your company's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '66.155.128.12 66.155.128.20'? If not, fix this entry.

0 Nasty
Question by:Lucynka
8 Comments
 
Expert Comment by SheharyaarSaahil (LVL 65):
Hello Lucynka =)

You are not required to post the whole analysis here..... just scroll down to the bottom of the analysed page and you will see the SAVE ANALYSE button; hit it and it will save your log in a new page. Copy the address of that page and paste it here.... we will look at it :)

And BTW, don't forget to explain about your problem !! =)
 
Expert Comment by LRI41 (LVL 10):
HijackThis log file analysis

HijackThis is a program used by experienced users to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, with the results listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (Notepad by default). Until now, inexperienced users who could not analyze the log file by themselves had no other choice than to post it in a specialized forum and hope that a more experienced user would take some time to analyze it. The script presented on this page is a way to analyze your log without help from outside: simply copy/paste the content of the log file into the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.

http://www.hijackthis.de/index.php?langselect=english
 
Author Comment by Lucynka (LVL 1):

Here is the saved analysis:
http://www.hijackthis.de/logfiles/4f91135e46bf60319cc6cf9d0db845b9.html

I don't have a specific problem - I just want to detect any spyware etc. on my system, and it's still running a bit slow. I haven't added memory yet. The bugs I was struggling with before the clean install are gone though!

Thanks!  :)
 
Accepted Solution by SheharyaarSaahil (LVL 65, earned 500 total points):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =www.access-4-free.com/portal.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =www.access-4-free.com/portal.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =www.access-4-free.com/portal.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =www.access-4-free.com/portal.asp
========================

Fix the above entries; the rest is all OK :)
so they cannot be the reason for the slowness, go and get some more RAM !! ;-)
Cheers ^_^
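What "fix the above entries" amounts to, and how the R0/R1, O4 and O17 lines of a log like the one in the question can be triaged without the web analyser, as an added example that is not part of this thread and not code from HijackThis or hijackthis.de. It parses a constructed sample (eight lines copied from the log posted above), flags start/search pages and name servers that are not on an allow-list and Run entries that launch a bare file name, and emits the reg.exe commands that put each flagged Internet Explorer value back to about:blank. The KNOWN_HOSTS and KNOWN_DNS allow-lists are assumptions made for the example: www.gatewaybiz.com is treated as the OEM default page that the accepted answer left alone, and no resolver is treated as known, so both O17 addresses are flagged for the owner to confirm with the ISP.

```python
"""Triage of a HijackThis 1.98 log (added example; not part of the thread or of HijackThis).

Three entry classes from the thread are checked:
  R0/R1  IE start/search page values whose host is not on an allow-list
  O4     Run-key entries that launch a bare file name (resolved through the
         process creation search order, so the file that actually runs must be verified)
  O17    TCP/IP NameServer values not on the expected resolver list
For the R0/R1 hits, reg.exe commands are produced that reset the value.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: eight lines copied from the log posted in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.access-4-free.com/portal.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F205A15B-9269-484C-8DF5-AF9CF4BE69D2}: NameServer = 66.155.128.12 66.155.128.20
"""

# Assumed allow-lists for the example (hypothetical, not stated on the page):
# the OEM default page the accepted answer left alone, and no known resolvers.
KNOWN_HOSTS = {"www.gatewaybiz.com"}
KNOWN_DNS = set()

R_LINE = re.compile(r"^R[01] - (HK(?:LM|CU)\\[^,]+),([^=]+?)\s*=\s*(.*)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (.*)$")
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}


def host_of(url):
    """Host of an IE page value; HijackThis prints some of them without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def executable_of(command):
    """First token of a Run-key command line, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def triage(log_text, known_hosts=KNOWN_HOSTS, known_dns=KNOWN_DNS):
    """Return (kind, raw_line, reason) for every line that needs a human decision."""
    findings = []
    for line in log_text.strip().splitlines():
        m = R_LINE.match(line)
        if m:
            _key, name, data = m.groups()
            # Only page/URL values carry a host; Window Title and the like are skipped.
            if not name.strip().lower().endswith(("page", "url")):
                continue
            host = host_of(data)
            if host not in known_hosts:
                findings.append(("R", line, f"{name.strip()} points at unexpected host {host}"))
            continue
        m = O4_LINE.match(line)
        if m:
            _hive, label, command = m.groups()
            exe = executable_of(command)
            if "\\" not in exe and "/" not in exe:
                findings.append(("O4", line, f"[{label}] starts bare name {exe}; resolved by path search, verify which file runs"))
            continue
        m = O17_LINE.match(line)
        if m:
            unknown = [ip for ip in m.group(1).split() if ip not in known_dns]
            if unknown:
                findings.append(("O17", line, "resolver not on the expected list: " + " ".join(unknown)))
    return findings


def reg_reset_commands(findings, safe_value="about:blank"):
    """reg.exe lines that put each flagged R0/R1 value back to a neutral page
    (the manual equivalent of ticking the entry in HijackThis and pressing Fix checked)."""
    commands = []
    for kind, line, _reason in findings:
        if kind != "R":
            continue
        key, name, _data = R_LINE.match(line).groups()
        hive, _sep, path = key.partition("\\")
        commands.append(
            f'reg add "{HIVES[hive]}\\{path}" /v "{name.strip()}" /t REG_SZ /d "{safe_value}" /f'
        )
    return commands


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, line, reason in found:
        print(f"{kind:<3} {reason}\n    {line}")
    print("\nto reset the flagged IE values:")
    for cmd in reg_reset_commands(found):
        print("   ", cmd)
```

On the sample this flags the three access-4-free page values, the bare PROMon.exe Run entry and both name servers, and prints one reg add line per flagged page value. The bare-name check is a prompt, not a verdict: the process list in the log shows C:\WINDOWS\System32\PROMon.exe running, which is the file to inspect. For O17 the usual fix is to replace the addresses with the ones your ISP or DHCP server hands out rather than to delete the value outright.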
 
Author Comment by Lucynka (LVL 1):
Thanks! Do you know whether adding RAM invalidates the Gateway warranty? I'll have to open the box.
 
Expert Comment by SheharyaarSaahil (LVL 65):
Hmmm, not sure. Do you have a warranty sticker on it which will tear if you open the box??
If yes, then I'm afraid the warranty will be invalidated in this case. Why don't you contact the provider of this system and tell them the situation; they must understand that nowadays more RAM can be needed !! :)
 
Author Comment by Lucynka (LVL 1):
Thanks!  :)
 
Expert Comment by SheharyaarSaahil (LVL 65):
my pleasure ^_^