Solved

Hijack This Analysis

Posted on 2004-10-08
8
3,706 Views
Last Modified: 2010-04-11
I just received the EE newsletter (thank you! Very informative!) and would like some help with the HijackThis analysis pasted below. Thank you.

Logfile of HijackThis v1.98.2
  Safe. Shows the version of HijackThis. The newest version is v1.98.2! This should be the newest version. (v1.98.2)
  A newer version of the service pack is available. Service packs increase the safety of your system. Visit Microsoft's Windows Update site to download the newest version of the service pack.
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  Safe. Shows the version of your Internet Explorer. The newest version is 6.00.2800.1106! This should be the newest version. (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
  Safe. System process - application used to start, manage and delete sessions.
C:\WINDOWS\system32\winlogon.exe
  Safe. System process - Windows login routine.
C:\WINDOWS\system32\services.exe
  Safe. System process - manages the system services.
C:\WINDOWS\system32\lsass.exe
  Safe. System process.
C:\WINDOWS\system32\svchost.exe
  Safe. System process - generic host process name for services.
C:\WINDOWS\System32\svchost.exe
  Safe. System process - generic host process name for services.
C:\Program Files\Sygate\SPF\smc.exe
  Safe.
C:\WINDOWS\Explorer.EXE
  Safe. System process for the desktop and taskbar.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
  Safe.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
  Safe. Event logging application.
C:\WINDOWS\system32\spoolsv.exe
  Safe. System process.
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
  Safe.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
  Safe. Machine Debug Manager. Used by developers.
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
  Safe. Norton AntiVirus application that provides auto-protection of the system.
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
  Safe. Norton AntiVirus process.
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  Safe.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  Safe.
C:\WINDOWS\System32\PROMon.exe
  Unknown. This is an unknown process.
C:\WINDOWS\System32\NMSSvc.exe
  Unknown. This is an unknown process.
C:\WINDOWS\System32\hkcmd.exe
  Safe.
C:\WINDOWS\GWMDMMSG.exe
  Unknown. This is an unknown process.
C:\Program Files\Real\RealPlayer\RealPlay.exe
  Safe.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  Safe.
C:\Program Files\Netscape\Netscape\Netscp.exe
  Safe.
C:\Program Files\Messenger\msmsgs.exe
  Safe. MSN Messenger.
C:\WINDOWS\System32\ctfmon.exe
  Safe.
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
  Safe. E-mail client for Windows.
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
  Safe.
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
  Safe.
C:\WINDOWS\System32\zstatus.exe
  Unknown. This is an unknown process.
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis_198.zip\HijackThis.exe
  Safe. The tool with which you created this log file. Remember that HijackThis must be run from its own folder. Only if HijackThis runs from its own folder will it create backups!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.access-4-free.com/portal.asp
  Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
  Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
  Possibly nasty. This page could possibly be nasty. If you do not know the entry 'http://www.gatewaybiz.com', delete it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.access-4-free.com/portal.asp
  Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
  Possibly nasty. This page could possibly be nasty. If you do not know the entry 'www.access-4-free.com/portal.asp', delete it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Free
  Probably safe. If you want to have the standard title bar back, you should fix this entry.
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\wzt6hiva.slt\prefs.js)
  Safe in most cases. Unknown pages and Lop.com entries should be fixed! If you know the page, this entry does not need to be fixed.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. Hit rate: 99 %
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. Hit rate: 99 %
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. Hit rate: 99 %
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. Hit rate: 99 %
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. If the name is made up of random letters, is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. If the name is made up of random letters, is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
  Safe. Entries found in this registry zone are potentially nasty. This application has been checked. If the name is made up of random letters, is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
  Safe. The entered application PROMon.exe was identified: Promon.exe. Hit rate: 61 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
  Safe. The entered application IgfxTray was identified: igfxtray. Hit rate: 82 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
  Safe. The entered application HotKeysCmds was identified: HotKeysCmds. Hit rate: 99 %.
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
  Safe. The entered application GWMDMMSG was identified: GWMDMMSG. Hit rate: 95 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
  Safe. The entered application GWMDMpi was identified: GWMDMpi. Hit rate: 94 %.
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
  Safe. The entered application RealTray was identified: RealTray. Hit rate: 74 %. Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  Safe. The entered application ccApp was identified: ccApp. Hit rate: 94 %.
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
  Safe. The entered application URLLSTCK.exe was identified: UrlLstCk. Hit rate: 60 %.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  Safe. The entered application NeroFilterCheck was identified: NeroFilterCheck. Hit rate: 99 %.
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
  Safe. The entered application SmcService was identified: SmcService. Hit rate: 91 %.
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
  Safe. The entered application SSC_UserPrompt was identified: SSC_UserPrompt. Hit rate: 99 %.
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
  Safe. The entered application Mozilla Quick Launch was identified: Mozilla Quick Launch. Hit rate: 78 %. Not dangerous, but unnecessary.
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  Safe. The entered application MSMSGS was identified: MSMSGS. Hit rate: 94 %.
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
  Safe. The entered application Symantec NetDriver Monitor was identified: Symantec NetDriver Monitor. Hit rate: 79 %.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
  Safe. The entered application ctfmon.exe was identified: ctfmon. Hit rate: 81 %.
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
  Safe. The entry E&xport to Microsoft Excel has been identified as safe. If the entry is not needed anymore, it should be fixed.
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
  Possibly nasty. Unknown buttons or entries in the 'Extras' menu should be fixed. To be fixed if the entry 'Research' is unknown.
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
  Safe. The entry Real.com has been identified as safe. If the entry is not needed anymore, it should be fixed.
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  Safe. Most of the entries present in this registry area are safe. Only OnFlow adds unwanted plugins here; OnFlow plugins have the extension *.ofb.
O17 - HKLM\System\CCS\Services\Tcpip\..\{F205A15B-9269-484C-8DF5-AF9CF4BE69D2}: NameServer = 66.155.128.12 66.155.128.20
  Possibly nasty. If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '66.155.128.12 66.155.128.20'? If not, fix this entry.

0 Nasty
0
Question by:Lucynka
8 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12262789
Hello Lucynka =)

You are not required to post the whole analysis here..... just scroll down to the bottom of the analysed page, and you will see the SAVE ANALYSE button; hit it and it will save your log in a new page. Copy the address of that page and paste it here.... we will look at it :)

And BTW, don't forget to explain your problem !! =)
0
 
LVL 10

Expert Comment

by:LRI41
ID: 12263524
HijackThis log file analysis

HijackThis is a program used by experienced users in order to detect browser hijackers. It allows you to identify any sort of spyware and malware (as well as some trojan horses and worms). This is achieved by scanning special zones of the registry as well as the hard disk drive, the results being listed in a structured window. Another feature of HijackThis is the creation of a log file, which can be saved as a simple text file and opened by any text editor (Notepad by default). Until now, inexperienced users who could not analyze the log file by themselves had no other choice than to post it in a specialized forum and hope that a more experienced user would take some time to analyze it. The script presented on this page is a way to analyze your log without help from the outside: simply copy/paste the content of the log file in the textbox below and hit the analyze button. HijackThis is free and does not need to be installed.

http://www.hijackthis.de/index.php?langselect=english
0
 
LVL 1

Author Comment

by:Lucynka
ID: 12263951

Here is the saved analysis:
http://www.hijackthis.de/logfiles/4f91135e46bf60319cc6cf9d0db845b9.html

I don't have a specific problem - I just want to detect any spyware etc. on my system, and it's still running a bit slow. I haven't added memory yet. The bugs I was struggling with before the clean install are gone though!

Thanks!  :)
0

 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12263970
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =www.access-4-free.com/portal.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =www.access-4-free.com/portal.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =www.access-4-free.com/portal.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =www.access-4-free.com/portal.asp
========================

Fix the above entries; the rest is all OK :)
so they cannot be the reason for the slowness. Go and get some more RAM !! ;-)
Cheers ^_^
0
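A defender's triage script for the log format discussed in this thread, added here as an example and not code from the thread, from HijackThis or from hijackthis.de: it parses the R0/R1 and O17 lines and flags Internet Explorer start/search pages whose host the owner does not recognise, and DNS servers that are not the ones the ISP hands out. The allow-lists (known_hosts, known_dns) are assumptions, and the sample lines are constructed from values in the log above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis v1.98 line format; the values are copied
# from the log pasted in the question, with wrapped lines joined back together.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.access-4-free.com/portal.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =www.access-4-free.com/portal.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.access-4-free.com/portal.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Access4Free
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{F205A15B-9269-484C-8DF5-AF9CF4BE69D2}: NameServer = 66.155.128.12 66.155.128.20
"""

ENTRY_RE = re.compile(r"^([RONF]\d+) - (.*)$")        # section tag, then the entry
IE_RE = re.compile(r"^(HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer\\Main,"
                   r"([^=]+?)\s*=\s*(.*)$")            # hive, key, value of an R0/R1 line
DNS_RE = re.compile(r"NameServer\s*=\s*(.*)$")         # space-separated IPs of an O17 line
URL_KEYS = {"Start Page", "Search Page", "Default_Page_URL"}  # R0/R1 keys holding a URL


def host_of(value):
    """Bare hostname of a URL, or of a host/path written without a scheme."""
    v = value.strip().strip('"')
    if "://" not in v:
        v = "http://" + v
    return (urlsplit(v).hostname or "").lower()


def triage(log_text, known_hosts, known_dns):
    """Return [(section, reason, line)] for entries a reviewer should fix or verify.

    known_hosts: start/search-page hosts the owner recognises (OEM defaults included).
    known_dns: the DNS servers the ISP or LAN really hands out.
    """
    known_hosts = {h.lower() for h in known_hosts}
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1"):
            ie = IE_RE.match(rest)
            if ie and ie.group(2) in URL_KEYS:
                host = host_of(ie.group(3))
                if host not in known_hosts:
                    findings.append((section, f"IE {ie.group(2)} points at unrecognised host {host}", line))
        elif section == "O17":
            d = DNS_RE.search(rest)
            for ip in (d.group(1).split() if d else []):
                if ip not in known_dns:
                    findings.append((section, f"NameServer {ip} is not a known DNS server", line))
    return findings


if __name__ == "__main__":
    # Assumed allow-lists: the OEM default page and the ISP's two resolvers.
    for section, reason, line in triage(SAMPLE_LOG, {"www.gatewaybiz.com"},
                                        {"66.155.128.12", "66.155.128.20"}):
        print(f"[{section}] {reason}\n    {line}")
```

With those allow-lists the script reports exactly the four access-4-free entries the accepted answer says to fix; leave known_dns empty and the O17 resolvers are reported as well, which is the check to run when the IPs are not recognised.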
 
LVL 1

Author Comment

by:Lucynka
ID: 12265218
Thanks! Do you know whether adding RAM invalidates the Gateway warranty? I'll have to open the box.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12265344
Hmmmmmmmm, not sure. Do you have the warranty sticker on it which can tear if you open the box??
If yes, then I'm afraid the warranty will be invalidated in this case. Why don't you contact the provider of this system and tell them the situation? They must understand that nowadays more RAM can be needed !! :)
0
 
LVL 1

Author Comment

by:Lucynka
ID: 12266849
Thanks!  :)
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12266853
My pleasure ^_^
0
