-
October 30th, 2005, 10:54 AM
#1
Junior Member
Please can someone check if I'm clean...
I have recently been infected by a trojan/worm.
I think I have removed it but would like to be sure...
Logfile of HijackThis v1.99.1
Scan saved at 18:21:44, on 29/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zippy\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.datafarm.com/scripts/datafarm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
Thanks in advance!
-
October 30th, 2005, 11:00 AM
#2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
The only thing that really stands out to me, are the 2 different entries for MSN Messenger.
maybe i'm paranoid but why are there two entries for the 1 program..
f2b
-
October 30th, 2005, 11:02 AM
#3
Things that stick out for me..
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.datafarm.com/scripts/datafarm.dll
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
But I'm not really qualified to determine if they are a genuine thread or a genuine app..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
October 30th, 2005, 11:11 AM
#4
Hi, and welcome to AO
http://www.emsisoft.com/en/software/free/
http://www.ewido.net/en/
http://www.safer-networking.org/en/index.html (Spybot search & destroy)
Download those, update them and run them in safe mode
Do the same with your AV products
-
October 30th, 2005, 01:40 PM
#5
Junior Member
Originally posted here by the_JinX
Things that stick out for me..
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.datafarm.com/scripts/datafarm.dll
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
But I'm not really qualified to determine if they are a genuine thread or a genuine app..
These two are OK, datafarm.com is my homepage for IE (I use Firefox.)
Not too worried about the two MSN's.
Thanks for all your help guys - will get onto it this evening....
-
October 30th, 2005, 03:52 PM
#6
Here, this is what I use when I want to check if I'm "clean" http://hjt.iamnotageek.com/
WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!
-
October 30th, 2005, 04:11 PM
#7
Hi Raion,
Those sites have been put up before and the general response was they're ( automated hijack services ) good as a reference tool but there is no real replacement for a qualified professional.
Eg
-
October 30th, 2005, 04:53 PM
#8
Hi scrambo2005
If you want to check on some of these items yourself (good way to learn what's in your PC) you can usually take the CLSID (A universally unique identifier (UUID) that identifies a COM component. Each COM component has its CLSID in the Windows Registry so that it can be loaded by other applications.) and either google it or check it out at Castlecops http://castlecops.com/CLSID.html
Your log actually looks clean,but like Eg said, get someone to have a look at it for you to be completely sure, this site explains each line in your HJT log Merjin
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
October 31st, 2005, 06:22 PM
#9
Originally posted here by .:front2back:.
The only thing that really stands out to me, are the 2 different entries for MSN Messenger.
maybe i'm paranoid but why are there two entries for the 1 program..
f2b
This is perfectly legit. The msmsg is the MS Messenger that comes with windows XP and such, while the msnmsg is MSN messenger that is added on. For some reason the MSN messenger doesn't disable the MS one. I've had many machines that had both set to autologin to the same account and toggle back and forth. In anycase, this isn't anything rogue.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|