Thread: Please can someone check if I'm clean...

  1. #1
    Junior Member
    Join Date
    Oct 2005
    Posts
    3

    Please can someone check if I'm clean...

    I have recently been infected by a trojan/worm.

    I think I have removed it but would like to be sure...

    Logfile of HijackThis v1.99.1
    Scan saved at 18:21:44, on 29/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Zippy\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.datafarm.com/scripts/datafarm.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    Thanks in advance!

  2. #2
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    The only thing that really stands out to me is the two different entries for MSN Messenger.
    Maybe I'm paranoid, but why are there two entries for the one program?

    f2b

  3. #3
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Things that stick out for me..

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.datafarm.com/scripts/datafarm.dll

    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe



    But I'm not really qualified to determine if they are a genuine threat or a genuine app..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #4
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi, and welcome to AO


    http://www.emsisoft.com/en/software/free/
    http://www.ewido.net/en/

    http://www.safer-networking.org/en/index.html (Spybot search & destroy)

    Download those, update them and run them in safe mode.

    Do the same with your AV products.


  5. #5
    Junior Member
    Join Date
    Oct 2005
    Posts
    3
    Originally posted here by the_JinX
    Things that stick out for me..

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.datafarm.com/scripts/datafarm.dll

    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe



    But I'm not really qualified to determine if they are a genuine threat or a genuine app..
    These two are OK; datafarm.com is my homepage for IE (I use Firefox).

    Not too worried about the two MSN's.

    Thanks for all your help guys - will get onto it this evening....

  6. #6
    Senior Member Raion
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299
    Here, this is what I use when I want to check if I'm "clean" http://hjt.iamnotageek.com/
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Raion,

    Those sites have been put up before, and the general response was that they (automated hijack services) are good as a reference tool, but there is no real replacement for a qualified professional.

    Eg

  8. #8
    The ******* Shadow dalek
    Join Date
    Sep 2005
    Posts
    1,564
    Hi scrambo2005

    If you want to check on some of these items yourself (a good way to learn what's in your PC), you can usually take the CLSID (a universally unique identifier (UUID) that identifies a COM component; each COM component has its CLSID in the Windows Registry so that it can be loaded by other applications) and either google it or check it out at Castlecops http://castlecops.com/CLSID.html

    Your log actually looks clean, but like Eg said, get someone to have a look at it for you to be completely sure. This site explains each line in your HJT log: Merjin
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Originally posted here by .:front2back:.
    The only thing that really stands out to me is the two different entries for MSN Messenger.
    Maybe I'm paranoid, but why are there two entries for the one program?

    f2b
    This is perfectly legit. The msmsg is the MS Messenger that comes with Windows XP and such, while the msnmsg is MSN Messenger that is added on. For some reason the MSN Messenger doesn't disable the MS one. I've had many machines that had both set to autologin to the same account and toggle back and forth. In any case, this isn't anything rogue.
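The check the thread walks through by eye (are the two Messenger autoruns one program or two, and does every autorun correspond to something in the process list) can be done mechanically. The script below is an added example, not from this thread or from HijackThis; it parses O4 lines and the "Running processes:" section of an HJT log, groups autoruns by executable file name, and lists autoruns whose binary does not appear among the running processes. The sample input is a constructed subset of lines copied from the log in the first post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""
# O4 line layout: "O4 - <hive>\..\<key>: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def exe_from_command(cmd):
    """Program path from an autorun command line: the quoted part, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ', 1)[0]

def parse_hjt(text):
    """Return (running process paths, parsed O4 autorun entries) from an HJT log."""
    processes, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == 'Running processes:':
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := O4_RE.match(line)):
            entry = m.groupdict()
            entry['exe'] = exe_from_command(entry['cmd'])
            autoruns.append(entry)
    return processes, autoruns

def autoruns_by_binary(autoruns):
    """Group O4 entry names by executable file name; one program registered twice shares a key."""
    groups = {}
    for a in autoruns:
        groups.setdefault(PureWindowsPath(a['exe']).name.lower(), []).append(a['name'])
    return groups

def autoruns_not_running(autoruns, processes):
    """O4 entry names whose binary has no match in the process list (worth a second look)."""
    running = {PureWindowsPath(p).name.lower() for p in processes}
    return [a['name'] for a in autoruns
            if PureWindowsPath(a['exe']).name.lower() not in running]
```

On the sample, the two Messenger entries resolve to different binaries (msmsgs.exe and msnmsgr.exe), which is the point made in the last reply, and only nwiz (a one-shot "/install" task) has no running counterpart.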
