Help with hijackthis log.
Results 1 to 8 of 8

Thread: Help with hijackthis log.

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Help with hijackthis log.

    There are a ton of people here that are better than me at analyzing these logs than me. The following is the hijackthis log from a buddies computer, if you could have a look and let me know if something stick out I would appreciate it.

    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:15 AM, on 2/28/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\CDProxyServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\WINNT\system32\PROMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\USBToolbox\Res.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINNT\system32\LVComS.exe
    C:\Program Files\Common Files\Symantec Shared\Security =
    Console\NSCSRVCE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =3D =
    http://www.google.ca/
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - =
    C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - =
    C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} =
    - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - =
    C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} =
    - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - =
    c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog =
    Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE =
    C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE =
    C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft =
    AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program =
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! =
    3\MsgPlus.exe"
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program =
    Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program =
    Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program =
    Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart TIMER_SEQUENCE =
    first
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program =
    Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software =
    Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Up Service] up32.pif
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec =
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common =
    Files\Symantec Shared\Security Center\UsrPrmpt.exe"
    O4 - HKLM\..\Run: [ResModify] C:\Program Files\USBToolbox\Res.EXE
    O4 - HKLM\..\Run: [AdwareAlert] C:\Program =
    Files\AdwareAlert\adwarealert.Exe -boot
    O4 - HKLM\..\RunServices: [Up Service] up32.pif
    O4 - HKCU\..\Run: [Up Service] up32.pif
    O4 - HKCU\..\RunServices: [Up Service] up32.pif
    O4 - Global Startup: Kodak software updater.lnk =3D C:\Program =
    Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software =
    Updater.exe
    O8 - Extra context menu item: &Google Search - res://c:\program =
    files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program =
    files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program =
    files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program =
    files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program =
    files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - =
    res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - =
    C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - =
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program =
    Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - =
    C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - =
    {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Absolute Poker - =
    {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All =
    Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - =
    {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All =
    Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload =
    Tool) - http://by111fd.bay111.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} =
    (MsnMessengerSetupDownloadControl Class) - =
    http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - =
    http://h20270.www2.hp.com/ediags/gmn...detection3.cab
    O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) =
    - http://h20270.www2.hp.com/ediags/gmn/install/hpxml.cab
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 =
    Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation =
    - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec =
    Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - =
    C:\WINNT\CDProxyServ.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - =
    VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman =
    Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - =
    C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - =
    Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - =
    C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - =
    Symantec Corporation - C:\Program Files\Norton =
    AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec =
    Corporation - C:\Program Files\Common Files\Symantec Shared\Security =
    Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA =
    Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare =
    software\bin\ptssvc.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - =
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec =
    Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common =
    Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program =
    Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe =
    (file missing)
    DjM

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Get rid of $sys$DRMServer.exe with instructions from here

    up32.pif is a worm... Look here

    Other than those nothing else really sticks out... But there is a lot of "rubbish" there.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Hi

    First:

    C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe is the dreaded Sony Rootkit, read here to remove it. http://www.bleepingcomputer.com/forums/topic34904.html


    Second:

    C:\Program Files\MessengerPlus! 3\ MsgPlus.exe msgplus - msgplus.exe - Process Information

    Process File: msgplus.exe
    Process Name: MSN MessengerPlus

    Description: msgplus.exe is distributed as a third party MSN extension. However is also spyware if installed with the sponsor program it offers to install. If this optional sponsor program was installed, this process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. Please see additional details regarding this process.
    This is down to user preference, but only if you indicated during the download that you didn't want 3rd party programs (adware/popups)..(IMO get rid of it)


    Third:


    O4 - HKCU\..\Run: [Up Service] up32.pif
    Name: Up Service Filename: up32.pif Command: up32.pif Description: Added by the W32/Rbot-ARI worm. This infection, when started, connects to an IRC server where it sits on a channel awaiting commands. File Location: %System% Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry. HijackThis Category: O4 Entry Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.
    O4 - HKCU\..\RunServices: [Up Service] up32.pif

    http://www.bleepingcomputer.com/star...pif-12797.html

    These two entries are a worm and you need to get rid of them.


    So to start go to

    Trend Micro Housecall and run a scan

    then go to Panda Online and run another scan.

    Run all of your scans for Ewido
    Adaware SE

    In Safe Mode and then post a new HJT log.

    Edit: Damn I gotta type faster....... ya beat me to it TS
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tiger Shark
    Get rid of $sys$DRMServer.exe with instructions from here

    up32.pif is a worm... Look here

    Other than those nothing else really sticks out... But there is a lot of "rubbish" there.
    Thanks Tiger, I picked up on the worm too. I didn't know what DRMServer was thought. And you are right there is a lot of crap in there (looks like a six pack job )


    Cheers:
    DjM

  5. #5
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    But there is a lot of "rubbish" there
    I didn't want to post earlier because I wouldn't have been able to point out the things Tiger did - but, I agree about that part. Just install CCleaner, a-squared, and your favourite adware and spyware removers (like Ad-Aware and Spybot S&D on his PC and run them - that should get rid of most of the nasties.

    Cheers,

    -jk

    [edit] I wasn't trying to sound patronising - I posted those links in case you wanted to send your buddy here to download the mentioned tools if you don't have access to his box..
    TAZForum <---- click

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The thing with the DRM file that alerted me is the $sys$... That's a hidden file... It shouldn't show as being started in a hijack this log...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Banned
    Join Date
    Jul 2004
    Posts
    297
    Another part of sony drm root kit?
    ---------------------------------
    CDProxyServ - CDProxyServ.exe - Process Information
    "Process File: CDProxyServ or CDProxyServ.exe
    Process Name: Sony-Bmg Album Background Process"&lt;---&gt; Good luck with this one

    sony drm root kit?
    -----------------
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 =
    Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe&lt;---&gt;

    W32/Rbot-ARI
    -------------
    O4 - HKLM\..\RunServices: [Up Service] up32.pif
    O4 - HKCU\..\Run: [Up Service] up32.pif
    O4 - HKCU\..\RunServices: [Up Service] up32.pif



    might be leftovers of W32/Tilebot-S worm
    -----------------------------------------
    O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe =
    (file missing)


    tigershark, I beleive MS released a patch that stopped $sys$ type files from remaining completly hidden.

  8. #8
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Originally posted here by spamdies
    tigershark, I beleive MS released a patch that stopped $sys$ type files from remaining completly hidden.
    Yep, they did in either the Dec or Jan Patch Tuesday. Makes it much easier to find the little buggerer.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides