-
February 28th, 2006, 06:51 PM
#1
Help with hijackthis log.
There are a ton of people here that are better than me at analyzing these logs. The following is the HijackThis log from a buddy's computer; if you could have a look and let me know if something sticks out I would appreciate it.
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 8:21:15 AM, on 2/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\CDProxyServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\PROMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart TIMER_SEQUENCE first
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Up Service] up32.pif
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ResModify] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\Run: [Up Service] up32.pif
O4 - HKCU\..\RunServices: [Up Service] up32.pif
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111fd.bay111.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn...detection3.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - http://h20270.www2.hp.com/ediags/gmn/install/hpxml.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe (file missing)
-
February 28th, 2006, 07:12 PM
#2
Get rid of $sys$DRMServer.exe with instructions from here
up32.pif is a worm... Look here
Other than those nothing else really sticks out... But there is a lot of "rubbish" there.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 28th, 2006, 07:18 PM
#3
Hi
First:
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe is the dreaded Sony Rootkit, read here to remove it. http://www.bleepingcomputer.com/forums/topic34904.html
Second:
C:\Program Files\MessengerPlus! 3\ MsgPlus.exe msgplus - msgplus.exe - Process Information
Process File: msgplus.exe
Process Name: MSN MessengerPlus
Description: msgplus.exe is distributed as a third party MSN extension. However, it is also spyware if installed with the sponsor program it offers to install. If this optional sponsor program was installed, this process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. Please see additional details regarding this process.
This is down to user preference, but only if you indicated during the download that you didn't want 3rd party programs (adware/popups). (IMO get rid of it.)
Third:
O4 - HKCU\..\Run: [Up Service] up32.pif
Name: Up Service Filename: up32.pif Command: up32.pif Description: Added by the W32/Rbot-ARI worm. This infection, when started, connects to an IRC server where it sits on a channel awaiting commands. File Location: %System% Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry. HijackThis Category: O4 Entry Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP.
O4 - HKCU\..\RunServices: [Up Service] up32.pif
http://www.bleepingcomputer.com/star...pif-12797.html
These two entries are a worm and you need to get rid of them.
So to start, go to Trend Micro Housecall and run a scan, then go to Panda Online and run another scan. Run all of your scans for Ewido and Adaware SE in Safe Mode and then post a new HJT log.
Edit: Damn I gotta type faster....... ya beat me to it TS
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
February 28th, 2006, 07:21 PM
#4
Originally posted here by Tiger Shark
Get rid of $sys$DRMServer.exe with instructions from here
up32.pif is a worm... Look here
Other than those nothing else really sticks out... But there is a lot of "rubbish" there.
Thanks Tiger, I picked up on the worm too. I didn't know what DRMServer was though. And you are right, there is a lot of crap in there (looks like a six pack job).
Cheers:
-
February 28th, 2006, 07:23 PM
#5
But there is a lot of "rubbish" there
I didn't want to post earlier because I wouldn't have been able to point out the things Tiger did - but, I agree about that part. Just install CCleaner, a-squared, and your favourite adware and spyware removers (like Ad-Aware and Spybot S&D) on his PC and run them - that should get rid of most of the nasties.
Cheers,
-jk
[edit] I wasn't trying to sound patronising - I posted those links in case you wanted to send your buddy here to download the mentioned tools if you don't have access to his box..
-
February 28th, 2006, 07:24 PM
#6
The thing with the DRM file that alerted me is the $sys$... That's a hidden file... It shouldn't show as being started in a hijack this log...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 28th, 2006, 07:34 PM
#7
Another part of sony drm root kit?
---------------------------------
CDProxyServ - CDProxyServ.exe - Process Information
"Process File: CDProxyServ or CDProxyServ.exe
Process Name: Sony-Bmg Album Background Process"<---> Good luck with this one
sony drm root kit?
-----------------
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe<--->
W32/Rbot-ARI
-------------
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKCU\..\Run: [Up Service] up32.pif
O4 - HKCU\..\RunServices: [Up Service] up32.pif
might be leftovers of W32/Tilebot-S worm
-----------------------------------------
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe (file missing)
tigershark, I believe MS released a patch that stopped $sys$ type files from remaining completely hidden.
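The indicators the replies above single out ($sys$-prefixed names, up32.pif sitting in every Run/RunServices key, the CD_Proxy service with no publisher, the TASKESV service whose binary is missing) can be checked mechanically. The script below is an added example for this thread; it is not HijackThis code and was not written by any poster. It first undoes the quoted-printable mangling visible in the posted log (the trailing "=" soft line breaks and "=3D") with the standard library's quopri module, then parses the O4 and O23 lines and flags those matching the thread's indicators. The RAW_LOG sample is constructed from lines quoted in this thread; the KNOWN_BAD names come from the replies, while the .pif and RunServices heuristics are general triage rules added here, not claims made by any poster.

```python
"""Decode a mail-mangled HijackThis log and flag the entries this thread calls out.

Added example, not HijackThis code and not written by any poster in the thread.
"""
import quopri
import re

# Constructed sample: lines as they appear in the post, mangled by quoted-printable
# mail encoding ("=" at end of line is a soft break, "=3D" encodes a literal "=").
RAW_LOG = r"""O4 - HKLM\..\Run: [Up Service] up32.pif
O4 - HKLM\..\RunServices: [Up Service] up32.pif
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec =
Shared\ccApp.exe"
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 =
Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - =
C:\WINNT\CDProxyServ.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe =
(file missing)
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare =
software\bin\ptssvc.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =3D =
http://www.google.ca/
"""

# O4 registry autostarts: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: "O23 - Service: display (short) - owner - path"; "(short)" is optional
SVC_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^()]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")

# File names the thread identifies, keyed by lower-cased base name.
KNOWN_BAD = {
    "up32.pif": "W32/Rbot-ARI worm autostart",
    "cdproxyserv.exe": "XCP CD Proxy, part of the Sony BMG DRM package",
}


def decode_qp(text: str) -> str:
    """Join '=\\n' soft breaks and turn '=3D' back into '=' (RFC 2045 quoted-printable)."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def executable_of(cmd: str) -> str:
    """First token of a Run value: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_entry(line: str) -> list:
    """Reasons a decoded O4/O23 line deserves a second look; empty list if none."""
    reasons = []
    if "$sys$" in line:
        # The XCP driver cloaks anything whose name starts with $sys$; seeing the
        # name at all means the cloak is no longer working (as post #6 points out).
        reasons.append("$sys$ prefix: Sony/First 4 Internet XCP rootkit component")
    run = RUN_RE.match(line)
    if run:
        base = executable_of(run.group("cmd")).rsplit("\\", 1)[-1].lower()
        if base in KNOWN_BAD:
            reasons.append(KNOWN_BAD[base])
        if base.endswith(".pif"):
            reasons.append("autostart via .pif, not something a legitimate installer registers")
        if run.group("key").startswith("RunServices"):
            # Win9x-only key; on NT/2000 it is normally only populated by malware
            # that writes itself into every autostart location it knows.
            reasons.append("RunServices key populated on an NT-family system")
    svc = SVC_RE.match(line)
    if svc:
        path = svc.group("path")
        base = re.sub(r"\s*\(file missing\)$", "", path).rsplit("\\", 1)[-1].lower()
        if base in KNOWN_BAD:
            reasons.append(KNOWN_BAD[base])
        if path.endswith("(file missing)"):
            reasons.append("service binary missing: orphaned entry, likely a malware leftover")
        if svc.group("owner") == "Unknown owner":
            reasons.append("no publisher recorded for the service")
    return reasons


def analyze(raw_log: str) -> list:
    """Decode the posted log and return [(line, reasons)] for every flagged line."""
    hits = []
    for line in decode_qp(raw_log).splitlines():
        reasons = flag_entry(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for flagged, why in analyze(RAW_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Running it prints the five lines the replies flagged and nothing for the ccApp, ptssvc or R0 entries; the decode step matters because a regex applied to the wrapped log would miss every O23 line whose path was split across the "=" break.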
-
February 28th, 2006, 09:34 PM
#8
Originally posted here by spamdies
tigershark, I believe MS released a patch that stopped $sys$ type files from remaining completely hidden.
Yep, they did in either the Dec or Jan Patch Tuesday. Makes it much easier to find the little buggerer.