Infected Business PC, customer desperate
AfterDawn Addict
29. June 2006 @ 21:15
To those here to help, thanks.
I recently acquired a business PC that was believed to be "infected". Upon running and installing Ad-Aware, Spybot S&D, and an anti-virus app and scanning, the anti-spy came back 100% clean but the A/V came back with 3 trojans. I ran HijackThis and came up with this log file . . .
Logfile of HijackThis v1.99.1
Scan saved at 12:04:05 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Hijack This!\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.actlink.net:8081
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A66E96-718F-4A56-A196-BD1D76FE3D1B}: NameServer = 63.71.245.4 63.71.245.5
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I was mainly concerned with entry 17 and the three #20 entries. I am not very skilled yet at reading these log files but am working on it. If someone could tell me if anything in this log file shouldn't be running, that would be great.
Many thanks for helping. - PeaInAPod :~)
Senior Member
29. June 2006 @ 22:41
Number 20 is good, it's from Spy Sweeper. I am also concerned about no. 17; have you tried selecting it and clicking Fix?
I don't know what that is. Have Peer Guardian running in the background, fully updated, and surf the net; see if it tries to connect, and if it is bad, Peer Guardian should pick it up and block it and give you the name of what it is. Otherwise I don't know.
Soz, couldn't be more help.
"Its so hard to try to be different..."-Apocalypse Hoboken
dolphin2
29. June 2006 @ 22:49
I'm learning also but came up with these results for the items in question:
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A66E96-718F-4A56-A196-BD1D76FE3D1B}: NameServer = 63.71.245.4 63.71.245.5
This is an internet/LAN connection to IP 63.71.245.4 and 5. It connects to Applied Computer Technologies of Illinois.
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
In order they are:
Intel Graphics Accelerator Helper Module
Windows Genuine Advantage
WebRoot SpySweeper Module
All the O20 items seem to be OK. The one in question is the O17. Is it needed?
EDIT: I forgot to mention that sometimes SpySweeper and the Windows Genuine Advantage stuff don't always play nice together. I don't know what the problems are, but that's something to look at.
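An added Python example (not from the thread, and not part of HijackThis) showing how the O17 and O20 checks walked through above can be automated: it parses just those two sections and compares them against an allowlist built from facts in this thread (the ISP's two resolvers, the three legitimate Winlogon Notify DLLs). The sample unknown DLL and the 192.0.2.x addresses used for testing are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Regexes for the two HijackThis sections the thread asks about.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Allowlist built from the thread: the ISP's resolvers and the three DLLs identified as legitimate.
KNOWN_DNS = {"63.71.245.4", "63.71.245.5"}
KNOWN_NOTIFY_DLLS = {
    "igfxsrvc.dll": "Intel Graphics Accelerator Helper Module",
    "wgalogon.dll": "Windows Genuine Advantage",
    "wrlogonntf.dll": "Webroot Spy Sweeper module",
}

def triage_line(line, known_dns=KNOWN_DNS, known_dlls=KNOWN_NOTIFY_DLLS):
    """Classify one O17/O20 log line; returns (section, subject, verdict) or None."""
    m = O17_RE.match(line)
    if m:
        servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
        for s in servers:
            try:
                ip_address(s)          # a non-IP NameServer value is itself worth a look
            except ValueError:
                return ("O17", s, "review: NameServer is not an IP address")
        unknown = [s for s in servers if s not in known_dns]
        if unknown:
            return ("O17", " ".join(servers), "review: unrecognised DNS " + ", ".join(unknown))
        return ("O17", " ".join(servers), "ok: ISP resolvers")
    m = O20_RE.match(line)
    if m:
        dll = m.group("path").rsplit("\\", 1)[-1].lower()   # compare on the basename only
        owner = known_dlls.get(dll)
        return ("O20", dll, "ok: " + owner) if owner else ("O20", dll, "review: DLL not in allowlist")
    return None

def triage_log(text):
    return [r for r in (triage_line(l) for l in text.splitlines()) if r]

# Constructed sample: the entries from the posted log plus one made-up unknown DLL.
SAMPLE_LOG = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{87A66E96-718F-4A56-A196-BD1D76FE3D1B}: NameServer = 63.71.245.4 63.71.245.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: sample - C:\WINDOWS\SYSTEM32\constructed_unknown.dll
"""
if __name__ == "__main__":
    for section, subject, verdict in triage_log(SAMPLE_LOG):
        print(f"{section:4} {subject:28} {verdict}")
```

Anything marked "review" is only a prompt to identify the file or address by other means, not a verdict that it is malicious.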
AfterDawn Addict
30. June 2006 @ 16:00
I searched dogpile.com for "Applied Computer Technologies of Illinois" and came up with a dial-up internet service that's operated by none other than ACT Internet (A=Applied, C=Computer, etc.), so I guess it had something to do with his internet, which he confirmed was with the ACT company. I still don't understand what it was doing, but it's from his Internet company so it can't be anything malicious/harmful.
I would like to say thank you to all who took time out of their day to reply to my thread so quickly. So to Dolphin2 and Phantom69 I wish you the best of luck and many thanks.
I was wondering, I would like to learn how to better read HijackThis logs. Is there any specific info/internet site that you can think of that would be a good place for me to start learning?? Thanks :~)
-PeaInAPod
Senior Member
30. June 2006 @ 16:17
I'm not sure about where to learn, but if you read a couple of threads here on AD where people have posted their HijackThis logs and the problem has been solved, and you start familiarising yourself with Windows processes and certain common software executables and registry keys, it's really easy to pick up.
Oh, and btw, no problem dude.
AfterDawn Addict
30. June 2006 @ 16:27
That's a good idea. I'll probably do that. Again, thanks Phantom69.
Senior Member
30. June 2006 @ 16:33
np
dolphin2
30. June 2006 @ 16:44
Senior Member
30. June 2006 @ 16:47
Hey, that's really good stuff dolphin, I never knew about them, I had to learn myself lol
dolphin2
30. June 2006 @ 16:48
I'm in the beginning stages of taking the course offered by the first link.
Senior Member
30. June 2006 @ 17:39
I'm already at school, I think I'll stick to teaching myself lol, 3 months is a while for me, homework too. Dang man
dolphin2
30. June 2006 @ 17:41
I understand.
That last link can always be used for quick checks.
I just ran the posted log through the HijackThis Log File Analysis online. The only thing it questioned was that O17 entry, which we now know is safe. It asked if the IP address was known and if not, the entry should be deleted. Don't know how it will do with other infections, but I'm going to try it out and see what it shows. Mostly I'm interested in whether it shows how to get rid of some things that are bad.
Will post back results of some log scans.
---------
Here's a link to an infected log. Take a look at what it reports.
http://www.hijackthis.de/logfiles/f1ce011c64f68d3b5e946d834417266...
[note] This is only there for 3 days.

AfterDawn Addict
30. June 2006 @ 18:59
@ dolphin2
That online Malware Class thing is right up my alley. I am currently finishing high school, and during the summer I can work on it at night and sometimes during the day, seeing as my job doesn't require me to be there full time (it's great to be a kid :~) lol). Anyway, the links are awesome.
Senior Member
30. June 2006 @ 19:05
lol, I'm only on a 3 week holiday right now, I can't use summer hols for it cause I'm going overseas this year. So there really is no time for me :( but I am learning from what others say lol
dolphin2
30. June 2006 @ 19:46
@PeaInAPod
Glad you found them useful. Also good to hear that you are so interested that you would work on it during the summer and after work. You sound like a very energetic young person.
@Phantom69
I also understand your feelings on the course. Where are you planning on going? Just a general tour or do you have planned stops?
Senior Member
30. June 2006 @ 20:19
I'm going south to Tasmania for a 6 day 60 km hike :D
Plus I have a whole bunch of other stuff that I have to do, like major assignments and things, during the holidays, so it's pretty much already packed lol
dolphin2
30. June 2006 @ 22:15
That's quite a hike. What are the temps going to be like at this time of year in that area?
Senior Member
30. June 2006 @ 22:56
Well, actually at that time of year it's supposed to be unpredictable conditions, so we have to carry heaps of stuff in case of emergencies etc.
More than likely it will be subzero during some stages though.
dolphin2
30. June 2006 @ 23:55
I live in the desert. That's way, way too cold for me! I'd freeze my tail off!! LOL!
Senior Member
1. July 2006 @ 00:28
Oh well, here in Australia it can get pretty freakin hot during summer and extremely cold during winter, so we are continually going from one extreme to another lol
dolphin2
1. July 2006 @ 12:01
I live in southern Nevada. Temps here in summer can go as high as 115. During winter, I've seen it go below freezing (32). These are Fahrenheit. 46-0 Celsius.
AfterDawn Addict
1. July 2006 @ 16:07
I live in a small town in north-western Illinois. We haven't even got hills to climb, let alone mountains. We live out in the country and are surrounded by fields. I never actually measured this or anything, but you can probably see straight across the fields for a good couple of miles! But when fall comes and they harvest the fields, I've got a good couple hundred acres of fields that I can ride my ATV through!! So it's not all that bad here in Illinois, I guess.
Senior Member
1. July 2006 @ 16:09
Dang, welp, we get that high in the middle of Australia where it's desert, like Alice Springs and stuff, but otherwise over here in Sydney I don't think it has ever gone over 36 C.
dolphin2
1. July 2006 @ 23:03
@PeaInAPod
I don't like your Illinois winters. Ice storms are not for me!
@Phantom69
I've always wanted to visit Australia, but I'm afraid if I did, I may never want to leave! Aussie gals are something else!