•
•
•
•
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 392,079 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 4,018 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Please support our Viruses, Spyware and other Nasties advertiser:
Views: 2929 | Replies: 7
 |
•
•
Join Date: Feb 2004
Location: Philippines
Posts: 455
Reputation: 
Rep Power: 5
Solved Threads: 12
cyberkill(ed)
I've been having this recurring problem with a trojan (I think). everytime i leave my computer online, there are email messages being sent to random addresses. When I check on the tasks running, there are random exe files that I keep on deleting. I delete the exe files and the entries using HJT. I've just deleted some again and ran HJT... here's the log, anybody out there with more experience with log reading than I am... pls. help... I'm getting really annoyed...
Logfile of HijackThis v1.97.7
Scan saved at 2:46:44 PM, on 4/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\E_SSRP03.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\SYSTEM32\r_server.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\oliver\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garmentsasia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Sew Perfect Phils., Inc.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.garmentsasia.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rzo6u6bc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://%5C%5CFaith%5CC%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rzo6u6bc.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...590.1961689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
Thanks a plenty...
Logfile of HijackThis v1.97.7
Scan saved at 2:46:44 PM, on 4/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\E_SSRP03.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\SYSTEM32\r_server.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgentNT.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\EBRR.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\oliver\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garmentsasia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Sew Perfect Phils., Inc.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.garmentsasia.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rzo6u6bc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://%5C%5CFaith%5CC%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rzo6u6bc.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...590.1961689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
Thanks a plenty...
*-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
*I am the oceans.. Still, still yet always in constant *
*motion.Quiet but never afraid,Silent but always awake*
*And no God nor Man can control where you roam.. no *
*boundaries cast forever you last.... *
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
*I am the oceans.. Still, still yet always in constant *
*motion.Quiet but never afraid,Silent but always awake*
*And no God nor Man can control where you roam.. no *
*boundaries cast forever you last.... *
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
•
•
Join Date: Aug 2003
Posts: 7,116
Reputation:
Rep Power: 24
Solved Threads: 302
I don't see anything in you log to do this ,next time run and post hijack log before you delete the files
you can delete this file .
C:\WINDOWS\SYSTEM\blank.htm
you can delete this file .
C:\WINDOWS\SYSTEM\blank.htm
Boo!!!!! Sarcastic Jack
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 7,642
Reputation:
Rep Power: 22
Solved Threads: 415
Maybe it has something to do with remote administrator running all the time??
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe added as a result of ALADINZ.P virus
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe added as a result of ALADINZ.P virus
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Aug 2003
Posts: 7,116
Reputation:
Rep Power: 24
Solved Threads: 302
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Boo!!!!! Sarcastic Jack
•
•
Join Date: Feb 2004
Location: Philippines
Posts: 455
Reputation:
Rep Power: 5
Solved Threads: 12
cyberkill(ed)
so, Im to remove O4 - HKLM\..\Run: [SystemTray] SysTray.Exe??
I don't think it's the remote administrator... I just installed it, i hated running up and down just to fix something so small...
That's what I was worried about, I don't see anything wrong myself... but it still keeps on coming...
•
•
•
•
Originally Posted by crunchie
Maybe it has something to do with remote administrator running all the time??
•
•
•
•
Originally Posted by caperjack
I don't see anything in you log to do this ,next time run and post hijack log before you delete the files
That's what I was worried about, I don't see anything wrong myself... but it still keeps on coming...
*-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
*I am the oceans.. Still, still yet always in constant *
*motion.Quiet but never afraid,Silent but always awake*
*And no God nor Man can control where you roam.. no *
*boundaries cast forever you last.... *
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
*I am the oceans.. Still, still yet always in constant *
*motion.Quiet but never afraid,Silent but always awake*
*And no God nor Man can control where you roam.. no *
*boundaries cast forever you last.... *
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 7,642
Reputation:
Rep Power: 22
Solved Threads: 415
Yes remove the O4 - HKLM\..\Run: [SystemTray] SysTray.Exe it was added due to a virus. That according to sysinfo.org
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Aug 2003
Posts: 7,116
Reputation:
Rep Power: 24
Solved Threads: 302
the systray look ok to me .how are you determining it to be the bad one crunchie .
http://www.answersthatwork.com/Taskl...tasklist_s.htm === right down the bottom the difference i see is the upercase T in SysTray.exe ,lower case in the bad one .I do a search at SWI and noone is fixing it when its in a log .
http://www.answersthatwork.com/Taskl...tasklist_s.htm === right down the bottom the difference i see is the upercase T in SysTray.exe ,lower case in the bad one .I do a search at SWI and noone is fixing it when its in a log .
Boo!!!!! Sarcastic Jack
•
•
Join Date: Feb 2004
Location: Philippines
Posts: 455
Reputation:
Rep Power: 5
Solved Threads: 12
cyberkill(ed)
I think it's a virus if it's not in \winnt\system32\ folder.. or sumthin
*-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
*I am the oceans.. Still, still yet always in constant *
*motion.Quiet but never afraid,Silent but always awake*
*And no God nor Man can control where you roam.. no *
*boundaries cast forever you last.... *
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
*I am the oceans.. Still, still yet always in constant *
*motion.Quiet but never afraid,Silent but always awake*
*And no God nor Man can control where you roam.. no *
*boundaries cast forever you last.... *
*=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=*
|
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
•
•
•
•
•
•
•
•
DaniWeb Viruses, Spyware and other Nasties Marketplace
Linear Mode
- hjt log pls help cleanup (Viruses, Spyware and other Nasties)
- New HJT log, pls help me to clean up (Viruses, Spyware and other Nasties)
- HJT log help cleanup pls (Viruses, Spyware and other Nasties)
- Pls help with this HJT log (Viruses, Spyware and other Nasties)
- HJT log help pls (Viruses, Spyware and other Nasties)
- Pls help with my HJT log (Viruses, Spyware and other Nasties)
- help pls...Hjt log... (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: BlazeFind.Bridge
- Next Thread: Hijacked Internet Explorer--log included
