HijackThis Log

Reply

Join Date: Apr 2005
Posts: 16,273
Reputation: jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all 
Solved Threads: 544
Moderator
Featured Poster
jbennet's Avatar
jbennet jbennet is offline Offline
Moderator

HijackThis Log

 
0
  #1
Jun 5th, 2007
Please can someone take a look at my HJT log for me. Thanks!

 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:55:31, on 05/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James Bennet\Desktop\hjt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: MySQL System Tray Monitor.lnk = C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: TabPlayer - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\TabPlayer\tp.exe
O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\TabPlayer\tp.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1177166548484
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Abyss Web Server (AbyssWebServer) - Unknown owner - C:\Program Files\Abyss Web Server\abyssws.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - c:\xampp\service.exe (file missing)
--
End of file - 6454 bytes
If i am helpful, please give me reputation points.
Reply With Quote Quick reply to this message  
Join Date: May 2005
Posts: 3,204
Reputation: gerbil will become famous soon enough gerbil will become famous soon enough 
Solved Threads: 188
gerbil gerbil is offline Offline
Nearly a Senior Poster

Re: HijackThis Log

 
0
  #2
Jun 5th, 2007
...so clean it squeaks, jb. You could fix that O2 entry with no file, but it was never a problem BHO -it's a common enough CLSID.
Were/are there any symptoms bothering you?
Deep, deep in the woods, but walking about.
Reply With Quote Quick reply to this message  
Join Date: Apr 2005
Posts: 16,273
Reputation: jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all 
Solved Threads: 544
Moderator
Featured Poster
jbennet's Avatar
jbennet jbennet is offline Offline
Moderator

Re: HijackThis Log

 
0
  #3
Jun 5th, 2007
mmm its worrying me because windows keeps telling me thats it system files have been modified by an untrusted source.
If i am helpful, please give me reputation points.
Reply With Quote Quick reply to this message  
Join Date: May 2005
Posts: 3,204
Reputation: gerbil will become famous soon enough gerbil will become famous soon enough 
Solved Threads: 188
gerbil gerbil is offline Offline
Nearly a Senior Poster

Re: HijackThis Log

 
0
  #4
Jun 5th, 2007
I guess they are not the system files that are included in the protected list, otherwise the file protection sys would have kicked in and replaced em with originals.... Could it be a driver? I'd have thought an untrusted source would have buckley's of doing that unless some permissions were altered. Don't know. Sorry. sfc may sort it out, but that would mean that the cache files were wrong also...
Deep, deep in the woods, but walking about.
Reply With Quote Quick reply to this message  
Join Date: Apr 2005
Posts: 16,273
Reputation: jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all 
Solved Threads: 544
Moderator
Featured Poster
jbennet's Avatar
jbennet jbennet is offline Offline
Moderator

Re: HijackThis Log

 
0
  #5
Jun 6th, 2007
Yeah the file protection thing keeps coming up on bootup and saying something is trying to replace winlogon.exe but it obviously fails as sfc /scannow completes sucessfully.
If i am helpful, please give me reputation points.
Reply With Quote Quick reply to this message  
Join Date: May 2005
Posts: 3,204
Reputation: gerbil will become famous soon enough gerbil will become famous soon enough 
Solved Threads: 188
gerbil gerbil is offline Offline
Nearly a Senior Poster

Re: HijackThis Log

 
0
  #6
Jun 6th, 2007
Haha.. you def would not want winlogon.exe replaced cos win file prot runs inside that! I can only think that a trojan or virus with just one job in mind is resident, it fails and stops until next reboot. O20 is where you would hope to see that launch type being reported, naturally with windows I bet there are many other winlogon launch methods. I can only suggest doing a couple of online scans, an eg is Panda Online Scan:[what follows is a set piece...]
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Give it a shot....
Last edited by gerbil; Jun 6th, 2007 at 9:59 am.
Deep, deep in the woods, but walking about.
Reply With Quote Quick reply to this message  
Join Date: Apr 2005
Posts: 16,273
Reputation: jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all jbennet is a name known to all 
Solved Threads: 544
Moderator
Featured Poster
jbennet's Avatar
jbennet jbennet is offline Offline
Moderator

Re: HijackThis Log

 
0
  #7
Jun 6th, 2007
nod32 and avg detected nothing

i think some nasty trojan is trying to replace my winlogon in order to capture my password etc...

sfc /scannow fixes it but only for that reboot.

Im gonna backup thyen delete the cache directiories and any copies of winlogon i can find and replace them with stock ones from the xp cd
If i am helpful, please give me reputation points.
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum


Views: 782 | Replies: 6
Thread Tools Search this Thread



Tag cloud for Viruses, Spyware and other Nasties
acrobat adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china combofix commercial conficker control cybercrime cyberwarfare ddos education email europe exam exploit explorer facebook fake fancheckvirus firefox gtaiv halloween herss.exe hijack hosting ie8 internet iphone links logfiles malware mcafee microsoft mobile msn nazi news norton obama onlinethreats paedophile panel parents patch pc pdf policeprovirusmba-mblockedinternetaccess president privacy pro redirect redirecting report research rogueantivirus rootkit samhain sans scareware search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans symantec system teen threat translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista vulnerability war warning windows worm yahoo zero-day zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC