Hjt Log--need Help



My System: Dell8200, Win XP Home, Symantec AVC, ZoneAlarm, SpyBot S&D, AdAware, SpyWare Blaster.

Symptoms: Noticed significant delay attempting to run SpyBot and AdAware--Task Manager indicated these were using 99% CPU. Let Spybot run to completion (1.5 hr)---detected "pipas.A" trojan. Removed, but continues to regenerate after reboot. Attempted free on-line scan using Panda and SpywareSweeper---these detected problems, but they could not be removed without purchasing removal tool. Downloaded and ran Ewido malware scanner---detected problems fixed. SpyBot still being significantly delayed by remaining infection. Here's my HJT log---should definitely get rid of O17 items, I think, but what about other items? Your advice on how to proceed is needed.

Logfile of HijackThis v1.99.1

Scan saved at 4:41:19 PM, on 1/10/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O6 "USB001" /M "Stylus C80"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{453752DE-9C74-446B-98F1-AA145A95EA99}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{629AD2DB-9100-4C42-85DF-530BC00F8389}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS2\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Dragon, I have been seeing a ton of those IPs in logs from the Ukraine lately, and on a few forums I mod or admin I can clearly see they are US residents. Ask Chappy or BT to look at falcon's IP to locate where he is at, but doubtful it is from Belarus/Ukraine.

http://www.dnsstuff.com/tools/whois.ch?ip=85.255.113.118


doh!!!

I didn't even think about looking at the IP. That's what I get for being rushed on this computer because my wife needed it for work.

*Dragon slaps his head*

Falcon24, you can remove those O17 entries using HijackThis.

Open HijackThis, click on Scan Only, then find the following entries and put a check next to them. Then, with all browsers and windows closed, including this one, click on Fix Selected:

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{453752DE-9C74-446B-98F1-AA145A95EA99}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CCS\Services\Tcpip\..\{629AD2DB-9100-4C42-85DF-530BC00F8389}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS1\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

O17 - HKLM\System\CS2\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101

Reboot your computer, post a fresh HijackThis log, and let us know how your system is doing.

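The O17 lines above are the thread's whole finding: every interface GUID, in CurrentControlSet (CCS) and in the backup control sets CS1/CS2, has been pointed at the same two outside resolvers. The following script, an added example that is not from this thread or from HijackThis, parses O17 lines and groups any resolver outside an allowlist by interface GUID, listing each control set that still carries it. The allowlist (private router/ISP ranges) and the all-zero GUID in the sample are assumptions; the other sample lines are copied from the log posted above.

```python
import re
from ipaddress import ip_address, ip_network

# HijackThis O17 line: O17 - HKLM\System\<ControlSet>\Services\Tcpip\..\{<interface GUID>}: NameServer = a,b
O17_RE = re.compile(r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
                    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.,\s]+)$")

# Assumption: the resolvers this machine should be using (a home router or ISP-assigned range).
EXPECTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Constructed sample: O17 lines from the log in this thread plus one benign entry (made-up all-zero GUID).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{453752DE-9C74-446B-98F1-AA145A95EA99}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D368997-F85F-42D7-BE98-464F4CBB0195}: NameServer = 85.255.113.118,85.255.112.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

def parse_o17(log_text):
    """One dict per O17 NameServer entry: control set, interface GUID, resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append({"control_set": m.group("cs"), "guid": m.group("guid"), "servers": servers})
    return entries

def is_expected(server):
    """True only for a parsable address inside EXPECTED_RESOLVERS; garbage is treated as suspicious."""
    try:
        addr = ip_address(server)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_RESOLVERS)

def flag_dns_hijack(log_text):
    """Rogue resolvers keyed by interface GUID, with every control set (CCS, CS1, CS2) that still has them."""
    findings = {}
    for e in parse_o17(log_text):
        bad = [s for s in e["servers"] if not is_expected(s)]
        if bad:
            f = findings.setdefault(e["guid"], {"servers": set(), "control_sets": []})
            f["servers"].update(bad)
            f["control_sets"].append(e["control_set"])
    for f in findings.values():
        f["servers"] = sorted(f["servers"])
    return findings
```

A GUID listed under CS1 or CS2 but not CCS means the override was removed from the running configuration only and would return with a "Last Known Good" boot, so the fix list should include every control set, as Dragon's does.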

Actions: (1) Ran HJT, fixed all O17 items; reran HJT to verify they were gone--they were. (2) Rebooted in Safe Mode and ran AdAware. (3) Then ran Ewido fast scan, which detected several problems--see log. It is unclear if items labelled "Error during cleaning" were actually fixed. (4) Ran Spybot S&D---something is still inhibiting the efficiency of running this software--it took 1 hour 15 min to complete---detected "pipas.A" trojan---fixed. This is a recurring trojan that I have been unable to get rid of. (5) Ran SpySweeper, which detected a bunch of trojans, adware and cookies---these were not fixable since I haven't purchased the removal tool. QUESTIONS:

(a) Is there any freeware that can detect AND get rid of this SpySweeper-detected malware effectively?

(b) Is there anything suspicious in the HJT log below?

APPRECIATE YOUR HELP!!

--------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 1:17:13 PM, 1/11/2006

+ Report-Checksum: 5E2476B6

+ Scan result:

[204] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning

[228] VM_00BF0000 -> Downloader.Agent.uj : Error during cleaning

[860] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning

C:\Documents and Settings\John Watson\Cookies\john [email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup

C:\Documents and Settings\John Watson\Cookies\john [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup

C:\Documents and Settings\John Watson\Cookies\john [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1

Scan saved at 3:22:51 PM, on 1/11/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O6 "USB001" /M "Stylus C80"

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Dragon, the IPs from there are also part of a Fixwareout infection, and this tool should be run on it as well as getting rid of the lines.

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. Make sure you are connected to the Internet.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch (if it doesn't, run it manually).

Post another HJT log and the contents of C:\fixwareout\report.txt

^^^ Those are the instructions to give when you have them run it too.

Mike


Due to lack of feedback, this topic has been closed. If you are the original topic starter and you are still having problems, please send a message, with a link to this topic, to a staff member to have it re-opened.
