Sysinternals Forum > Windows Discussions > Malware

My hijackthis log please check it out

Bomb123 (Senior Member)
Posted: 06 December 2009 at 10:47am
Hello, can someone check if there's anything malicious in this log? Thank you in advance!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:04, on 6.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Rising\AntiSpyware\rstray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Käyttäjä\My Documents\7tukz883.exe
C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\RarSFX0\l24uap.exe
C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\RarSFX0\q64kjXP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Rising PC Doctor - {98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} - C:\WINDOWS\system32\UrlFilter.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\AntiSpyware\RunOnce.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231841782203
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E4F500BF-C1A3-11D6-9697-0090961B771E} (VCR.Scan) - http://www.viruschaser.com/Kor/vc4w_ocx/Vcrscan.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5595/mcfscan.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: kmon.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0313721260024275) (0313721260024275mcinstcleanup) - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\031372~1.EXE (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CXZTK - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\CXZTK.exe (file missing)
O23 - Service: CY - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\CY.exe (file missing)
O23 - Service: HZOCWYSUYO - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\HZOCWYSUYO.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JQBG - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\JQBG.exe (file missing)
O23 - Service: LHHL - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\LHHL.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: RJPIC - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\RJPIC.exe (file missing)
O23 - Service: RQTY - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\RQTY.exe (file missing)
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: TRHOSDLO - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\TRHOSDLO.exe (file missing)

--
End of file - 9546 bytes


dsilvers (Groupie)
Posted: 06 December 2009 at 9:17pm
You have a number of services and .exe files running from a .tmp folder.  If I don't miss my guess, they are mostly leftovers from rkr.  You can use sc delete to remove them if they are Sysinternals files.  Some appear related to Dr.Web and Lavasoft.  I assume you have or have had them installed at one time. If they are rkr leftovers they will be manual start.

Have a look here:  http://forum.sysinternals.com/forum_posts.asp?TID=1650&PN=1

You have about every scanner known installed or have used it in the past.  Pick one and uninstall the others.  They can conflict with each other.

Edit for clarity


Edited by dsilvers - 06 December 2009 at 9:20pm
Bomb123 (Senior Member)
Posted: 08 December 2009 at 11:22am
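An added example (not from the thread, not part of HijackThis) that applies the triage dsilvers describes above to an HJT log: it flags O23 service entries and running processes that live under a Temp folder, and "file missing" service entries that are stale registrations, naming the service key that `sc delete` would need. The regexes, helper names and the `SAMPLE_LOG` layout are my own; the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis log for the pattern raised in the thread: services and
executables living under a Temp folder, and "file missing" service entries."""
import re

# O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Plain absolute paths as printed under "Running processes:"
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
# Trailing "(short name)" that sc.exe needs; some HJT lines omit it
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)$")
# 8.3 and long forms of the per-user and system Temp folders
TEMP_MARKERS = ("\\LOCALS~1\\TEMP", "\\LOCAL SETTINGS\\TEMP", "\\WINDOWS\\TEMP")

def in_temp(path):
    """True if the path sits under a user or system Temp folder."""
    return any(marker in path.upper() for marker in TEMP_MARKERS)

def service_key(display):
    """Name to pass to `sc delete`: the parenthesised short name if present, else the display name."""
    m = SHORT_NAME_RE.search(display)
    return m.group("short") if m else display

def triage(log_text):
    """Return [(line, [reasons])] for O23 and process lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O23_RE.match(line)
        if m:
            if in_temp(m.group("path")):
                reasons.append("service binary registered from a Temp folder")
            if m.group("missing"):
                reasons.append("binary missing (stale registration); once confirmed a leftover, "
                               'remove with: sc delete "%s"' % service_key(m.group("name")))
            if m.group("owner") == "Unknown owner" and reasons:
                reasons.append("no publisher recorded")
        elif PROC_RE.match(line) and in_temp(line):
            reasons.append("process running from a Temp folder")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample: a few lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\RarSFX0\l24uap.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: CXZTK - Unknown owner - C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp\CXZTK.exe (file missing)
O23 - Service: Moon Secure Antivirus Core (msav) - Unknown owner - C:\Program Files\Moon Secure Antivirus\msavcore.exe (file missing)
"""
```

Run `triage(open("hijackthis.log").read())` against a full log; a "file missing" hit is only a stale registry entry, while a Temp-folder binary that still exists deserves a hash lookup before removal.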
Yeah, I have used many AV and anti-rootkit programs; I will remove those entries. Did you see anything malicious in the log?
dsilvers (Groupie)
Posted: 08 December 2009 at 9:32pm
Is this thread at Malwarebytes your post?

http://www.malwarebytes.org/forums/index.php?s=1e9b966959730b6f3e5c91c22351332e&showtopic=32702&pid=166632&st=0&#entry166632

The temp file paths are the same as in your HijackThis log, C:\DOCUME~1\KYTTJ~1\LOCALS~1\Temp.  Many of the same weird services running from a temp file.  If it is your post it would be better to continue your pursuit in that thread and not have two or more people tied up looking at logs.  Trying to follow instructions from multiple sources will just confuse you.

For the record, I don't see anything malicious.  You are running something called Virus Chaser from Malaysia.  I am not familiar with it, and in today's time there is absolutely no reason to be involved with an unknown AV.  Antivir, Avast, AVG: all free, all legitimate and respected players in the security world; pick one and dump the rest.  Malwarebytes is a good on-demand scanner.  If any of the applications you have installed have an uninstaller or clean-up file on their web site, run it.  AVs are notorious for not uninstalling cleanly.

I have not seen any of those fake AVs you experienced in that Malwarebytes thread infect someone without user interaction.  If you indeed closed the browser with Task Manager it did not install.  Torrents can be a cesspool of infections.
Bomb123 (Senior Member)
Posted: 13 December 2009 at 4:46pm
I confess that's me. I archived the whole Downloaded Program Files folder and sent it to virustotal.com. This is what the scanners detected: http://www.virustotal.com/analisis/7c82ebbe3358ebca577c0154afcac471d08a35c22c0bee661f256514994f4673-1260722222

Spyware Doctor also found a .sys file in the drivers directory that it detected as Backdoor.Bagle or something like that; also, something like 20 scanners detected it when I uploaded it to virustotal.com. The file properties say it belongs to the AVZ tool.
http://www.virustotal.com/analisis/7ae9aae77884ac0baa2f8168b3ed4de0c0c9834a42d8e5a775f47a2c66cec237-1260722663


Bomb123 (Senior Member)
Posted: 13 December 2009 at 5:02pm
Well, I removed the Virus Chaser and the "file missing" entries with the HijackThis program. I have them stored in my malicious file storage, though.
dsilvers (Groupie)
Posted: 14 December 2009 at 12:42am
If a rootkit were hiding your Bagle infection, chances are a HijackThis log would not reveal the infection.
Bomb123 (Senior Member)
Posted: 14 December 2009 at 7:24am

Originally posted by dsilvers:

If a rootkit were hiding your Bagle infection, chances are a HijackThis log would not reveal the infection.


I'm not sure it was really a rootkit, because I have used only this legitimate tool http://www.z-oleg.com/secur/avz/ and the file had all the information and said it's made by Z-Oleg and everything like that. Could it be that those detections were false positives? Anyway, I removed it, but it truly sucks if it's really true that my computer was infected, even though I have been waiting to find some malware on my computer for a very long time. It could be that the Virus Chaser was malicious or something, because there was, for example, the F-Secure detection in the Downloaded Program Files...
Bomb123 (Senior Member)
Posted: 14 December 2009 at 8:54am
It was not long ago that I created a blog account at Okayblogs.net, and that site said it was powered by thoughts.com, where it then directed me after creating the blog, and it ain't no Okayblog, it's a thoughts.com blog. Well, I posted my "high class" blog entries sometimes, when suddenly this one guy sent me a private message stating that spamming is not allowed at thoughts.com, and I had not sent any spam there. Then I posted a message in his blog for revenge stating that spamming is not allowed at thoughts.com, and then I received a death threat from someone called PhantomAvengers saying that he will skin me alive if I mess with his friend's blog again, and his friend called me a fool and a little worm and told me to get a life...

Edited by Bomb123 - 14 December 2009 at 8:55am
Bomb123 (Senior Member)
Posted: 14 December 2009 at 8:57am
I'm not sure if my computer was used to hack this guy's blog, because I went to his blog and there was a text added below his blog avatar which read "Obviously crap". Anyway, I had nothing to do with it. Anyway, that user PhantomAvengers' blog was removed. I think that Trend Micro should add some kind of rootkit detector to their HijackThis program.


Edited by Bomb123 - 14 December 2009 at 8:59am