13 replies to this topic

[Capman]

Anyone spot anything dodgy in this.


Logfile of HijackThis v1.99.1
Scan saved at 22:18:27, on 30/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\4.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nlxiszhtaxtr.com/Chb2tjD9IOTS0e...6PIcxDj_aJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nlxiszhtaxtr.com/Chb2tjD9IOTS0e...6PIcxDj_aJ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [REGRUN] C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095959331765
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


It is off a friends computer that is definately infected.

[Tarun]

Generated by Tarun's HijackThis Converter v0.35 Beta.


Created registry value. Safe to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nlxiszhta...6PIcxDj_aJ.html

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

Created registry value. Safe to remove:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nlxiszhta...6PIcxDj_aJ.html

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Changed *.ini file value forced into registry. Safe to remove:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com

Enumeration of suspicious auto-loading registry entries. Safe to remove:
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [REGRUN] C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

Extra "Tools" menu items and buttons. Safe to remove:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

IE plugins for file extensions or MIME types. Safe to remove:
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Downloaded Program Files item. Safe to remove:
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab

Enumeration of NT Services. Safe to remove:
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

[Capman]

Thanks Tarun,

I chose to remove just these entries, they looked the most suspicious.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nlxiszhta...6PIcxDj_aJ.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nlxiszhta...6PIcxDj_aJ.html

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com

O4 - HKLM\..\Run: [REGRUN] C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\4.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) -

O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)

[DjLizard]

I'ma tell you again Tarun, cause you're my boy... I agree with McKenna that you should only recommend to remove things that are indeed malware. Just because they are optional does not mean you should suggest to remove *everything*. Most people that come here for a HJT log cleaning are going to checkmark literally everything you tell them to, without thinking about it. This is the unfortunate way that computer users work. They forget all about life and logic when they sit in front of an electronic box.

Stop it!

[Capman]

Had an email from the guy who's computer was infected, all seem's OK now thanks Tarun.

[Tarun]

DjLizard, on Jul 1 2005, 11:30 AM, said:

I'ma tell you again Tarun, cause you're my boy... I agree with McKenna that you should only recommend to remove things that are indeed malware.  Just because they are optional does not mean you should suggest to remove *everything*.  Most people that come here for a HJT log cleaning are going to checkmark literally everything you tell them to, without thinking about it.  This is the unfortunate way that computer users work.  They forget all about life and logic when they sit in front of an electronic box.

Stop it!

<{POST_SNAPBACK}>

Maybe I should just totally give up. No loss, eh?

[rridgely]

No Tarun dont give up. I like it when you tell us what the useless stuff that we have installed is. Besides if the person can read you have it clearly labeled if it's malicious or not.

[Tarun]

rridgely, on Jul 1 2005, 10:45 PM, said:

No Tarun dont give up. I like it when you tell us what the useless stuff that we have installed is. Besides if the person can read you have it clearly labeled if it's milicious or not.

<{POST_SNAPBACK}>

Even if I do give up, I still have my near-dead site anyways.

[rridgely]

Tarun I like your site and you have lots of great info there but it's hard to post their and here when its about the same people and less of them. To be honest if some of the people here like CaPman, Englishmen, Djlizard,ect would start to use your forum I could leave CCleaner. It's just hard to post both their and here when I will get less feedback there. The thing is that you have lots more topics at your forum so it could potentially become a huge community. I really like Dj's new site I have it subscribed on rss in firefox and I read the headlines and respond to the ones I want (I have yours on rss too ) What I think would be cool is if Mr.G would give this forum to you and make it part of your site and CCleaner so that people whould come here for CCleaner and join a great online community while theyre at it. Then you could make your site like Dj's and have a cool blog with all the new tech info and still have all of your stuff like your antimalware package and ff tweaks. Also I really like Jay's blog from your forum maybe he could join here too. That to me is what an ideal situation would be. What do you think? If this pisses you off sorry send me a PM and I will delete this and pretend I never brought it up.

[Tarun]

It's cool. Just kinda bums me that so few people post there. 200 members nearly and hardly 5% of them post. Oh well, maybe activity will pick up soon; I mean with 1000 hits a day.. It just doesn't make sense.

[rridgely]

Your right you would think that with that many hits you would get more members. Maybe what you did about only letting members access the downloads will help. Also you should try making your pc maintenace like that too so you will get more members. I'm sure it will pick up soon. I will try to start more topics in the news sections and stuff and see if that helps.

[hazelnut]

have just been reading all you thoughts on this matter and would like to add my own as a relativly new user. For me THIS site is ideal, it is easy to access, use and read because I am not an "expert" like you lot.The info I recieve here is so easy to apply. You make it so (so Tarun don't lose heart)
As to your site Tarun which I have just been looking at , I feel it is aimed a step higher than me, I would like to see a more simplyfied user interface which may invite more participation. But NEVER give up.
Hazelnut

[Capman]

Tarun, on Jul 2 2005, 03:15 AM, said:

Maybe I should just totally give up.  No loss, eh?

<{POST_SNAPBACK}>

I did actually mean to post the hijackthis log on your site, but I was in work and kept getting distracted, and just happened to post it in here somehow.

Give it time Tarun, your site will pick up.

What about a disclaimer at the top of your analysis stating that it is just making known what can be removed and that not all entries need to be removed, and that further scrutiny is required. Or am I talking a load of rubbish?

[Tarun]

CaPMan, on Jul 2 2005, 07:31 AM, said:

I did actually mean to post the hijackthis log on your site, but I was in work and kept getting distracted, and just happened to post it in here somehow.

Give it time Tarun, your site will pick up.

What about a disclaimer at the top of your analysis stating that it is just making known what can be removed and that not all entries need to be removed, and that further scrutiny is required. Or am I talking a load of rubbish?

<{POST_SNAPBACK}>

I suppose I could pop in a message that it's putting forth a message for an optimized system.