Can someone confirm a few things


6 replies to this topic

#1 OFFLINE   englishmen

    Power Member

  • Members
  • 955 posts
  • Location:London, UK

Posted 01 August 2005 - 01:21 PM

I believe it is clean, but I am concerned about a few things. Can someone either confirm my worry or confirm they are safe? Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 14:09:42, on 01/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Installed Software\Avast Antivirus\aswUpdSv.exe
C:\Program Files\Installed Software\Avast Antivirus\ashServ.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\FireDaemon.exe
C:\WINDOWS\security\msagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\security\netclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\INSTAL~1\AVASTA~1\ashDisp.exe
C:\Program Files\Installed Software\ZoneAlarm\zlclient.exe
C:\Program Files\Installed Software\PeerGuardian2\pg2.exe
C:\Program Files\Installed Software\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Installed Software\Rainlendar\Rainlendar.exe
C:\Program Files\Installed Software\Avast Antivirus\ashWebSv.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Installed Software\Seti@Home\SETI@home.exe
C:\Program Files\Installed Software\Mozilla Firefox\firefox.exe
D:\Shared Documents\Free Or Open Source Software & Games\HijackThis (1.99.1)\HijackThis (1.99.1).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\INSTAL~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\INSTAL~1\AVASTA~1\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Installed Software\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\Installed Software\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Installed Software\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Installed Software\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119540975875
O17 - HKLM\System\CCS\Services\Tcpip\..\{6933693C-A036-4223-B8AA-E2F59C379B51}: NameServer = 62.241.162.200 158.43.240.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Installed Software\Avast Antivirus\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Installed Software\Avast Antivirus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Installed Software\Avast Antivirus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Installed Software\Avast Antivirus\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: FireDaemon Service: msagent (msagent) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

My concerns are as follows:

Why are there 2 of these?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

What is this?
O17 - HKLM\System\CCS\Services\Tcpip\..\{6933693C-A036-4223-B8AA-E2F59C379B51}: NameServer = 62.241.162.200 158.43.240.3

What are these?
O23 - Service: FireDaemon Service: msagent (msagent) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Sublime Solutions Pty Ltd - C:\WINDOWS\security\FireDaemon.exe

#2 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,874 posts
  • Gender:Male

Posted 01 August 2005 - 02:04 PM

Yeah, you have some bad entries in there. Try ewido and run the Trend Micro online scanner. Look at Djlizard's response here:
http://forum.CCleane...?showtopic=1766

#3 OFFLINE   oli

    Advanced Member

  • Members
  • 448 posts

Posted 01 August 2005 - 02:22 PM

O17 - HKLM\System\CCS\Services\Tcpip\..\{6933693C-A036-4223-B8AA-E2F59C379B51}: NameServer = 62.241.162.200 158.43.240.3

I have this as well, what is it? Except the IP is different.
Homer: I never apologise, I'm sorry Lisa. That's just the way I am

#4 OFFLINE   englishmen

    Power Member

  • Members
  • 955 posts
  • Location:London, UK

Posted 01 August 2005 - 04:11 PM

I scanned my PC via Trend Micro just yesterday and I scanned during boot-up via Avast this morning; no infections found. I also updated SpywareBlaster, Ad-Aware SE and Spybot yesterday and scanned with Ad-Aware SE and Spybot, and nothing.

#5 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,490 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 02 August 2005 - 12:10 AM

englishmen, on Aug 1 2005, 08:21 AM, said:

Why are there 2 of these?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


I suspect HKCU is the start-up page for the current user, and the HKLM one is the default one when you click to use the default start-up page to reset IE to its defaults.

englishmen, on Aug 1 2005, 08:21 AM, said:

What is this?
O17 - HKLM\System\CCS\Services\Tcpip\..\{6933693C-A036-4223-B8AA-E2F59C379B51}: NameServer = 62.241.162.200 158.43.240.3


HijackThis shouldn't be using abbreviations like "CCS" when the references "I believe" are actually in one of these or all of them:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip]

I also had the reference when I scanned with HijackThis. The confusing part is the IP address didn't match mine.
Complexity of incoherent design.

#6 OFFLINE   Mike Rochip

    Power Member

  • Members
  • 844 posts

Posted 09 August 2005 - 09:47 PM

Andavari, on Aug 1 2005, 06:10 PM, said:

I suspect HKCU is the start-up page for the current user, and the HKLM one is the default one when you click to use the default start-up page to reset IE to its defaults.

HijackThis shouldn't be using abbreviations like "CCS" when the references "I believe" are actually in one of these or all of them:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip]

I also had the reference when I scanned with HijackThis. The confusing part is the IP address didn't match mine.



Quote

What is this?
O17 - HKLM\System\CCS\Services\Tcpip\..\{6933693C-A036-4223-B8AA-E2F59C379B51}: NameServer = 62.241.162.200 158.43.240.3

I was reading a HJT tutorial here:

Tutorial

that said to input the addresses here:

Net tools

and if the IP is yours or your provider's it's OK to leave as is. Mine were from my provider.
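An added example, not from this thread or from HijackThis itself, that automates the check described above: it parses the O17 lines out of a HijackThis log and flags any NameServer address that is not inside the resolver networks you expect from your own provider. The sample log lines and the EXPECTED_RESOLVERS prefixes are constructed placeholders, not verified data about anyone's ISP.

```python
import ipaddress
import re

# HijackThis O17 lines: "CCS" is CurrentControlSet, "CSn" is ControlSet00n.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: (?P<name>\w+) = (?P<value>.*)$"
)

# Constructed sample: the O17 entry from this thread, plus a made-up second
# adapter whose resolver sits in a documentation range (TEST-NET-3).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6933693C-A036-4223-B8AA-E2F59C379B51}: NameServer = 62.241.162.200 158.43.240.3
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 203.0.113.7
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Assumed allow-list: the resolver networks your own ISP publishes. These two
# prefixes are placeholders derived from the thread's IPs, not verified data.
EXPECTED_RESOLVERS = ["62.241.162.0/24", "158.43.240.0/24"]


def parse_o17(log_text):
    """Return one dict per O17 line: control set, adapter GUID, value name, value."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def unexpected_resolvers(entries, expected_nets):
    """List NameServer tokens not inside any expected network, in log order.

    Tokens that do not parse as an IP address (e.g. a hostname) are flagged
    too, since a per-adapter NameServer value should be a plain address.
    """
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    flagged = []
    for e in entries:
        if e["name"] != "NameServer":
            continue
        for token in e["value"].split():
            try:
                ok = any(ipaddress.ip_address(token) in net for net in nets)
            except ValueError:
                ok = False
            if not ok and token not in flagged:
                flagged.append(token)
    return flagged


if __name__ == "__main__":
    for ip in unexpected_resolvers(parse_o17(SAMPLE_LOG), EXPECTED_RESOLVERS):
        print("resolver not in expected networks:", ip)
```

Anything it prints is worth looking up (a whois on the address) before deciding whether to let HijackThis fix the entry.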

#7 OFFLINE   englishmen

    Power Member

  • Members
  • 955 posts
  • Location:London, UK

Posted 24 August 2005 - 09:25 AM

Thanks for all the help guys