Press F1 forum, thread 88486: Hijackthis analysis: why wasn't it picked up by other utilities?
Started 2008-03-29 02:53:00 by utopian201 (6245)
Post 653870 | 2008-03-29 02:53:00 | utopian201 (6245)

Hi

A few weeks ago, I posted that my email account had been used to spam everyone on my contact list. I ran the latest version of Spybot Search & Destroy, Ad-Aware 2007 (with all updates) and the latest version of AVG, but none of those found anything.

After browsing the Search & Destroy system start-up details, I came across the entry below in bold, which Spybot identified as being linked to several worms. Because it isn't linked to a file, does that mean it is safe to delete? I've run it through some online analysers, which say "no file" objects are safe to remove. Are there any other obvious bad entries here (Speedy? any ideas? :D)

My question is then, why wasn't this picked up by the programs I tested with? I only found this using a manual eye scan...

================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:28 p.m., on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
D:\KMaestro\KMaestro.exe
D:\Norton Internet Security\IAMAPP.EXE
D:\NORTON~1\navapw32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Norton AntiVirus\navapsvc.exe
D:\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
D:\Norton Internet Security\SymProxySvc.exe
D:\UPHClean\uphclean.exe
D:\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CNAC4RPK.EXE
D:\Mozilla Thunderbird\thunderbird.exe
D:\Spybot - Search & Destroy\SpybotSD.exe
D:\Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
D:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FLASHGET\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FLASHGET\getflash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BtcMaestro] D:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iamapp] D:\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{48866084-9EA2-4C2F-95E2-E4299D264B06}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Ad-Aware 2007\aawservice.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Norton Internet Security\SymProxySvc.exe

--
End of file - 4944 bytes
===================
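The question in this post (why did no scanner flag the entry) comes down to what a file-based scanner has to work with: an O2 line ending in "(no file)" is a Browser Helper Object CLSID still registered in the registry whose DLL is gone, so there is nothing on disk to hash or signature-match. The script below, an added example that is not part of the original post and not code from HijackThis or Spybot, parses a HijackThis 2.x log the way the layout above suggests (a "Running processes:" block of bare paths, then "Rn/On - body" entries) and flags four things a reviewer would check by eye: orphaned "(no file)" CLSIDs, an Internet Explorer proxy pointing at 127.0.0.1 (the R1 line in this log), svchost.exe running from anywhere other than System32, and the rpcapd remote-capture service listed under O23. The sample log is a constructed subset of the lines posted above plus one constructed process line (C:\WINDOWS\svchost.exe) that is NOT in the poster's log and exists only to exercise the svchost check.

```python
"""Triage a HijackThis 2.x log for the patterns discussed in this thread.

Added example, not part of the original post and not HijackThis/Spybot code.
The parsing rules are an assumption about the log layout visible in the thread:
a "Running processes:" block of bare paths, then entries of the form
"<Rn|On> - <body>".
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines taken from the log posted above, plus ONE
# constructed line (C:\WINDOWS\svchost.exe) that is NOT in the real log and is
# here only to exercise the svchost location check.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\svchost.exe
D:\\Norton Internet Security\\SymProxySvc.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\\Program Files\\WinPcap\\rpcapd.exe
"""

ENTRY_RE = re.compile(r"^(R\d+|O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# The genuine Service Host on NT-family Windows lives in the System32 folder.
LEGIT_SVCHOST_DIR = "\\system32"


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into (running process paths, [(section, body), ...])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text: str) -> List[Dict[str, str]]:
    """Return findings a human reviewer should look at, with the reason for each."""
    findings: List[Dict[str, str]] = []
    processes, entries = parse_log(text)

    for path in processes:
        folder, _, name = path.rpartition("\\")
        if name.lower() == "svchost.exe" and not folder.lower().endswith(LEGIT_SVCHOST_DIR):
            findings.append({
                "kind": "svchost_outside_system32",
                "detail": path,
                "why": "svchost.exe running from anywhere but System32 is not the Windows binary",
            })

    for section, body in entries:
        if body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            findings.append({
                "kind": "orphan_clsid",
                "section": section,
                "clsid": m.group(0) if m else "",
                "detail": body,
                "why": ("registry key points at a DLL that no longer exists; file-based "
                        "scanners have nothing to hash, so they will not flag it; "
                        "deleting the key removes the only trace"),
            })
        elif section == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            if proxy.startswith(("127.0.0.1", "localhost")):
                findings.append({
                    "kind": "local_proxy",
                    "section": section,
                    "detail": proxy,
                    "why": ("IE sends its traffic through a local listener; identify the "
                            "owning process (netstat -ano) before deciding whether it is "
                            "a security suite or something hijacking the browser"),
                })
        elif section == "O23" and "(rpcapd)" in body:
            findings.append({
                "kind": "remote_capture_service",
                "section": section,
                "detail": body,
                "why": ("rpcapd is WinPcap's remote packet capture daemon, a network "
                        "listener that should not run unless deliberately enabled"),
            })
    return findings


def kinds(findings: List[Dict[str, str]]) -> List[str]:
    """Sorted finding kinds, convenient for a quick summary."""
    return sorted(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}\n    {f['why']}")
```

Run against the full log above (paste it into SAMPLE_LOG), the svchost check stays silent because both svchost.exe entries are under System32; the orphan CLSID, the 127.0.0.1:8080 proxy and the rpcapd service are what come back, and each of those is a "go and look" item rather than a verdict.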
Post 653871 | 2008-03-29 03:16:00 | drcspy (146)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Well, I can't see that that particular BHO is of any consequence, as HJT says "no file"........
Post 653872 | 2008-03-29 03:20:00 | pctek (84)

> Hi
> I ran the latest version of Spybot Search & Destroy, but none of those found anything. After browsing the Search & Destroy system start-up details, I came across the entry below in bold, which Spybot identified as being linked to several worms.
> My question is then, why wasn't this picked up by the programs I tested with? I only found this using a manual eye scan...
> O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

That would be because there isn't a file for Spybot to find?

And you say Spybot didn't find it, then you say it linked it to several worms.

And you can't run 2 anti-virus programs. Get rid of Norton's.
Post 653873 | 2008-03-29 03:23:00 | Speedy Gonzales (78)

Where's AVG, if you used it? Did you uninstall it before posting this? lol

You can tick these, then tick Fix checked. Close browsers.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

WHAT version of NIS is this??

If you mean this: {7E853D72-626A-48EC-A868-BA8D5E23E045}

According to the Spybot forum (forums.spybot.info) it's safe. So if Spybot detected it as something, it must have been a false +.

Uninstall ALL versions of Java while you're at it; yours is out of date. Link is in my sig.
Post 653874 | 2008-03-29 03:27:00 | utopian201 (6245)

Hi, thanks for your responses. I looked in Spybot's system start-up tools, and for that particular entry it said:

Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: system32.exe
Description: Added by the _AGOBOT-KU_ WORM! Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
____________________
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: pathex.exe
Description: Added by the _MKMOOSE-A_ WORM! Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
____________________
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: svchost.exe
Description: Added by the _DELF-UX_ TROJAN! Note - this is not the legitimate _svchost.exe_ process which is always located in the System (9x/Me) or System32 (NT/2K/XP) folder and should not normally figure in Msconfig/Startup! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
____________________
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: MSPF.EXE
Description: Added by a variant of the _SDBOT_ WORM! This file is located in the Winnt or Windows folder. Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
____________________
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: dllvirtual.exe
Description: Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
____________________
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: dllvirtual.dll
Description: Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
____________________
Current filename:
Database status: Not required - virus, spyware, malware or other resource hog
Value:
Filename: dllvirtual.js
Description: Added by the _DADOBRA-IW_ TROJAN! Note - has a blank entry under the Startup Item/Name field
Source: Paul Collins Startup list
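Every database row Spybot showed for this one entry carries the same remark, "has a blank entry under the Startup Item/Name field", and the HijackThis line being looked up is itself "(no name)" with "(no file)". That is the shape of a lookup keyed on a blank field: an empty key matches every row whose key is also empty, and seven unrelated worm and trojan rows come back for an entry that launches nothing. The example below is added here and is not Spybot's code; the matching rule it models is an assumption drawn from those "blank entry" notes, and the database is a constructed subset of the rows quoted above plus one constructed control row (NvCplDaemon) with a real name. It shows the naive lookup beside one that refuses to match on a blank key and requires the launched file to agree.

```python
"""Why a start-up entry with a blank name can appear "linked to several worms".

Added example, not Spybot's code. It assumes (from the "Note - has a blank
entry under the Startup Item/Name field" remarks in the post above) that the
start-up database is keyed on the Startup Item/Name field and that the HJT
entry "(no name) ... (no file)" was looked up with an empty name and no file.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StartupEntry:
    name: str      # Startup Item/Name field in the database
    filename: str  # file the entry launches
    note: str      # database description


# Constructed subset of the database rows quoted above; every one has a blank
# Startup Item/Name field. The NvCplDaemon row is a constructed control entry
# with a real name, so a blank lookup can be shown never to reach it.
DATABASE: List[StartupEntry] = [
    StartupEntry("", "system32.exe", "Added by the AGOBOT-KU WORM!"),
    StartupEntry("", "pathex.exe", "Added by the MKMOOSE-A WORM!"),
    StartupEntry("", "svchost.exe", "Added by the DELF-UX TROJAN! (not the System32 svchost.exe)"),
    StartupEntry("", "MSPF.EXE", "Added by a variant of the SDBOT WORM!"),
    StartupEntry("", "dllvirtual.exe", "Added by the DADOBRA-IW TROJAN!"),
    StartupEntry("", "dllvirtual.dll", "Added by the DADOBRA-IW TROJAN!"),
    StartupEntry("", "dllvirtual.js", "Added by the DADOBRA-IW TROJAN!"),
    StartupEntry("NvCplDaemon", "NvCpl.dll", "NVIDIA display control panel loader"),
]


def match_by_name(name: str, db: List[StartupEntry] = DATABASE) -> List[StartupEntry]:
    """Naive lookup keyed only on the name field.

    An empty name is not rejected, so it silently acts as a wildcard over every
    row whose name is also blank. That is how an entry with no file at all can
    come back "linked to" several unrelated worms.
    """
    return [e for e in db if e.name.casefold() == name.casefold()]


def match_by_name_and_file(name: str, filename: Optional[str],
                           db: List[StartupEntry] = DATABASE) -> List[StartupEntry]:
    """Hardened lookup.

    A blank key with no file is never a match (there is nothing to compare),
    and when a file is known the row's launched file must agree with it.
    """
    if not name.strip() and not filename:
        return []
    return [e for e in db
            if e.name.casefold() == name.casefold()
            and (filename is None or e.filename.casefold() == filename.casefold())]


def distinct_notes(matches: List[StartupEntry]) -> List[str]:
    """Distinct database descriptions, in first-seen order, for display."""
    seen: List[str] = []
    for e in matches:
        if e.note not in seen:
            seen.append(e.note)
    return seen


if __name__ == "__main__":
    naive = match_by_name("")
    print(f"naive lookup of a blank name: {len(naive)} rows")
    for note in distinct_notes(naive):
        print("   ", note)
    print(f"hardened lookup, blank name and no file: {len(match_by_name_and_file('', None))} rows")
    print(f"hardened lookup, blank name but svchost.exe on disk: "
          f"{len(match_by_name_and_file('', 'svchost.exe'))} row(s)")
```

The hardened lookup still fires when there is a real file to compare (a blank-name entry that launches svchost.exe from outside System32 matches the DELF-UX row), so the fix is not "ignore blank names" but "never let an empty key match on its own".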
Post 653875 | 2008-03-29 03:33:00 | Speedy Gonzales (78)

And are these files on the HDD then, since they're not in this HJT log? Have you got a Canon printer or something?
Post 653876 | 2008-03-29 03:48:00 | utopian201 (6245)

Yes, I have a Canon printer attached to another PC on a network. How did you know? The only thing I can see that would indicate that is CNAC4RPK.EXE.

The only file in that list is svchost.exe, in:
C:\WINDOWS\system32\svchost.exe and
C:\WINDOWS\ServicePackFiles\i386\svchost.exe

OK, I'm at the point of considering a complete wipe-out and restore image (the image was created immediately after a clean install of XP, so I'm reasonably certain it is a good image).

Currently I have running a firewall, antivirus program and sometimes run Spybot S&D and Ad-Aware. Are there any other programs I should be running? Also, do antivirus programs protect against trojans and worms or only viruses?
Post 653877 | 2008-03-29 03:52:00 | utopian201 (6245)

Also, is it correct that firewalls 'protect' from trojans and worms in that they can stop them from creating outbound connections?
Post 653878 | 2008-03-29 04:05:00 | Speedy Gonzales (78)

Yup, if you tell it to. You have to be careful about blocking svchost, however, as this also deals with Windows processes. Block it, and whatever needs or uses it may stop updating or working.

svchost.exe is a Windows file, which is why it's in the SP's folder. Although some trojans and worms do use that file to spread or infect it.

Most virus scanners should deal with trojans, worms etc., i.e. Avast Home, Avirt and a few others which are free, or NOD32 and the ones you have to pay for.