Press F1 forum, thread 81302: My Hijackthis log needs analysing.
Started 2007-07-23 09:32:00 by *Sparky* (311)

Post 571804 | 2007-07-23 09:32:00 | *Sparky* (311)

Any hijackthis experts help appreciated. Does everything look ok?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:33 p.m., on 23/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
D:\PC Tools\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\mdm.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PC Tools\PC Tools Firewall Plus\FirewallGUI.exe
D:\PC Tools\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Downloads\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.nzcity.co.nz/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PCTOOL~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\System32\mdm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [00PCTFW] "D:\PC Tools\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [Microsoft Office] C:\WINDOWS\System32\mdm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PC Tools\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - www.pcpitstop.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{577C6D54-D6B3-445C-AAD9-73DC87DD5715}: NameServer = 210.55.12.1 210.55.12.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Disk Volume Shadow Copy (dvssf) - Unknown owner - C:\WINDOWS\system32\dvssvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\PC Tools\PC Tools Firewall Plus\FWService.exe

--
End of file - 4725 bytes

Post 571805 | 2007-07-23 09:44:00 | Jen (38)

What sort of problems are you seeing that raises this suspicion?

Copy and paste the entire log into this (www.hijackthis.de). The only alert that shows is:
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe (file missing)

Any reason why you do not have SP2 or have updated IE?

The automatic log analyser isn't perfect, but gives you a fair idea on what is happening, and you should be familiar with what is a valid program or not. Some of the others will no doubt give the log a going over. :)

Post 571806 | 2007-07-23 10:02:00 | Speedy Gonzales (78)

Run HJT again, tick these entries, then tick "Fix checked". Close browser/s.

This isn't nasty:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

This looks like it belongs to a Worm (www.sophos.com):
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe (file missing)

I would also get Trojan Remover, in my sig: install it, update it, then click on scan. See if it picks anything up.

It looks like this worm is also known as:
* W32/RAHack
* Exploit-DcomRpc.gen

The Sophos site says this is a worm, but the Symantec site says it's a trojan (www.symantec.com) under its other name.

I don't know what this belongs to. I don't think it's part of XP.
O23 - Service: Disk Volume Shadow Copy (dvssf) - Unknown owner - C:\WINDOWS\system32\dvssvc.exe (file missing)

After you tick the above, I would update Windows.

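The replies above apply three checks by hand: O23 service entries with "Unknown owner" and a "(file missing)" binary, orphaned hooks such as the R3 URLSearchHook pointing at "(no file)", and a platform line showing Windows XP below SP2. The script below, added here as a worked example and not part of the thread, of HijackThis or of hijackthis.de, automates exactly those checks over HijackThis log text. The sample lines are excerpted from the log posted at the top of this thread; the `Finding` class, the `triage` and `lines_to_fix` helpers and the severity labels are this example's own choices, not HijackThis output.

```python
import re
from dataclasses import dataclass

# Sample input: lines excerpted verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Disk Volume Shadow Copy (dvssf) - Unknown owner - C:\WINDOWS\system32\dvssvc.exe (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\PC Tools\PC Tools Firewall Plus\FWService.exe
"""

# "O23 - Service: <display name> (<service name>) - <owner> - <image path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
# "Platform: Windows XP SP1 (WinNT 5.01.2600)"
PLATFORM_RE = re.compile(r"^Platform: Windows (?P<ver>\S+) SP(?P<sp>\d+)")
# URLSearchHook whose CLSID no longer resolves to a file on disk.
R3_NOFILE_RE = re.compile(r"^R3 - URLSearchHook: .+ - \(no file\)$")


@dataclass
class Finding:
    section: str   # HijackThis section prefix (Platform, R3, O23)
    severity: str  # this example's own label: info / low / medium / high
    entry: str     # the raw log line, as it would be ticked in HijackThis
    reason: str


def parse_o23(line):
    """Split an O23 service line into its fields; None if not an O23 line."""
    m = O23_RE.match(line)
    if not m:
        return None
    svc = m.groupdict()
    svc["file_missing"] = svc["path"].endswith("(file missing)")
    return svc


def triage(log_text):
    """Return the findings a human reviewer would raise on this log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PLATFORM_RE.match(line)
        if m and m.group("ver") == "XP" and int(m.group("sp")) < 2:
            findings.append(Finding("Platform", "info", line,
                                    "Windows XP below Service Pack 2; update Windows"))
            continue

        if R3_NOFILE_RE.match(line):
            findings.append(Finding("R3", "low", line,
                                    "URLSearchHook points at no file; orphaned entry, safe to fix"))
            continue

        svc = parse_o23(line)
        if svc:
            reasons = []
            if svc["owner"] == "Unknown owner":
                reasons.append("no vendor recorded")
            if svc["file_missing"]:
                reasons.append("binary missing from disk")
            if reasons:
                # Both together is the pattern the replies treated as malware residue.
                severity = "high" if len(reasons) == 2 else "medium"
                findings.append(Finding("O23", severity, line,
                                        "service %s: %s" % (svc["name"], "; ".join(reasons))))
    return findings


def lines_to_fix(findings):
    """Entries to tick before 'Fix checked'; the platform note is advice, not an entry."""
    return [f.entry for f in findings if f.section != "Platform"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s: %s" % (f.severity, f.section, f.reason))
```

Run against the full log, this reproduces the hijackthis.de alert on urdvxc.exe and Speedy's second pick, dvssvc.exe, while leaving the AVG, Google and PC Tools services alone because they carry a vendor and an existing binary. Treat the output as a starting list, not a verdict: a service whose file is missing cannot be scanned, so identification still has to come from a signature source such as the Sophos or Symantec pages cited above.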
Post 571807 | 2007-07-23 10:36:00 | *Sparky* (311)

Thanks Speedy, I knew I could rely on you for some informative help. I'll try the things you mentioned and report back. Cheers.

Post 571808 | 2007-07-23 10:42:00 | Speedy Gonzales (78)

No worries, HTH :)

Post 571809 | 2007-07-23 11:20:00 | *Sparky* (311)

Ran Trojan Remover and it found the two you were talking about, i.e. urdvxc.exe and dvssvc.exe. Have removed them and fixed those two hijack thingees. Will see now if this machine behaves a bit better. Thanks again.