My HIJACKTHISLOG file
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
vijaykarthik123
Logfile of HijackThis v1.99.0
Scan saved at 7:01:06 AM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SaferZone\DefCon Pro\ConfSvc.exe
C:\Program Files\SaferZone\DefCon Pro\SZDcEngn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\Oracle\Ora81\bin\oradim.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\SaferZone\DefCon Pro\SZMQ.exe
C:\Program Files\TCOstream\client\tsrvctl_nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\Program Files\TCOstream\client\tclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.geocities.com/brutecode
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{351631D0-601C-431F-938F-378722267168}: NameServer = 202.54.6.50
O23 - Service: ConfService - Unknown - C:\Program Files\SaferZone\DefCon Pro\ConfSvc.exe
O23 - Service: iSeries Access for Windows Remote Command - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DCEngine - SaferZone Inc. - C:\Program Files\SaferZone\DefCon Pro\SZDcEngn.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleOraHome81Agent - oracle - C:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Unknown - C:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81TNSListener - Unknown - C:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLEDB - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - C:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: Xpoint PCRadmin Server - Unknown - C:\PROGRA~1\Xpoint\PE\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control - Unknown - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: System Loader - Medialand, Inc - C:\WINDOWS\System32\SysLoader.exe
O23 - Service: SZMQ - Unknown - C:\Program Files\SaferZone\DefCon Pro\SZMQ.exe
O23 - Service: TCO!stream Client Service - Medialand, Inc. - C:\Program Files\TCOstream\client\tclient.exe
O23 - Service: TCO!stream Control Service - Medialand, Inc - C:\Program Files\TCOstream\client\tsrvctl_nt.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Xpoint Admin Server - Unknown - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server - Unknown - C:\PROGRA~1\Xpoint\agent\Xpagent.exe
LoPhatPhuud
Your log looks ok.

What problems are you having? Please provide as much information as possible.
vijaykarthik123
Recently I got a virus named BRUTECODE@YAHOO.COM on my PC which automatically changes my registry value for RECYCLE BIN to BRUTECODE@YAHOO.COM and also changes the default home page of my IE. This has not yet been quarantined even by MS office scan or Symantec NAV 2005. But they had given the side effects. So would you please give me a remedy?
LoPhatPhuud
Try one of the following online scans. They are usually current with exploits.

Please go here and do an AV scan at one (preferably two) of the following:
Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx


Have you scanned your disk, including archives, with your AntiVirus? Be sure you have the most recent definitions before you do.


For your HomePage:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HiJackThis:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.geocities.com/brutecode

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.
Run HiJackThis again and post a new log in this thread.
vijaykarthik123
This is my second log file, which was generated as you said.


Logfile of HijackThis v1.99.0
Scan saved at 3:48:42 PM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SaferZone\DefCon Pro\ConfSvc.exe
C:\Program Files\SaferZone\DefCon Pro\SZDcEngn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\Oracle\Ora81\bin\oradim.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\SaferZone\DefCon Pro\SZMQ.exe
C:\Program Files\TCOstream\client\tsrvctl_nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
C:\PROGRA~1\Xpoint\agent\Xpagent.exe
C:\PROGRA~1\Xpoint\EEClient\xpclient.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\TCOstream\client\tclient.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{351631D0-601C-431F-938F-378722267168}: NameServer = 202.54.6.50
O23 - Service: ConfService - Unknown - C:\Program Files\SaferZone\DefCon Pro\ConfSvc.exe
O23 - Service: iSeries Access for Windows Remote Command - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DCEngine - SaferZone Inc. - C:\Program Files\SaferZone\DefCon Pro\SZDcEngn.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OracleOraHome81Agent - oracle - C:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Unknown - C:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81TNSListener - Unknown - C:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceORACLEDB - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - C:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: Xpoint PCRadmin Server - Unknown - C:\PROGRA~1\Xpoint\PE\pcradmin.exe
O23 - Service: IBM PSA Access Driver Control - Unknown - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: System Loader - Medialand, Inc - C:\WINDOWS\System32\SysLoader.exe
O23 - Service: SZMQ - Unknown - C:\Program Files\SaferZone\DefCon Pro\SZMQ.exe
O23 - Service: TCO!stream Client Service - Medialand, Inc. - C:\Program Files\TCOstream\client\tclient.exe
O23 - Service: TCO!stream Control Service - Medialand, Inc - C:\Program Files\TCOstream\client\tsrvctl_nt.exe
O23 - Service: OfficeScanNT Listener - Unknown - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Xpoint Admin Server - Unknown - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe
O23 - Service: Xpoint Agent Server - Unknown - C:\PROGRA~1\Xpoint\agent\Xpagent.exe
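As an added example (not part of the original thread, and not code from HijackThis or its author): a small Python triage script for the log format shown above. It parses the `Rn`/`Onn` entry lines, flags an R0/R1 start-page URL whose host is outside a trusted list, marks O17 NameServer overrides and O23 services with an "Unknown" vendor for manual review, and diffs two logs to confirm what "Fix checked" removed. The sample logs are constructed from a few lines of the two posted logs; the `TRUSTED_URL_HOSTS` list is an assumption for the example, not a HijackThis default.

```python
import re
from urllib.parse import urlparse

# One HijackThis entry line: a section code (R0-R3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")

# Hosts a default IE start/search page is normally allowed to point at.
# Assumption for this example; extend it for a managed environment.
TRUSTED_URL_HOSTS = {"microsoft.com", "msn.com"}

# Constructed sample: a handful of entries taken from the two logs posted above.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Scan saved at 7:01:06 AM, on 2/6/2005
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.geocities.com/brutecode
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{351631D0-601C-431F-938F-378722267168}: NameServer = 202.54.6.50
O23 - Service: ConfService - Unknown - C:\Program Files\SaferZone\DefCon Pro\ConfSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Scan saved at 3:48:42 PM, on 2/6/2005
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{351631D0-601C-431F-938F-378722267168}: NameServer = 202.54.6.50
O23 - Service: ConfService - Unknown - C:\Program Files\SaferZone\DefCon Pro\ConfSvc.exe
O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
"""


def parse_log(text):
    """Return the entry lines of a HijackThis log as (section, body, raw) tuples.

    Header lines and the 'Running processes' list do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        raw = line.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def host_is_trusted(url):
    """True if the URL's host is one of TRUSTED_URL_HOSTS or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_URL_HOSTS)


def triage(text):
    """Flag entries in a HijackThis log. Returns a list of (severity, section, reason, raw)."""
    findings = []
    for section, body, raw in parse_log(text):
        if section in ("R0", "R1"):
            # Body looks like "HKCU\...,ShellNext = http://..."; keep any '=' inside the URL.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            if url.startswith("http") and not host_is_trusted(url):
                findings.append(("fix", section, "start/search page points at an untrusted host", raw))
        elif section == "O17":
            # A NameServer override is normal on a corporate LAN, but DNS hijacks live here too.
            findings.append(("review", section, "DNS server set in registry; confirm it is your ISP or corporate resolver", raw))
        elif section == "O23" and " - Unknown - " in body:
            findings.append(("review", section, "service binary has no recognised vendor; check its path and signature", raw))
    return findings


def entries_removed(before, after):
    """Entry lines present in the first log but absent from the second, i.e. what 'Fix checked' removed."""
    after_raw = {raw for _, _, raw in parse_log(after)}
    return [raw for _, _, raw in parse_log(before) if raw not in after_raw]


if __name__ == "__main__":
    for severity, section, reason, raw in triage(LOG_BEFORE):
        print(f"[{severity:6}] {section}: {reason}\n         {raw}")
    print("Removed by fix:", entries_removed(LOG_BEFORE, LOG_AFTER))
```

Run against the two logs in this thread, the only `fix`-level finding is the R1 ShellNext entry pointing at geocities.com, which is exactly the line the helper asked to fix, and it is the only entry missing from the second log. The O17 and O23 findings are review items, not verdicts: the 202.54.6.50 resolver and the "Unknown"-vendor services are consistent with a managed corporate build (Oracle, OfficeScan, Xpoint), which is why the helper's "your log looks ok" is reasonable once the R1 line is gone.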