Help - Search - Members - Calendar
Full Version: am I infected
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
ediber
May 19 2006, 11:45 AM
Logfile of HijackThis v1.99.1
Scan saved at 14:29:10, on 19/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FDF\FAST2.EXE
E:\programs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128960887062
O17 - HKLM\System\CCS\Services\Tcpip\..\{230C5354-6937-4807-8AF5-42B2AF2F2552}: NameServer = 212.143.212.143 194.90.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{230C5354-6937-4807-8AF5-42B2AF2F2552}: NameServer = 212.143.212.143 194.90.1.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{230C5354-6937-4807-8AF5-42B2AF2F2552}: NameServer = 194.90.1.5 212.143.212.143
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Bobbi Flekman
May 20 2006, 09:43 AM
Hi ediber,

Your log looks clean. Are you having problems?
ediber
May 20 2006, 11:28 AM
QUOTE (Bobbi Flekman @ May 20 2006, 09:43 AM) *
Hi ediber,

Your log looks clean. Are you having problems?



what is this line ? : O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

the pc restart once in a while without reasonable reason (rare but happens)
Bobbi Flekman
May 21 2006, 09:38 AM
QUOTE (ediber @ May 20 2006, 01:28 PM) *
what is this line ? : O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
This is part of Windows Genuine Advantage. The only problem with it is that the line appears to be misformed.

QUOTE
the pc restart once in a while without reasonable reason (rare but happens)
Is there a logic to it? Like... Does this happen when you run a cwertain program? Or after a set amount of time? does the computer simply restart, or does it go into a Blue Screen?
ediber
May 21 2006, 03:38 PM
QUOTE (Bobbi Flekman @ May 21 2006, 09:38 AM) *
QUOTE (ediber @ May 20 2006, 01:28 PM) *
what is this line ? : O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
This is part of Windows Genuine Advantage. The only problem with it is that the line appears to be misformed.

QUOTE
the pc restart once in a while without reasonable reason (rare but happens)
Is there a logic to it? Like... Does this happen when you run a cwertain program? Or after a set amount of time? does the computer simply restart, or does it go into a Blue Screen?


what is cwertain ?
the computer is simply restart and when it restart it start of the percent process and so on. and again rare but happens
Bobbi Flekman
May 22 2006, 10:18 AM
QUOTE (ediber @ May 21 2006, 05:38 PM) *
what is cwertain ?
A typo! cwertain = certain.
QUOTE
the computer is simply restart and when it restart it start of the percent process and so on. and again rare but happens
If it is rare, then it will be very hard to fix. I would need something to base a search on. So sorry, but I cannot help with this... :(
ediber
May 23 2006, 03:55 PM
thx anyway :)
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.