
Some New Objects in HijackThis I do not recognise


This topic is locked
4 replies to this topic

#1 epichero (New Member, 3 posts)

Posted 04 July 2004 - 06:44 AM

There are no immediate threats to my computer so don't spend too much time on me, unless necessary, as I know you guys volunteer.

Stumbled across porn pop-ups downloading things off of Kazaa Lite...
After which I was doing my nightly scans with AVG, Ad-Aware, SpyBot, Memory Watcher etc. and noticed these two new registries in HijackThis..

I don't know a whole lot about this kind of thing, so any help would be useful. Thanks.

Here is my log file:


Logfile of HijackThis v1.97.7
Scan saved at 4:32:52 AM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\BUILDB~1\Internet Keep.exe
C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\STUART WATT\Desktop\Folder that fixes shit\HJT.exe
C:\Program Files\Internet Explorer\iexplore.exe

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Pile Tick] C:\PROGRA~1\BUILDB~1\Internet Keep.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

#2 epichero (New Member, 3 posts)

Posted 04 July 2004 - 08:26 AM

I know you guys are busy, but I know you've taken a look at this as well... so a reply would be welcomed..
Thanks

#3 mjp65aa (Full Member, 128 posts)

Posted 04 July 2004 - 09:26 AM

epichero,

There are many people in training on this site who will look at every log as a means to learn more about logs and how to fix them. As part of the rules, trainees are not supposed to respond even if they think they know how to fix it until they have passed a test and been approved. Many other people read the logs to see if they can get insight into their own malware problems. As soon as somebody qualified reads your log who knows how to help you, you will get a response. You should not, however, feel neglected if you get many views and no help. That is just part of how this site works. :D
mjp65

#4 epichero (New Member, 3 posts)

Posted 06 July 2004 - 12:30 AM

Oh, and I know, m8, I've been using the site for a while under a different username.. The only problem I have is that I'll post something on here, knowing full well that it takes time... but slowly my topic will phase out towards page 4 and never get answered..

It's been 2-3 days now since I've posted, and gotten nowhere...That's my only point. ;)

Ep

Edited by epichero, 06 July 2004 - 12:30 AM.


#5 Budfred (Malware Hound, Administrators, 21,305 posts)

Posted 11 July 2004 - 03:22 PM

The fact that someone has viewed your thread doesn't mean anything since anyone can view it whether they are qualified to do fixes or not...

There is one malware item here and a couple of clues about where it came from... KazaaLite is a cracked program, meaning it is illegal and it opens the door to malware even if it is not installing malware the way Kazaa does... The whole Kazaa network is riddled with malware and if you use it, you are almost certain to get infected... I strongly urge that you get rid of it and look into alternatives if you perceive a need to do file sharing... Here are choices:

http://www.spywarein...m/articles/p2p/

Also, the MemoryWatcher people are the ones who created the Peper trojan and I would avoid them as much as possible... You do not have a Peper infection right now and it is a good idea to keep it that way...

In this log you have a new LOP infection and a rather nasty trojan... Please close all open windows and browsers, open HJT and mark/fix:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [Pile Tick] C:\PROGRA~1\BUILDB~1\Internet Keep.exe

Then reboot to Safe Mode and delete this file and folder:

C:\WINDOWS\system32\fservice.exe
C:\PROGRA~1\BUILDB~1\Internet Keep.exe

It would be a good idea to download the trial version of TrojanHunter and run it to clean out the trojan... You will need to download it before booting to Safe Mode, but then it would be a good idea to run it in Safe Mode...

Then please reboot to Normal mode, download the latest version of HJT (1.98) and run it after closing all other windows and browsers, then post the new log here... You can download the new version here:

http://www.subratam.org/?page=removal
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
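Budfred's fix above rests on two checks a reader can apply to any HijackThis log: the Shell= line reported in F0/F2 should load only Explorer.exe, and every O4 Run entry should resolve to a program you recognise. The following is an added example, not code from the thread or from HijackThis itself, that parses those line types from a constructed sample in the same format and flags the same entries; the allowlist of known-good programs is an assumption the caller supplies.

```python
import re

# Constructed sample in HijackThis log format (same line types as in the thread);
# the Shell= hijack and the [Pile Tick] Run entry mirror the items the reply flags.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Pile Tick] C:\PROGRA~1\BUILDB~1\Internet Keep.exe
"""

SHELL_RE = re.compile(r"^(F0|F2) - (?:REG:)?system\.ini: Shell=(.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def shell_hijacks(log):
    """Return (section, extra_programs) for each Shell= line that loads anything
    besides Explorer.exe. Shell= is a space-separated program list, so a path
    containing spaces would need quoting; the sample has none."""
    hits = []
    for line in log.splitlines():
        m = SHELL_RE.match(line.strip())
        if m:
            extra = [p for p in m.group(2).split() if p.lower() != "explorer.exe"]
            if extra:
                hits.append((m.group(1), extra))
    return hits


def run_entries(log):
    """Parse O4 Run entries into (hive, value_name, image_path, arguments)."""
    out = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.groups()
        if cmd.startswith('"'):                      # quoted path, args follow the quote
            path, _, args = cmd[1:].partition('"')
        else:                                        # unquoted: path ends at first ".exe"
            i = cmd.lower().find(".exe")
            path, args = (cmd[:i + 4], cmd[i + 4:]) if i >= 0 else (cmd, "")
        out.append((hive, name, path, args.strip()))
    return out


def files_to_review(log, allowlist):
    """Paths loaded via a Shell= hijack or by a Run entry whose image is not on the
    (assumed) known-good allowlist; compared case-insensitively as Windows does."""
    allowed = {p.lower() for p in allowlist}
    paths = {p for _, extra in shell_hijacks(log) for p in extra}
    paths |= {e[2] for e in run_entries(log) if e[2].lower() not in allowed}
    return sorted(paths)
```

The result of `files_to_review` is the list of files to inspect before any deletion; a Shell= value of exactly `Explorer.exe` produces no Shell hit.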