HijackThis - Log Analysis

Discussion in 'adware, spyware & hijack cleaning' started by Jerry48, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. Jerry48

    Jerry48 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    3
    I have run Spybot-S&D, PestPatrol and AdAware, removing all discoveries they presented. Yet a certain problem persists and returns intermittently; it is CWS, see http://pestpatrol.com/PestInfo/c/cws.asp

    My pc sys info is as follows:

    System Information report written at: 06/12/2004 09:35:53 AM

    [System Summary]

    Item                      Value
    OS Name                   Microsoft Windows 2000 Professional
    Version                   5.0.2195 Service Pack 4 Build 2195
    OS Manufacturer           Microsoft Corporation
    System Manufacturer       TYAN
    System Model              S1854 Trinity 400
    System Type               X86-based PC
    Processor                 x86 Family 6 Model 8 Stepping 6 GenuineIntel ~999 Mhz
    BIOS Version              Award Modular BIOS v4.51PG
    Windows Directory         C:\WINNT
    System Directory          C:\WINNT\system32
    Boot Device               \Device\Harddisk0\Partition1
    Total Physical Memory     1,048,048 KB
    Available Physical Memory 623,128 KB
    Total Virtual Memory      3,569,912 KB
    Available Virtual Memory  2,830,496 KB
    Page File Space           2,521,864 KB
    Page File                 C:\pagefile.sys


    Once a trusted confirmation is accomplished, I will make an image of my system. :rolleyes:

    Please, analyze my HijackThis Log for me. I will forever be in your debt. *puppy*

    Logfile of HijackThis v1.97.7
    Scan saved at 12:59:34 PM, on 6/12/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\GEARSec.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\LIUtilities\WinTasks\wintasks.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\QuickPopup\QuickPopup.exe
    C:\Program Files\Atom Timer\AtomT.exe
    C:\Program Files\LIUtilities\SpeedUpMyPC\helper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\LIUtilities\WinTasks\wintasks.exe traybar
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [SpeedUpMyPC] C:\Program Files\LIUtilities\SpeedUpMyPC\SpeedUpMyPC.exe traybar
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: AtomTimer.lnk = C:\Program Files\Atom Timer\AtomT.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickPopup.lnk = C:\Program Files\QuickPopup\QuickPopup.exe
    O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
    O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O15 - Trusted Zone: https://www.wilderssecurity.com
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38133.396724537
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab


    NOTE: I'm curiously untrusting :doubt: of this last line:

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
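The post above is a raw HijackThis log, and reading one by hand means sorting entries by section code and picking out the handful that deserve a closer look. As an added example (not code from the thread, from HijackThis, or from the poster), the Python script below parses entry lines of that shape into structured records and flags the kinds a log reviewer usually checks first: an O2 BHO with no backing file, an O16 ActiveX download from a host outside an expected list, an R1 proxy-bypass list, and O15 Trusted Zone additions. The embedded log is a constructed excerpt modelled on the posted log; the expected-host set, the `Entry` record and all function names are assumptions of the example, not HijackThis rules.

```python
"""Sort a HijackThis log by entry type and flag entries that merit review.

Added example for the thread; it is not part of HijackThis. The sample
log is a constructed excerpt modelled on the log posted above.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample, modelled on the thread's log (raw string: backslashes are literal).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O15 - Trusted Zone: https://www.wilderssecurity.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
"""

# A HijackThis entry line: a section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Hosts this reviewer expects to see delivering O16 (ActiveX download) CABs.
# Assumption of the example, not a HijackThis rule; adjust to the environment.
EXPECTED_DPF_HOSTS = {"office.microsoft.com", "v4.windowsupdate.microsoft.com"}


@dataclass
class Entry:
    code: str  # section code such as "O16"
    body: str  # everything after "O16 - "


def parse_log(text):
    """Return the entry lines of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def dpf_url(body):
    """Extract the download URL from an O16 body: 'DPF: {clsid} (name) - http://...'."""
    _, _, url = body.rpartition(" - ")
    return url.strip()


def triage(entries):
    """Return (code, reason, body) tuples for entries a reviewer should look at first."""
    findings = []
    for e in entries:
        if e.code == "O2" and e.body.endswith("(no file)"):
            findings.append((e.code, "BHO registration with no backing file", e.body))
        elif e.code == "O16":
            host = urlparse(dpf_url(e.body)).hostname or ""
            if host not in EXPECTED_DPF_HOSTS:
                findings.append((e.code, f"ActiveX download from unexpected host {host}", e.body))
        elif e.code == "R1" and "ProxyOverride" in e.body:
            findings.append((e.code, "proxy bypass list is set; confirm each host is intended", e.body))
        elif e.code == "O15":
            findings.append((e.code, "site added to IE Trusted Zone; confirm it is intended", e.body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_log(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {body}")
```

Run against the sample, the script surfaces the same four lines a human reviewer would pause on, including the gamespot.com O16 entry the poster singled out, while leaving the Microsoft update CABs and the ordinary O4 Run entries alone. The point is not that a flagged line is malicious but that it is worth a second look before the poster makes the system image.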
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Jerry !

    Welcome to Wilders ! :)

    Jerry, in order to accurately assess your problem, you need to elaborate on it more. It will help immensely if you are able to shed some more light on your problem. Also, there are various types of CWS infections, so be specific about it.

    Lastly, let us know what the findings of Adware / Spybot S&D / PestPatrol were.

    With Thanks !
    Newkid !
     
  3. Jerry48

    Jerry48 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    3
    To elaborate, I'm having no bad report from the findings of Adware / Spybot S&D / PestPatrol at this time. No problems exist at this time at all. I am only interested in whether anything in my HijackThis logfile is found to be in error, suspicious, and/or threatening prior to my creating an excellent image of my system to burn on a DVD. :rolleyes: The CWS is intermittently occurring, with no example to relate at this time other than the web page PestPatrol referred me to, i.e., http://pestpatrol.com/PestInfo/c/cws.asp.

    Please help me with your expertise if at all possible.

     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Jerry !

    Your log looks clean to me. :)

    As you said, CWS is intermittently occurring, so I guess you have not downloaded the ByteVerify vulnerability patch, which is how you got infected in the first place.

    CWS installs through the ByteVerify bug in the Microsoft Java Virtual Machine. Go download the ByteVerify patch from Microsoft.com.

    Also, I'd recommend you have a look at an article worth reading:

    Why did I get infected in the first place?

    With Thanks !
    Newkid !
     
  5. Jerry48

    Jerry48 Registered Member

    Joined:
    Jun 11, 2004
    Posts:
    3
  6. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Jerry !

    Please post a fresh hijackthis log.

    With thanks !
    Newkid !
     