hijackthis.log - Help

Discussion in 'adware, spyware & hijack cleaning' started by izi, Mar 22, 2004.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Here is my hijackthis.log. I have used Ad-aware 6 and Spybot - Search & Destroy. Could someone tell me more about HotFixQ0306270.exe. Is this a trojan or something else?


    Logfile of HijackThis v1.97.7
    Scan saved at 18:19:50, on 22.3.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\PL15Co2K.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\WINDOWS\webshots.scr
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\HotFixQ0306270.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Izi/My%20Documents/index.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Najdi.si - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {69C84F03-837A-4A66-8B03-6584687207A3} (NajdiSiToolbarInstallCheck Class) - http://www.najdi.si/toolbar/najdisitoolbar.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38038.0609606481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBAE5E9-11B5-455F-B0C0-31110B8AA40F}: NameServer = 192.168.0.1
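    The checks the replies below make by hand (is the running process tied to any autostart entry, where did the Najdi.si BHO/toolbar pair come from, what is the O10 line about) can be scripted against this log format. The following is an added example, not code from the thread or from HijackThis: the sample lines are a constructed subset of the log above, the regexes follow the v1.97.7 layout shown here, and the function names and the `ignore` list are mine.

```python
"""Triage helpers for HijackThis v1.97-style logs. Added example, not code from
the thread or from HijackThis; SAMPLE_LOG is a constructed subset of the posted log."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\PL15Co2K.exe
C:\\Program Files\\Eset\\nod32kui.exe
C:\\WINDOWS\\System32\\HotFixQ0306270.exe
C:\\HijackThis.exe

O2 - BHO: (no name) - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\\WINDOWS\\DOWNLO~1\\NAJDIS~1.DLL
O3 - Toolbar: Najdi.si - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\\WINDOWS\\DOWNLO~1\\NAJDIS~1.DLL
O4 - HKLM\\..\\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {69C84F03-837A-4A66-8B03-6584687207A3} (NajdiSiToolbarInstallCheck Class) - http://www.najdi.si/toolbar/najdisitoolbar.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)$")

def _o4_path(cmd):
    """Executable from an O4 command line: the quoted path if present, else
    everything up to the first .exe (unquoted paths with spaces are common)."""
    q = re.match(r'"([^"]+)"|(.*?\.exe)', cmd, re.IGNORECASE)
    return (q.group(1) or q.group(2)) if q else cmd

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Return (running_processes, entries); each entry carries the section
    code, the raw body, the upper-cased CLSID if any, and a best-effort path
    (for O16 that is the download URL)."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            o4 = O4_RE.search(body)
            path = _o4_path(o4.group("cmd")) if o4 else None
        else:
            path = body.rsplit(" - ", 1)[1] if " - " in body else None
        clsid = CLSID_RE.search(body)
        entries.append({"section": sec, "body": body, "path": path,
                        "clsid": clsid.group(0).upper() if clsid else None})
    return processes, entries

def processes_without_autostart(processes, entries,
                                ignore=("smss.exe", "hijackthis.exe")):
    """Running executables with no O4 (Run key or Startup folder) entry, so
    something else launched them: a parent process, a service, or an autostart
    location this HijackThis version does not list. `ignore` is illustrative;
    real triage keeps a full list of core OS binaries."""
    started = {_basename(e["path"]) for e in entries
               if e["section"] == "O4" and e["path"]}
    return [p for p in processes
            if _basename(p) not in started and _basename(p) not in ignore]

def shared_clsids(entries):
    """CLSID -> sorted section codes, for CLSIDs registered in more than one
    section (one DLL installed as both a BHO and a toolbar, for instance)."""
    seen = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            seen[e["clsid"]].add(e["section"])
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}

def dpf_hosts(entries):
    """Hosts the O16 ActiveX controls were downloaded from."""
    return sorted({urlsplit(e["path"]).hostname for e in entries
                   if e["section"] == "O16" and e["path"]})

def missing_lsps(entries):
    """LSP DLLs that O10 reports missing from the Winsock chain."""
    return [m.group(1) for e in entries if e["section"] == "O10"
            for m in [re.search(r"'([^']+)' missing", e["body"])] if m]
```

    Run on the sample, `processes_without_autostart` returns only HotFixQ0306270.exe: it is running, yet no Run key or Startup entry in the log starts it, so whatever launched it is not among the locations this log shows. `shared_clsids` returns the one Najdi.si CLSID under both O2 and O3, `dpf_hosts` lists www.najdi.si next to download.macromedia.com, and `missing_lsps` returns imon.dll. None of this says whether a file is malicious; it only tells the triager where to look next.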
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    At first glance it looks like a Windows hotfix that has got stuck, but I cannot find any trace of that number on the M$ site.

    That makes me very suspicious

    I would zip it and send it to samples@nod32.com with a short note for their examination.

    You could also try to upload it to http://www.kaspersky.com/remoteviruschk.html and see what KAV says about it.

    If the online KAV says it's OK, submit it to them as well at newvirus@kaspersky.com.
    Post back with the findings and we can advise better from there.

    In the meantime I would rename the file from HotFixQ0306270.exe to HotFixQ0306270.old to prevent it running, just in case it is bad. If it turns out to be a needed file for some strange reason (unlikely) it's easy to rename it back again.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've looked at the file you sent me. It seems to be something to do with a Prolific card reader, from what I can see looking at the file.

    I am not an expert though, and would still advise you to send it to both NOD & Kaspersky, who have some of the best analysts around and will definitely confirm whether it is bad or not.
     
  4. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Reply from KAV virus analyst:

    File is clear.
    No virus code detected.


    Izi

    PS: File sent at 19:26, response at 21:09.
    Still waiting for a response from ESET.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,439
    Location:
    Netherlands
    Hi Izi,

    Where did you get these from?
    O2 - BHO: (no name) - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL

    O3 - Toolbar: Najdi.si - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL

    Just curious,

    Pieter
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,439
    Location:
    Netherlands
    Thanks Izi,

    Added: http://www.sysinfo.org/bholist.php?filter=najdi&count=&type=edit

    Regards,

    Pieter
     
  8. CCon

    CCon Guest

    Hi, I have the file too, and after a binary examination... it belongs to a USB stick, "Prolific Technology Inc."

    Konny
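    The "binary examination" that turned up the Prolific name is, in practice, a strings pass over the file. As an added example (not code posted in the thread and not the real HotFixQ0306270.exe), here is a minimal strings extractor in Python that also decodes UTF-16LE, because the CompanyName and FileDescription fields in a PE file's version resource are stored as UTF-16LE and an ASCII-only `strings` run does not show them. The byte blob is constructed to stand in for a slice of a PE file, and the function names are mine.

```python
"""Minimal strings(1)-style extractor that also finds UTF-16LE text. Added
example, not from the thread; build_sample() is a constructed stand-in, not
the real HotFixQ0306270.exe."""
import re

def extract_strings(data, min_len=6):
    """Sorted (offset, encoding, text) for every run of at least min_len
    printable ASCII characters, found both as 8-bit text and as UTF-16LE."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE ASCII text is each printable byte followed by a NUL byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)

def version_field(data, key):
    """Value that follows a VERSIONINFO key such as CompanyName: the next
    UTF-16LE string after the key. Padding between key and value is skipped
    because it contains no printable text; a malformed resource can fool this."""
    strings = extract_strings(data)
    for i, (_, enc, text) in enumerate(strings):
        if enc == "utf-16le" and text == key:
            for _, enc2, text2 in strings[i + 1:]:
                if enc2 == "utf-16le":
                    return text2
    return None

def build_sample():
    """Constructed stand-in for part of a PE file: DOS stub text in ASCII,
    non-printable noise, a VERSIONINFO-style block in UTF-16LE, a section name."""
    blob = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n$"
    blob += bytes(range(0, 32)) + bytes(range(128, 160))
    for key, val in (("CompanyName", "Prolific Technology Inc."),
                     ("FileDescription", "Constructed sample")):
        blob += key.encode("utf-16le") + b"\x00\x00"
        blob += val.encode("utf-16le") + b"\x00\x00"
    return blob + b"\x00" * 8 + b".rdata\x00\x00"
```

    On a real file, pass `open(path, "rb").read()` to `extract_strings`. On the sample, the ASCII pass finds only the DOS stub message and the section name; the vendor string appears solely in the UTF-16LE pass. A vendor name in a resource proves nothing by itself, since anyone can write "Prolific Technology Inc." into a version block, which is why the thread still sends the file to the AV labs.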
     