hijackthis.log - Help

Discussion in 'adware, spyware & hijack cleaning' started by izi, Mar 22, 2004.

Thread Status:
Not open for further replies.
  1. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Here is my hijackthis.log. I have used Ad-aware 6 and Spybot - Search & Destroy. Could someone tell me more about HotFixQ0306270.exe. Is this a trojan or something else?


    Logfile of HijackThis v1.97.7
    Scan saved at 18:19:50, on 22.3.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\PL15Co2K.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    C:\WINDOWS\webshots.scr
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\HotFixQ0306270.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Izi/My%20Documents/index.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 CE\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Najdi.si - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {69C84F03-837A-4A66-8B03-6584687207A3} (NajdiSiToolbarInstallCheck Class) - http://www.najdi.si/toolbar/najdisitoolbar.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38038.0609606481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBAE5E9-11B5-455F-B0C0-31110B8AA40F}: NameServer = 192.168.0.1
     
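The triage the thread does by eye, written out as an added example (not code from the thread or from HijackThis): correlate the "Running processes" section of a HijackThis log with its O4 autostart entries and list the processes that no visible autostart entry explains. The log text is a constructed, shortened copy of the one posted above, and CORE is an assumed allowlist of Windows XP system processes that never carry O4 entries.

```python
import re

# Constructed, shortened excerpt of the HijackThis v1.97.7 log posted above (same format).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\PL15Co2K.exe
C:\\Program Files\\Eset\\nod32kui.exe
C:\\WINDOWS\\System32\\HotFixQ0306270.exe
C:\\HijackThis.exe

O4 - HKLM\\..\\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - Startup: Webshots.lnk = C:\\Program Files\\Webshots\\Launcher.exe
"""

# Assumed allowlist: core XP processes (never O4 entries) plus the scanner itself.
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
        "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "hijackthis.exe"}

# Picks the executable's base name out of a command, whether quoted, pathless or with arguments.
EXE_RE = re.compile(r'[^\\"]+\.exe', re.IGNORECASE)
# O4 lines come in two shapes: "O4 - <hive>\..\Run: [name] <command>" and "O4 - Startup: <lnk> = <path>".
O4_RE = re.compile(r"^O4 - (?:Startup: .*? = |.*?: \[[^\]]*\] )(.*)$")


def parse_log(text):
    """Return (running process paths, lower-case exe names referenced by O4 entries)."""
    running, autostart, in_procs = [], set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # the section ends at the first blank line
            if line:
                running.append(line)
            else:
                in_procs = False
            continue
        m = O4_RE.match(line)
        if m:
            exes = EXE_RE.findall(m.group(1))
            if exes:
                autostart.add(exes[0].lower())
    return running, autostart


def unexplained_processes(text):
    """Running processes with neither an O4 autostart entry nor a place on the CORE allowlist."""
    running, autostart = parse_log(text)
    # Compare by base name: O4 entries may be pathless (PL15Co2K.exe) while the process shows a full path.
    return [p for p in running if p.rsplit("\\", 1)[-1].lower() not in autostart | CORE]


if __name__ == "__main__":
    for path in unexplained_processes(SAMPLE_LOG):
        print("no visible autostart entry:", path)
```

An unexplained process is a question for the analyst, not a verdict: the thread's own answer is that this one belonged to a Prolific card reader, which is why the advice is to submit the sample to AV vendors rather than delete it.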
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    At first glance it looks like a Windows hotfix that has got stuck, but I cannot find any trace of that number on the M$ site.

    That makes me very suspicious.

    I would zip it and send it to samples@nod32.com with a short note for their examination.

    You could also try to upload it to http://www.kaspersky.com/remoteviruschk.html and see what KAV says about it.

    If the online KAV says it's OK, submit it to them as well at newvirus@kaspersky.com.
    Post back with the findings and we can advise better from there.

    In the meantime I would rename the file from HotFixQ0306270.exe to HotFixQ0306270.old to prevent it running, just in case it is bad. If it turns out to be a needed file for some strange reason (unlikely) it's easy to rename back again.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I've looked at the file you sent me. It seems to be something to do with a Prolific card reader, from what I can see looking at the file.

    I am not an expert though and would still advise you to send it to both NOD & Kaspersky, who have some of the best analysts around and will definitely confirm if it is bad or not.
     
  4. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Reply from KAV virus analyst:

    File is clear.
    No virus code detected.


    Izi

    PS: File sent at 19:26, response at 21:09.
    Still waiting for a response from ESET.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Izi,

    Where did you get these from?
    O2 - BHO: (no name) - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL

    O3 - Toolbar: Najdi.si - {442599A9-EB41-4F1F-B999-737BC587F314} - C:\WINDOWS\DOWNLO~1\NAJDIS~1.DLL

    Just curious,

    Pieter
     
  6. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Thanks Izi,

    Added: http://www.sysinfo.org/bholist.php?filter=najdi&count=&type=edit

    Regards,

    Pieter
     
  8. CCon

    CCon Guest

    Hi, I have the file too, and after a binary examination... it belongs to a USB stick ("Prolific Technology Inc.").

    Konny
     