HijackThis Log

Hi all

I tryed to find a similar Log on this forum, but unfortunately...
Can anyone help to clean my PC ?
The log I have is:

Logfile of HijackThis v1.97.7
Scan saved at 21:16:47, on 2004.06.08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender Professional Edition\vsserv.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera75\opera.exe
C:\Downloads\software\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic Agent\Web\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lt/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Name\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38035.4486226852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F24A9C5-2C62-4BE6-8233-67F45EA45583}: NameServer = 192.168.1.1



Thanks

 

Also when I tryed to fix with Spybot S&D these files (below), nothing was changed after rebooting. Are these files dangerous? And what is next steps fixing them?
-------------------------------------------------------------------------
ossible extension hijack: Default executable handler (Registry change, nothing done)
HKEY_CLASSES_ROOT\exefile\shell\open\command\!="%1" %*

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1060284298-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-25 Includes\Cookies.sbi
2004-05-29 Includes\Dialer.sbi
2004-05-28 Includes\Hijackers.sbi
2004-05-28 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-28 Includes\Malware.sbi
2004-05-04 Includes\Revision.sbi
2004-04-12 Includes\Security.sbi
2004-05-28 Includes\Spybots.sbi
2004-05-24 Includes\Tracks.uti
2004-05-28 Includes\Trojans.sbi
----------------------------------------------------------------------

Any ideas?

 

Hi Paul_,

Nothing to worry about.
Here is some reading: http://forums.net-integration.net/index.php?showtopic=15308

Regards,

Pieter

 

Hi Pieter,

Thanks for helping me.
Like I understand, everyting is ok. Or is there any suspicious with my Logfile of HijackThis v1.97.7?

Because in evenigs I have some trobles (PC restart without any notice, work with Word files is very slow (CPU running 100%, HDD is busy too)). When I try to look running processes with Task Manager (the procentage use for curent programs and histogram CPU load) the load normalize. If I minimaizing Task Manager the load of CPU increasing again.
NOD32 (antivirus program) can't open 4 files.
Ad-aware 6 can't finnish scan process (it scanning too long in my opinion).
I don't think that it is hardware problem. More posible software problems (spyware, worms and viruses).

Please Help

 

Have you tried using all the possible scan methods: the Smart system-scan and the select drives option in AdAware?

I see nothing suspicious in your log. You stated the CPU load normalized when you open TaskManager. Have you tried keeping that minimized in the systray and see what happens then?
It could be that happens just because you stop doing something else.

Regards,

Pieter

 

Hi Pieter,

>Have you tried using all the possible scan methods: the Smart system-scan >and the select drives option in AdAware?

Yes. Today it found something (see log):

ArchiveData(auto-quarantine- 10-06-2004 12-20-47.bckp)
======================================================

WINDOWS
ÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆÆ
obj[0]=RegData : exefile\shell\open\command

AND I blocked:

Ad-watch Logfile, exported on 2004.06.10
Total number of events:1
===============================================
2004.06.10 11:08:11 - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\exefile\shell\open\command
Value:
Data:%1 %*
New Data:"%1" %*

Possible browser hijack attempt (Blocked)

===============================================

>You stated the CPU load normalized when you open TaskManager. Have you >tried keeping that minimized in the systray and see what happens then?

Yes, the CPU load normalized when I open TaskManager => Processes, but when I tried keeping that minimized in the systray suddenly the CPU load increased to 100%. It was like a game, I maximaizing TaskManager => Processes the CPU load normalize, when I minimize it CPU load inreased to 100%. ("DU meter" didn't show any internet traffic). If I stay TaskManager => Processes minimized, the CPU load stays in same 100% for ~5min (but I didn't worked with any progam)
I thought that it could be a smart spyware or something like that, which uses my PC resources and reboots or increases CPU load. I have never seen that things in my all life before. It's very strange.

>It could be that happens just because you stop doing something else.

You mean normalizes the CPU load when I stop doing something else?
No.
Thats why I interested in my log.
More info (hardware):
I am using 1.1GHz Copermine(Celeron), MB A-trend, 192MB, Baraccuda 40GB 7200rpm, GF3 TI 200 64MB, SB Creative AWE 64.

I am going to opinion, that finally I will need to format C:\ .

Thank you Pieter for a help

 

Hi Paul_,

A program able to do that would have to be the "most sophisticated" of all spyware.
Have a look here: http://bagpuss.swan.ac.uk/comms/hxdef.htm

Regards,

Pieter

 

Hi Pieter,

I used your suggestion and with Rootkit Detector v0.6.2 found 1 suspicious file: sockspy.dll
After deleting it in safe mode, everything seems normal. (at least now)


Thanks Pieter, You are real expert.