durgen
Cadet

 Joined: Sep 11, 2006 Posts: 3 Location: USA
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Mon Sep 11, 2006 7:23 pm Post subject:
Do you have the O2-BHO entry? _________________ Don't read? Can't learn!
durgen
Cadet

 Joined: Sep 11, 2006 Posts: 3 Location: USA
Posted: Mon Sep 11, 2006 8:01 pm Post subject:
Quote: Do you have the O2-BHO entry?
Greek?
What is the "O2-BHO entry"?
Are you talking about my ref log?
What is HKCU? Is it bad by nature?
Because I have read some, this poses more questions than when I was ignorant in this area, which causes me to spend more hours reading more.
I appreciate your response.
I am continuing to work down the prevention/removal list, as I am now on step 6, but want to make sure I am not deleting anything I need. Here is the log. Thanks again.
Logfile of HijackThis v1.99.1
Scan saved at 11:31:44 AM, on 9/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\norton antivirus 2006\navapsvc.exe
D:\Program Files\norton antivirus 2006\IWP\NPFMntor.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\webroot_spysweeper\Spy Sweeper\WRSSSDK.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ITE\Smart Guardian\ITESmart.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Documents and Settings\Administrator\My Documents\i-hate-keyloggers.exe
D:\OfficeJet 6200\Digital Imaging\bin\hpqtra08.exe
D:\OfficeJet 6200\Digital Imaging\bin\hpqgalry.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Hijackthis\HijackThis.exe
D:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\norton antivirus 2006\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\norton antivirus 2006\NavShExt.dll
O4 - HKLM\..\Run: [SmartGuardian] D:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [I-Hate-Keyloggers] D:\Documents and Settings\Administrator\My Documents\i-hate-keyloggers.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\OfficeJet 6200\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\OfficeJet 6200\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140400098324
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\norton antivirus 2006\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\norton antivirus 2006\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - D:\Program Files\norton antivirus 2006\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\webroot_spysweeper\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PCBruiser
SRT Team Lead
 Forums Admin
 Joined: May 11, 2005 Posts: 11723
Posted: Mon Sep 11, 2006 10:26 pm Post subject:
OK, you have several questions, and I have a couple of answers.
The O2-BHO question referred to this paragraph in the wiki:
Quote:
The following are symptoms of the Gromozon Rootkit in a HijackThis Log, but please be aware that they are not always present:
* R0 - HKCU/Software/Microsoft/Internet Explorer/Main,Local Page =
* R0 - HKLM/Software/Microsoft/Internet Explorer/Main,Local Page =
* R3 - Default URLSearchHook is missing
* O2 - BHO: Class - {1A06B098-0011-88C0-89F1-281F7413084A} - C:/WINDOWS/krctv1.dll (file missing)
Note: The O2 BHO entry is nearly always present and the biggest giveaway. Its file name is random but it will always take the form of **1.dll (where ** is a wildcard that represents random characters). The CLSID is also variable and though it says file missing, that is not the case.
HKCU is a reference to the registry hive that contains information about the current user - it is a normal part of your registry, along with HKLM, which is the registry hive for your local machine, plus others. The registry in NT-based OSes is not a single file, as most users think of it - it is made up of a number of individual files, which, when taken together, are called the "registry".
Do not remove anything unless the wiki specifically instructs you to do so. If you think an entry should be removed, but have not been instructed to do so, wait for one of the 1st Responders or Security Experts and then raise that concern with them. At the moment, there is no indication of Gromozon.
In addition, I think it would be useful to have this thread moved to our HJT Forum for further analysis. I have marked this thread to be moved by one of our moderators. Continue through the MRP and let one of our 1st Responders or Security Experts review your system. If they determine that you do have a rootkit that requires our assistance, you will then be referred back to this forum for more help. This way, you can have your system comprehensively and systematically cleaned of all malware and rootkits if there are any. _________________ Don't read? Can't learn!
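As an added example (not the forum's, the wiki's, or HijackThis's own code), the script below parses the O2 - BHO lines of a HijackThis log and applies the two indicators from the quoted wiki note: a DLL name of the form **1.dll and a "(file missing)" marker on the same entry. It assumes the line layout shown in the posted log ("O2 - BHO: name - {CLSID} - path [(file missing)]"); the sample input is constructed here from lines that appear on this page, with the two benign O2 entries from the posted log beside the wiki's Gromozon example.

```python
"""Flag HijackThis O2 (BHO) entries that match the Gromozon pattern quoted above.

Added example; the heuristic is derived from the quoted wiki note and is not
a HijackThis, CastleCops, or wiki tool.
"""
import re

# Constructed sample: two benign O2 lines copied from the posted log, the wiki's
# Gromozon example line, and one non-O2 line that the parser must ignore.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\adobe 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - D:\Program Files\norton antivirus 2006\NavShExt.dll
O2 - BHO: Class - {1A06B098-0011-88C0-89F1-281F7413084A} - C:/WINDOWS/krctv1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - D:\Program Files\norton antivirus 2006\NavShExt.dll
"""

# One O2 line: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?\s*$"
)

# The wiki's "**1.dll": any run of characters followed by the literal "1.dll".
GROMOZON_NAME = re.compile(r"^.*1\.dll$", re.IGNORECASE)


def parse_bho_entries(log_text):
    """Return a dict per O2 - BHO line found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        entries.append({
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": path,
            # HijackThis prints either separator; keep only the last component.
            "dll": re.split(r"[\\/]", path)[-1],
            "file_missing": m.group("missing") is not None,
        })
    return entries


def looks_like_gromozon(entry):
    """Both indicators from the wiki note must hold: *1.dll name and 'file missing'."""
    return entry["file_missing"] and GROMOZON_NAME.match(entry["dll"]) is not None


def scan_log(log_text):
    """Return only the O2 entries worth raising with a log analyst."""
    return [e for e in parse_bho_entries(log_text) if looks_like_gromozon(e)]


if __name__ == "__main__":
    for e in parse_bho_entries(SAMPLE_LOG):
        verdict = "SUSPECT" if looks_like_gromozon(e) else "ok"
        print(f"{verdict:7} {e['dll']:20} {{{e['clsid']}}}  missing={e['file_missing']}")
```

Run stand-alone, the two Adobe and Norton entries from the posted log come out "ok" and only the krctv1.dll line is flagged. A hit is a reason to raise the entry with a 1st Responder, as the post above says, not an instruction to remove it: a legitimate BHO whose DLL happens to end in "1" and has been uninstalled would match the same two indicators.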
Oodin
Colonel
 Premium Member
 Joined: Jul 19, 2004 Posts: 2678
Posted: Wed Sep 20, 2006 2:25 pm Post subject:
Thank you for your patience. If you still require help then we would ask you to:
1/ Ensure that you are using the latest version of HijackThis, which should be v1.99.1, and that it is running from a permanent folder (such as C:\HJT), rather than a temporary or desktop one. (Note: To create a new folder open Windows Explorer, click on File, select New then Folder. Type in the name of the new folder in the box provided and press Enter.)
You can download the latest version here, then unzip it to that permanent folder: HijackThis!
2/ Whilst you are waiting for an expert to examine your log, we recommend that you follow our Malware Removal and Prevention, a new system we have devised to enable users to either partially or fully clean their systems without the direct aid of an expert. Should you still require HJT assistance after completing malware removal, this step will eliminate the need for you to repeat these scans during your log analysis.
3/ Post a fresh post scan log into this thread (under my post right here). A lot can happen in a few days so a new scan log is important.
Please post any feedback on how easy you found it to follow the steps in our Malware Removal and Prevention in this same topic reply.
Your input will enable us to refine it for other users.
We thank you for your participation.
4/ Copy (the URL in your address-bar) and paste this link of your HijackThis Log thread into this page here:
/p629342-Unhandled_Logs.html#629342 <<-- Here, click it. Put the address URL of your HijackThis Log thread in that topic thread.
Do NOT post your address URL as a new topic.
.....and someone will help you ASAP!  _________________ Jon