My "Hijack This" log...

I'm still trying to find the virus I inadvertently (dimly) invited onto my CPU yesterday (yesterday's "Program added without my knowledge" post?). I discovered the "HijackThis" program, which reveals all processes and gives you the choice to delete any that have been planted there against your will, if you are smart enough to know what belongs and what doesn't. Below is my log... is there anything there that is a definite known virus, or something that is extremely suspicious? Thanks.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\Promon.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\OpenOffice.org1.0.2\program\soffice.exe
C:\Program Files\IBM\Power Management Utility\console\status.exe
C:\WINDOWS\System32\mcshextm.exe
C:\WINDOWS\System32\tsdextsn.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IBM\Power Management Utility\Engine\paserver.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\alan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [mcshextm] C:\WINDOWS\System32\mcshextm.exe
O4 - HKLM\..\Run: [tsdextsn] C:\WINDOWS\System32\tsdextsn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - Startup: OpenOffice.org 1.0.2.lnk = C:\Program Files\OpenOffice.org1.0.2\program\quickstart.exe
O4 - Startup: Power Management Log Viewer.lnk = ?
O4 - Startup: Power Management Status Console.lnk = ?
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.lnk = C:\Corel\Graphics8\Programs\MFIndexer.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.2771643519
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
 
the other day someone pointed out to me that if you know the approximate time that you loaded something you can do a search around that time period and see which files were modified.
 
Quote from easyrider:

the other day someone pointed out to me that if you know the approximate time that you loaded something you can do a search around that time period and see which files were modified.

This seems like an excellent approach... does anyone know how to do this type of search?

Alan
 
Try a search of .exe files, then sort them according to date modified. Or you can hit Ctrl+Alt+Delete, which will bring up the processes or tasks running, and you can look through that to see if some weird program is running. Be careful with this approach, though.
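The "search around the time you loaded it" idea from the two posts above, as an added example that is not code from this thread or from HijackThis. It walks a directory tree, keeps only executable-type files (.exe, .dll, .ocx and similar), and lists those whose last-modified time falls within a window around the suspected infection time, oldest first. The incident time, file names and timestamps in the demo tree are constructed for illustration; point `find_recent_executables` at a real drive root to use it for the search the posters describe.

```python
"""Timeline triage: list executable-type files whose last-modified time falls
within a window around a suspected infection time, oldest first.

Added example; the sample tree it builds is constructed, not taken from the log.
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path

# File types worth a second look; broaden or narrow as needed.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".ocx", ".scr", ".sys", ".cab"}


@dataclass(frozen=True)
class Hit:
    path: Path
    modified: datetime
    size: int


def find_recent_executables(root, around, window, extensions=SUSPECT_EXTENSIONS):
    """Walk `root` and return Hits for files of the given types whose mtime is
    within `window` on either side of `around`, sorted oldest first.

    Only st_mtime is used. On Windows st_ctime is the creation time and makes a
    useful second column; on POSIX it is the inode-change time. Either stamp
    can be forged by the thing you are hunting, so a clean timeline is one
    piece of evidence, not proof.
    """
    lo, hi = around - window, around + window
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in extensions:
                continue
            try:
                st = p.stat()
            except OSError:  # unreadable or vanished mid-walk
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            if lo <= mtime <= hi:
                hits.append(Hit(p, mtime, st.st_size))
    hits.sort(key=lambda h: h.modified)
    return hits


def recent_names(root, around=None, hours=1.0):
    """Convenience wrapper: just the file names, oldest first."""
    around = INCIDENT if around is None else around
    return [h.path.name for h in find_recent_executables(root, around, timedelta(hours=hours))]


# Constructed incident time (assumption standing in for the poster's "yesterday").
INCIDENT = datetime(2004, 1, 15, 14, 30)


def build_demo_tree():
    """Create a throwaway directory tree with back-dated files. Names and
    timestamps are invented for the demo and describe no real malware."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    plan = {
        "WINDOWS/System32/oldsystem.dll": INCIDENT - timedelta(days=200),
        "WINDOWS/System32/dropped.exe": INCIDENT + timedelta(minutes=3),
        "WINDOWS/System32/dropped_helper.dll": INCIDENT + timedelta(minutes=5),
        "Program Files/Something/readme.txt": INCIDENT + timedelta(minutes=1),
        "Documents and Settings/alan/Desktop/HijackThis.exe": INCIDENT + timedelta(hours=20),
    }
    for rel, when in plan.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ" + rel.encode())  # placeholder content, not a real PE
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # back-date atime and mtime
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for h in find_recent_executables(demo_root, INCIDENT, timedelta(hours=1)):
        print(f"{h.modified:%Y-%m-%d %H:%M:%S}  {h.size:>8}  {h.path.relative_to(demo_root)}")
```

Run on a real machine as `find_recent_executables(Path("C:/"), datetime(2004, 1, 15, 14, 30), timedelta(hours=2))` with your own incident time. The window should be generous on both sides, since the remembered time is approximate, and the result is a candidate list to compare against the running-process list and the O4 startup entries, not a verdict.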
 
Why not just run a virus scan?
There are free web based ones on the net.

Also download and run Spybot to get rid of any
bullshit ad software that you accidentally installed
which is NOT considered a virus.

peace

axeman
 
Have you tried running spybot or ad-aware? They're free and would probably be the easiest way to find it. Be sure to update before you run it.
 
Quote from facultus:

PcPitstop has Gator which is spyware.......Did you intentionally install PC Pitstop? You might want to uninstall it.

Having GATOR would explain everything... it's one of the WORST offenders.

peace

axeman
 
Quote from axeman:

Why not just run a virus scan?
There are free web based ones on the net.

Also download and run Spybot to get rid of any
bullshit ad software that you accidentally installed
which is NOT considered a virus.

peace

axeman

I have run several virus scans, and I run both Ad-Aware and Spybot several times each day, but what I'm trying to find are two files which continue to show up as WERULE when PitStop.com scans my system for running processes. They are obviously described differently in the HijackThis log, but they should be there somewhere. I'm pretty sure this is a virus I downloaded yesterday. Thanks.

Alan
 