
Thread: Logfile analyzed?


  1. #1

    Logfile analyzed?

    Hi :]

    The PC I'm using has encountered a lot of malware/viruses, and I remembered this site from when I used to own a PC (now a Mac ;])

    Anyway, I always warned people about the risks of viruses and spyware etc, but being a 14 year old girl no one ever listened. Even when I INSISTED on a reformat.

    Anyway.

    Here is a log

    Logfile of HijackThis v1.99.1
    Scan saved at 18:16:20, on 27/03/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\wltray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\autodown.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINNT\system32\WISPTIS.EXE
    C:\Program Files\Microsoft Office\OFFICE11\MSPUB.EXE
    C:\Program Files\Microsoft Office\OFFICE11\MSPUB.EXE
    C:\WINNT\System32\mspaint.exe
    C:\Documents and Settings\Ben Westlake\Desktop\aawsepersonal.exe
    C:\WINNT\system32\MSIEXEC.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINNT\System32\mspaint.exe
    C:\WINNT\system32\mshta.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...FbXAJHrR3zapY=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [wltray.exe] C:\WINNT\system32\wltray.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136232549625
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games...ploader_v6.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service (file missing)
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe




    Any help appreciated, as I'm not a regular PC user.

  2. #2

    Hi WestLake,

    Too bad Judy (jholland) is away. If she was here, girl-to-girl you guys would have cleaned this system up in a jiffy. Anyhow, though I don't usually deal with this section, I will try to help so you won't think IANAG people also ignore 14-yo girls!

    I am assuming this is for a personal home computer? If not some of the instructions may not be proper to follow so let me know.

    Here is the portion of the log (analyzed through our own Online Log Analyzer) that I wanted you to pay attention to:

    R3 - URLSearchHook: (no name) - - (no file)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.

    O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.

    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.

    O4 - HKCU\..\Run: [internat.exe] internat.exe
    internat.exe
    2 possibilities for the above entry!
    a. internat.exe is installed with Windows and is a process to provide Microsoft's multi-lingual features in Microsoft Windows.
    or
    b. internat.exe could also be a process which is registered as the Win32.Lydra.a information stealing Trojan. This Trojan allows attackers to access your computer, personal data and information.
    *** If multi-lingual features are indeed installed and being used then it should be safe, so ignore it.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    Internet Explorer Restrictions
    Spybot or some other security program/plug-in could be doing this, but this is a user-selected option. If no such setting was opted for by the user then have HJT fix this as well.

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    Related
    Alexa_registry_entry Registry key that creates a menu item that points to a local web page that points to an MSN search page that uses the Alexa engine.

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    Related
    Alexa_registry_entry Registry key that creates a menu item that points to a local web page that points to an MSN search page that uses the Alexa engine.

    O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.

    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service (file missing)
    File Missing
    When a file is missing, you should always have HijackThis fix the item.

    *** Additionally, the following entries are non-essential and I advise people to remove them, but it is entirely up to the user's preference:

    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    This is all I could see, with the exception of the Proxy override, which could be a legit setting placed by the ISP:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    Do the above steps while Windows is running in Safe Mode; also, before booting in Safe Mode, download ATF-Cleaner and run it after using HJT.

    Afterwards, if there are still any issues, please provide detailed info.


    ~TL

  3. #3
    Hi westlake,
    Just returned from vacation. A few other items I noticed in the log, other than those noted by ~TL.
    These entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    Look like Yahoo but they are not.
    They are a click through search engine. Minor malware but should be fixed by HJT.

    I would like to suggest that you do the following.
    First of all the Java on this machine is way out of date. Go to Add/Remove and uninstall any java programs found.

    Then go to this link
    and download the latest edition of Sun Java which is Version 5.0 Update 11.
    I always suggest the manual install.
    Once you have installed then go to this verification link
    to be certain the download was properly installed.
    Next go to this link
    Follow the instructions and download the ATF-Cleaner and the AVG Anti-spy program, updating of course after you download. Run the online Kaspersky scan specifically. It will NOT fix anything but will generate a log noting any problems AND the locations so that we can better remove them.
    Reboot in SAFE MODE and first run ATF-Cleaner in Safe Mode and also the AVG-Anti-spy program. Allow the AVG to clean anything found, it will also generate a log. Save that log for posting here.
    Reboot in normal mode and run a new HJT scan, save the log and post it back here with the AVG log and the Kaspersky log.
    Judy
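The triage rules the two replies apply to this log (fix any hook, BHO, toolbar or service whose file is missing; look twice at an autostart entry such as internat.exe that is only a bare name and so could be either the Windows component or something else of the same name; treat the O6 IE restrictions as a user choice; and check the host behind a search-provider URL because a hijacker's page can look like Yahoo without being Yahoo) can be written down as a small parser. The script below is an added example and is not part of the thread or of HijackThis; the sample log is a constructed subset of the entries posted above, and the `Finding` class, the `DUAL_USE_NAMES` table and the `triage` functions are my own naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the entries from the log above, in the
# HijackThis v1.99.1 line format (section code, " - ", entry body).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
URL_RE = re.compile(r"https?://[^\s]+")

# Filenames the thread's analyzer treats as ambiguous: a legitimate Windows
# component shares the name with a known trojan, so the log line alone
# cannot tell them apart.
DUAL_USE_NAMES = {
    "internat.exe": "Windows multi-lingual indicator, but the name is also used by the "
                    "Win32.Lydra.a information-stealing trojan; keep it only if the "
                    "multi-lingual features are actually in use",
}


@dataclass
class Finding:
    section: str
    line: str
    action: str   # "fix" or "review"
    reason: str


def _executable_token(command: str) -> str:
    """Return the program part of an O4 command, with surrounding quotes stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _is_absolute_windows_path(token: str) -> bool:
    return re.match(r"^[A-Za-z]:\\", token) is not None


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    # Rule 1: an entry whose file no longer exists is dead weight at best;
    # the analyzer's rule is to always have HijackThis fix it.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(section, line, "fix", "referenced file is missing")

    # Rule 2: autostart entries that give only a bare program name are resolved
    # through the PATH search at logon, so the log cannot say which file runs.
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4:
            exe = _executable_token(o4.group("command"))
            basename = exe.rsplit("\\", 1)[-1].lower()
            if basename in DUAL_USE_NAMES:
                return Finding(section, line, "review", DUAL_USE_NAMES[basename])
            if not _is_absolute_windows_path(exe):
                return Finding(section, line, "review",
                               f"'{exe}' is not a full path; confirm which file it resolves to")
        return None

    # Rule 3: IE policy restrictions are a user choice (Spybot can set them);
    # if nobody chose them, the entry should be fixed.
    if section == "O6":
        return Finding(section, line, "review",
                       "Internet Explorer restrictions present; fix unless set deliberately")

    # Rule 4: a search-provider override pointing at a URL deserves a look at the
    # host, because a click-through page can be styled to look like a known engine.
    if section in ("R0", "R1") and "Search" in body:
        url = URL_RE.search(body)
        if url:
            host = url.group(0).split("/")[2]
            return Finding(section, line, "review", f"search provider override points at host {host}")
    return None


def triage(log_text: str) -> List[Finding]:
    findings = [triage_line(ln) for ln in log_text.splitlines()]
    return [f for f in findings if f is not None]


def actions(log_text: str) -> Dict[str, int]:
    counts = {"fix": 0, "review": 0}
    for f in triage(log_text):
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:3} {f.reason}\n         {f.line}")
    print(actions(SAMPLE_LOG))
```

On the constructed sample this reports three "fix" items (the R3 hook, the nameless O2 BHO and the SBHookSvc service, all with missing files) and four "review" items (the Yahoo-looking search bar, internat.exe, the bare nwiz.exe and the O6 restrictions), while the ProxyOverride line and the fully-pathed antivirus and Apple entries produce nothing, matching the replies' own reading of the log.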
