HijackThis ...am I missing something here?

csimon (Acadiana, Icrontian)
edited April 2004 in Spyware & Virus Removal
As the title states.
With all of the omegasearch stuff being advertised I thought I would download HijackThis and give it a shot.
Anyone experienced care to give it a look?

Logfile of HijackThis v1.97.7
Scan saved at 5:23:49 PM, on 4/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Coolmon\CoolMon.exe
D:\f@h\EMIII\EMIII.exe
d:\f@h\srvany.exe
d:\f@h\FAH4Console.exe
d:\f@h\FahCore_78.exe
D:\Bak\Utilities\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38060.0004976852
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx

:scratch:

Comments

  • Kwitko (Sheriff of Banning (Retired), By the thing near the stuff, Icrontian)
    edited April 2004
    Looks clean, csimon.
  • primesuspect (Beepin n' Boopin, Detroit, MI, Icrontian)
    edited April 2004
    The way a HJT log SHOULD look :)
  • Dexter (Vancouver, BC Canada)
    edited April 2004
    Especially this part:

    d:\f@h\FAH4Console.exe
    d:\f@h\FahCore_78.exe

    ;)

    Dexter...
  • csimon (Acadiana, Icrontian)
    edited April 2004
    cool ...I feel like I just passed the American Idol test!!!
    So what exactly brings about this omegasearch thing so I know what to avoid? I don't use an antivirus or ad-detectives or anything ...I guess to me it's kinda like using a condom (not that there's anything wrong with that if you're not a monogamouse).
  • Leonardo (Wake up and smell the glaciers, Eagle River, Alaska, Icrontian)
    edited April 2004
    csimon wrote:
    I don't use an antivirus

    :eek2: ? It's only a matter of time until you come to grief.
  • csimon (Acadiana, Icrontian)
    edited April 2004
    Leonardo wrote:
    :eek2: ? It's only a matter of time until you come to grief.
    I agree ...I do have norton av 2003 just not installed. When I need it I'll use it for sure! :banghead:
  • Leonardo (Wake up and smell the glaciers, Eagle River, Alaska, Icrontian)
    edited April 2004
    Please install it, and run it...ASAP!
  • csimon (Acadiana, Icrontian)
    edited April 2004
    ok you talked me into it!
    actually I'm in the process of 20 installations at school in my lab with a different antivirus software.
    Will do tomorrow when I can grab the disc chief.

    Thanks Leon :respect:
    csimon
  • Dexter (Vancouver, BC Canada)
    edited April 2004
    csimon wrote:
    So what exactly brings about this omegasearch thing so I know what to avoid?

    http://www.short-media.com/review.php?r=235

    Everything you ever wanted to know about Omegasearch :) With links to Prime's anti-spyware article for prevention tips.

    Dexter...
  • Straight_Man (Geeky, in my own way, Naples, FL, Icrontian)
    edited April 2004
    csimon wrote:
    I agree ...I do have norton av 2003 just not installed. When I need it I'll use it for sure! :banghead:

    Um, csimon, the defs with the CD will be for sometime in 2002. Only about 20 THOUSAND virus variants ago even if trojans are not counted. Please install, update, and make yourself a floppy rescue disk set or rescue CD. Then, at worst, you will have a rescue\virus scan image that is not two plus years out of date when you need it (2003 version was issued in about June of 2002 at the latest, last I looked the def dates on the CD were at least a month earlier).

    Right now, there are too many viruses that happily kill older NAV on sight, for an updated NAV 2003. One of the updates you will get will be a renamed NAV, after initial install. I think they are up to name subversion G or H now for the core scanner engine executable. Would not be surprised if the core scanner version name on your CD was NAVEX. Substitute letters above for the E in that name.

    Sounds like you are conservative in surfing. This helps a lot. Getting email through a virus-protected email server will always help some, but even that is not perfect. I've even caught Comcast with a few that slipped through, and some emails that BYPASSED the incoming email scanner server appliance. THOSE, the headers got sent verbatim to Comcast's abuse address, some holes got closed.

    Problem is, no setup is perfect, always some holes to be found if folks are stubborn enough-- and right now three groups of virus writers are having an attack\exploit impact contest. The way the AV folks know that, is that the writers are messaging each other in the source code that the AV folks are disassembling after unarchiving it-- on Linux and BSD and Unix and Solaris boxes. Those three groups have spawned about 100 variants in two months that are known out in the wild now, and I have gotten so many virus def updates from my AV vendor that it is not even close to funny. F-Prot now has recognition for 114,279 viruses and trojans and javascript and macro malwares known to be in the wild on the web, as of today.

    John D.
  • csimon (Acadiana, Icrontian)
    edited April 2004
    Ok ...I ran HijackThis on my work system and this is what I come up with ...would anyone care to take a shot at this one.
    The one thing that stands out to me is redswoosh ...no idea what that is ...anyway here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:40:00 PM, on 4/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    d:\f@h\f@h1\srvany.exe
    d:\f@h\f@h1\FAH4Console.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    d:\f@h\f@h1\FahCore_78.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    D:\CoolMon\CoolMon.exe
    C:\WINDOWS\System32\devldr32.exe
    D:\Bak\Utilities\Security\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
    O4 - Startup: CoolMon.lnk = D:\CoolMon\CoolMon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
  • primesuspect (Beepin n' Boopin, Detroit, MI, Icrontian)
    edited April 2004
    Okay, this is a stinker:

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Performance De-hancing:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

    Questionable:

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

    IPBill? Do you use some sort of online payment processing?
  • shwaip (bluffin' with my muffin, Icrontian)
    edited April 2004
    if you search for "AD7FAFB0-16D6-40C3-AF27-585D6E6453FD", you'll find that it's a dialer of some sort, possibly for adult material.
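    The triage prime and shwaip did by hand above (look at the O16 DPF lines, treat any ActiveX control downloaded from a host you do not recognise as questionable, and search on its CLSID; list the O4 autostarts with the hive they live in) can be scripted. The following is an added example written for this thread, not code from HijackThis or from anyone in the discussion. It parses the O4 and O16 line formats shown in the logs above; the allow-list of vendor hosts is an assumption for illustration, and the sample input is copied from the second log posted in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the original thread or of HijackThis). Heuristics, mirroring the thread:
  * O16 DPF entries (ActiveX controls pulled down by Internet Explorer) whose
    host is not on an allow-list are flagged, with the bare CLSID to search on;
  * every O4 Run/Startup entry is returned with its hive so per-user (HKCU)
    autostarts can be told apart from machine-wide (HKLM) ones.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list of hosts whose DPF controls are treated as expected on a
# 2004-era XP box. Everything else, including CDN-hosted installers, gets a
# CLSID lookup, which is exactly what prime's "Questionable" list did.
KNOWN_DPF_HOSTS = {
    "windowsupdate.microsoft.com",
    "download.macromedia.com",
    "hotmail.msn.com",
}

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.+)$")
O4_NAME_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<label>[^)]*)\))? - (?P<url>\S+)$"
)


def host_is_known(host, known=KNOWN_DPF_HOSTS):
    """Exact or subdomain match against the allow-list (case-insensitive)."""
    host = host.lower()
    return any(host == k or host.endswith("." + k) for k in known)


def parse_line(line):
    """Return a dict for an O4 or O16 line, or None for any other line."""
    line = line.strip()
    m = O16_RE.match(line)
    if m:
        url = m.group("url")
        return {
            "kind": "O16",
            "clsid": m.group("clsid").upper(),
            "label": m.group("label") or "(no label)",
            "url": url,
            "host": urlsplit(url).hostname or "",
            # shwaip's tip: search on the CLSID without the braces
            "search_term": m.group("clsid").strip("{}"),
        }
    m = O4_RE.match(line)
    if m:
        where, rest = m.group("where"), m.group("rest")
        hive = where.split("\\", 1)[0]  # "HKLM\..\Run" -> "HKLM", "Startup" -> "Startup"
        nm = O4_NAME_RE.match(rest)
        if nm:  # registry Run value: "[Name] command line"
            name, cmd = nm.group("name"), nm.group("cmd")
        else:   # Startup-folder form: "CoolMon.lnk = D:\CoolMon\CoolMon.exe"
            name, _, cmd = rest.partition(" = ")
        return {"kind": "O4", "hive": hive, "name": name, "cmd": cmd.strip()}
    return None


def triage(log_text):
    """Split a log into unknown-host DPF controls and all O4 autostarts."""
    dpf_unknown, autostarts = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "O16" and not host_is_known(rec["host"]):
            dpf_unknown.append(rec)
        elif rec["kind"] == "O4":
            autostarts.append(rec)
    return {"dpf_unknown": dpf_unknown, "autostarts": autostarts}


# Sample input: the R0/O4/O8/O16 lines from the second log in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: CoolMon.lnk = D:\CoolMon\CoolMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Questionable DPF controls (search on the CLSID):")
    for e in result["dpf_unknown"]:
        print(f"  {e['host']:28} {e['search_term']}  {e['label']}")
    print("Autostarts by hive:")
    for a in result["autostarts"]:
        print(f"  {a['hive']:8} [{a['name']}] {a['cmd']}")
```

    Run against the sample, it flags the Akamai-hosted QuickTime installer and the ipbill.com loader, which is the same pair prime called questionable; the URL alone does not tell you who published a control, so the CLSID lookup is still the deciding step. The HKCU entry for the Red Swoosh client also stands out on its own line because it autostarts for one user rather than the whole machine.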
  • csimon (Acadiana, Icrontian)
    edited April 2004
    primesuspect wrote:
    IPBill? Do you use some sort of online payment processing?

    the only online payment processing I use is paypal
  • csimon (Acadiana, Icrontian)
    edited April 2004
    thanks prime and shwaip ...I deleted all 5 objects!