[Solved]Please Help in deciphering HJT Log, for Review please. 1 Trojan 1 Virus found

ShalimarShalimar Touching the Stars
edited November 2006 in Spyware & Virus Removal
Hello Spyware Busters. :)

If anyone could help with the dechiphering of the below logs, it would really be appreciated.

Thank you.

The problem i had was not having the ability to access the start menu.

So i followed the "Compendium" and decided to go all the way with all the available scanners and came up with the "BackDoor.Theef.111" which was found by AVG Anti Spyware which gave it a high risk rating.

Problem 2 infections: Very old files

Status Deleted!

I re ran AVG Anti Spyware after rebooting in both safe & normal modes with a clean bill of health both times.

Kaspersky online Scanner found 1 virus with 7 files being infected.

Status Deleted!

I Re ran Kaspersky online Scanner after rebooting and it confirmed there were no viruses infecting anything.

Kaspersky/Bitdefender/Macafee/Symantec/AVG New 7.5 Antivirus etc are all now coming back with a clean bill of health. "All latest definitions"

Spybot 1.4/Adaware/Stinger/AVG Anti Spy Ware, Latest definitions installed also now come back with a clean bill of health.

Below are 2 HJT Log files, one in safe mode one in normal mode with the executable being renamed as ScannerA.

It would be very much appreciated if someone could give me a yay or nay on wether Hijack this looks good or not. Log files are as follows:

PC Now appears to be working in a proper fashion a looking healthy. :)

Windows Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:23 PM, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\ScannerA-HJK\ScannerA.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Rupsmon Daemon.lnk = ?
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ICE-CAP\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141558032593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144242402984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4886/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ICE-CAP\blackd.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ICE-CAP\rapapp.exe
O23 - Service: Rupsmon - Mega System Technologies, Inc. - C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
O23 - Service: USBMate - Mega Corp. - C:\Program Files\Megatec\UPSilon 2000\USBMate.exe


Log File Running Windows in normal Mode:

Logfile of HijackThis v1.99.1
Scan saved at 5:57:10 PM, on 5/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Megatec\UPSilon 2000\Monw32.exe
C:\Program Files\ICE-CAP\blackice.exe
C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ICE-CAP\blackd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\WINDOWS\system32\wuauclt.exe
D:\FAH-1\FAH502-Console.exe
D:\FAH-2\FAH502-Console.exe
D:\FAH-1\FahCore_78.exe
D:\FAH-2\FahCore_78.exe
D:\ScannerA-HJK\ScannerA.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Rupsmon Daemon.lnk = ?
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ICE-CAP\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141558032593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144242402984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4886/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ICE-CAP\blackd.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ICE-CAP\rapapp.exe
O23 - Service: Rupsmon - Mega System Technologies, Inc. - C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
O23 - Service: USBMate - Mega Corp. - C:\Program Files\Megatec\UPSilon 2000\USBMate.exe

Sorry to be a pest guy's. :)

Shal

Comments

  • TroganTrogan London, UK
    edited November 2006
    Everything looks good, but you need to update Java as older versions have vulnerabilities that malware can use to infect systems.

    Follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement."
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-1_5_0_09- windowsi586-p.exe to install the newest version.

    :)
  • ShalimarShalimar Touching the Stars
    edited November 2006
    Hello Trogan_1000..:)

    Thank you for assisting.

    I have downloaded the version you have linked me to, but i have one minor problem.

    In my add remove programs, i have nothing remotely pertaining to any type of java at all. Do i just install the new java version?

    Shal :)

    PS: I will be purchasing AVG Anti Spy Ware as i think it is a very good program to have handy.
  • TroganTrogan London, UK
    edited November 2006
    Yeah, just install the new one. :)

    Let me know when that is done please.
  • ShalimarShalimar Touching the Stars
    edited November 2006
    jre-1_5_0_09- windowsi586-p.exe is now installed.

    It did not ask for a reboot, anything else you would like for me to do. :)

    Shal
  • TroganTrogan London, UK
    edited November 2006
    Well, I don't see a Firewall in your log, but I'm guessing your using Windows Firewall?
  • ShalimarShalimar Touching the Stars
    edited November 2006
    Running a hardware firewall and one software firewall.

    ICE-CAP "BlackIce" is the software one. With the windows firewall running as well.

    Shal :)
  • TroganTrogan London, UK
    edited November 2006
    I've never heard of BlackIce Firewall, but it is not recommended to run two Firewalls i.e the Software and Windows Firewall, because they will conflict. I would say to disable Windows Firewall.
  • ShalimarShalimar Touching the Stars
    edited November 2006
    Trogan_1000 wrote:
    I would say to disable Windows Firewall.

    Windows firewall now disabled!

    http://www.iss.net

    http://www.iss.net/download/index.html

    http://blackice.iss.net/update_center/readme_pcp.txt

    It has outgoing protection as well.

    Is there anything else i should do. :)

    Shal

    And thank you for helping
  • ShalimarShalimar Touching the Stars
    edited November 2006
    Also i will be puchasing AVG Anti Spy Ware "I think it is worth it. :)

    Shal
  • TroganTrogan London, UK
    edited November 2006
    Yep, I think AVG-AS is worth it too. I can't think of anything else at the moment, lol! :D

    If you have no other questions, we could mark this resolved?
  • ShalimarShalimar Touching the Stars
    edited November 2006
    This is what was added to the latest update "which is current on my pc at the moment" :)



    1. New Security Content For 3.6.cpu

    IssueID SecChkID ProductCheckName Event Type Risk Level
    3113042 16269 UDP_Ares_Galaxy Protocol Signature Medium
    2106243 25840 DPS_String_Overflow Unauthorized Access Attempt High
    2106242 25841 DPS_IpAddr_Overflow Unauthorized Access Attempt High
    2106241 25844 DPS_Magic_Number_DoS Denial of Service Low
    2106246 27653 CompoundFile_Excel_Style_BO Unauthorized Access Attempt High
    2118082 28620 HTTP_Apache_Expect_XSS Suspicious Activity Medium
    2109008 28658 HTML_Asp_Dot_Net_XSS Unauthorized Access Attempt Medium
    2114015 28775 CompoundFile_Word_Malformed_Stack Unauthorized Access Attempt High
    2110105 29209 CompoundFile_Improper_Memory_Access Unauthorized Access Attempt High
    2114017 29215 CompoundFile_Word_Malformed_String Unauthorized Access Attempt High
    2114018 29216 CompoundFile_Word_SmartTag_BO Unauthorized Access Attempt High
    2109009 29224 CompoundFile_Word_Table_CodeExec Unauthorized Access Attempt High
    2118083 29232 CompoundFile_PowerPoint_TextByte_BO Unauthorized Access Attempt High
    2106248 29234 CompoundFile_PowerPoint_TableProp_Overflow Unauthorized Access Attempt High
    2106245 29238 CompoundFile_Excel_DateTime_BO Unauthorized Access Attempt High
    2106247 29239 BIFF_Excel_Lotus123_CodeExec Unauthorized Access Attempt High
    3114002 29253 HTTP_Microsoft_Error_Report Status/Control Messages Low


    2. Security Content Improvements in 3.6.cpu
    - JavaScript_NOOP_Sled has been updated to detect additional patterns.
    - Synflood performance has been improved.
    - No longer trigger the decode HTTP_IE_HTML_Embed_Overflow for browser clients known to be unsusceptible to the issue.
    - Removed false positive for CompoundFile_Publisher_String_BO
    - Removed false positive for HTML_IE_Table_Spoof by fixing HTML parser's recognition of ********** directives with empty contents that would cause the parser to get out of synch.
    - Changed parsing of Via data to remove a false positive for SIP_Unknown_Via_Parameter when using Microsoft Live Communication Server.
    - Changed JavaScript parser to properly recognize comments delimited with /* and */, eliminating a false positive with JavaScript_Wscript_Shell_Object.



    3. Event Blocking Notes
    3.1 Blocking was added for the following events:

    SecChkID ProductCheckName
    20610 HTTP_MailEnable_Auth_Overflow
    23022 Flash_ActionDefineFunction_Name_BO
    26802 HTTP_ASP_AppFolder_Disclosure
    27456 HTTP_IE_HTA_Remote_Exec
    28653 ICMP_Phishing_Trojan


    3.2 Blocking was removed for the following events:

    SecChkID ProductCheckName
  • TroganTrogan London, UK
    edited November 2006
    The Firewall sounds good, and it seems your happy with it!?!? I may give it a try.
  • ShalimarShalimar Touching the Stars
    edited November 2006
    The only question i have now is about the microsoft defender, in the "Compendium" the link provided led me to the Xsoft something anti spyware.

    Is it worth installing and if so do you have a link for it.

    Apart from that i consider this resolved.

    Thank you Trogan_1000 for assisting me. :)

    Shal
  • TroganTrogan London, UK
    edited November 2006
    Don't install that XoftSpy program. Thanks for the heads up on the link. I'll inform Keebs or someone to fix it.

    As for Windows Defender, I don't think there is any use for it personally. You could download it and see what you think. Here is the link --> http://www.microsoft.com/athome/security/spyware/software/default.mspx

    :)
  • ShalimarShalimar Touching the Stars
    edited November 2006
    Thank you very much Trogan_1000. :)

    I am now happy, and you may mark the thread as resolved if you wish.

    Later Shal. :)
  • TroganTrogan London, UK
    edited November 2006
    Your very welcome! :)

    Thread resolved/closed!
This discussion has been closed.