
Please review my HJ log.

1509 Views 15 Replies 4 Participants Last post by  Flrman1
We are having a problem with this computer. I found the BKDR_IRCFLOOD.X trojan on here with the Trend Micro online scanner. After deleting it I ran two other scanners, trojanscan and pandasoftware. Both of those showed up clean. Next I ran Ad-Aware and SpyBot; they only found some tracking cookies.

I am not completely sure everything is running well so I thought I would post the results of the HJ log for review. I removed the server names and IP.

Let me know what you think; all help is appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 4:21:39 PM, on 3/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\MSP\mspadmin.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\system32\RsFsa.exe
c:\winnt\system32\netsrv.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\MSP\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\MSP\mailalrt.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\FaxTalk FaxCenter 4.0\FAPIEXE.EXE
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CallControl] C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.6151041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F7F570D-D9E2-43B8-9C7A-262F4DEFFE4F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DC7AEB-CEAC-45DE-8C27-E60FB42EAB70}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
The "hm" folder is not a default part of any Windows Operating System. What else, if anything, is in there?

I don't think I have seen a Scanlog with so many obscure but "legitimate" Microsoft services, most of them related to server-associated applications. Can you tell us what work this particular system is supposed to be configured to do? Any web hosting related applications that would involve administration of server systems or whatever? Sorry for the vagueness, but I'm just not familiar with these configurations and it is difficult to tell if these processes are required by what you do or were installed by a trojan.

I am particularly concerned by these multiple "mshta" entries which should not normally be seen in a Scanlog.

C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe

I would suggest reviewing the info on this page, and if no explanation can be found for them, installing the "hta stop" file they offer.

http://www.nsclean.com/psc-htas.html
Well, here would be my personal list of things to be reviewed and choices made as to whether you need them. Anything I list here would not be a 'default' part of a normal desktop workstation.

O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe

^^ what the heck is this? I don't see any "hits" for it.

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

^^ Microsoft "message queuer". You don't see this in a "normal" startup.

http://support.microsoft.com/support/kb/articles/Q202/1/24.asp

The following are all "services" which can be "disabled" through Administrative Tools > Services.

C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\MSP\mspadmin.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\WINNT\system32\srunner.exe
c:\winnt\system32\netsrv.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\snmp.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\System32\wins.exe
C:\MSP\wspsrv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\MSP\mailalrt.exe
C:\ASTA\Servers\CustomADO.exe
C:\Raize\CodeSite\CodeSite.exe

I've excluded from this list ones that are obviously associated with installed software such as antivirus or fax installations.

I haven't looked up most of them (some I know what they are); I can just tell you they would not be on a routine desktop workstation.

You can get information on them using links such as the following.

http://www.blackviper.com/WinXP/servicecfg.htm
http://snakefoot.fateback.com/tweak/winnt/services.html
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm