
Please review my HJ log.

1507 Views 15 Replies 4 Participants Last post by Flrman1
We are having a problem with this computer. I found the BKDR_IRCFLOOD.X trojan on here with the Trend Micro online scanner. After deleting it, I ran two other scanners, TrojanScan and Panda Software; both of those showed up clean. Next I ran Ad-aware and SpyBot; they only found some tracking cookies.

I am not completely sure everything is running well so I thought I would post the results of the HJ log for review. I removed the server names and IP.

Let me know what you think; all help is appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 4:21:39 PM, on 3/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\MSP\mspadmin.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\system32\RsFsa.exe
c:\winnt\system32\netsrv.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\MSP\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\MSP\mailalrt.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\FaxTalk FaxCenter 4.0\FAPIEXE.EXE
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CallControl] C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.6151041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F7F570D-D9E2-43B8-9C7A-262F4DEFFE4F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DC7AEB-CEAC-45DE-8C27-E60FB42EAB70}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
Originally posted by Sephiroth11:
Looks clean to me.:up:
NOT! ;)

This one:

O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe

That's the IRC/Flood.ba trojan. See here:

http://vil.nai.com/vil/content/v_100373.htm

Fix that entry with Hijack This.

Restart to safe mode and delete:

The C:\WINNT\hm\adobes.exe file

This file may be hidden, so click on My Computer, then click Tools > Folder Options. In Folder Options click on the View tab. Under Files and Folders tick "Show hidden files and folders", then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder", then "Apply" and "OK".

How to start your computer in safe mode.
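As an added example (not code from this thread or from any tool named in it), a small Python triage script for the HijackThis log format: it pulls out the O4 autostart entries, flags any whose executable sits outside the usual program directories, as C:\WINNT\hm\adobes.exe does, marks entries with no full .exe path (such as the regsvr32 line) for manual review, and counts repeated process images like the mshta.exe instances noted above. The trusted-directory list and the sample log lines are constructed assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample modelled on a few lines of the log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\Navnt\navapw32.exe

O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
"""

# Assumed directories where autostart executables are normally expected.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\winnt\\system32\\")
# O4 lines come in two shapes: "[label] command" or "shortcut.lnk = target".
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+?) = )(?P<cmd>.*)$")
EXE_RE = re.compile(r"[a-z]:\\.*?\.exe", re.IGNORECASE)

def parse_o4(log):
    """Return (where, label, command) for every O4 autostart line."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m["where"], m["name"] or m["lnk"], m["cmd"]))
    return out

def flag_startups(log):
    """Label -> 'ok', 'suspicious' (exe outside trusted dirs) or 'review' (no full exe path)."""
    verdicts = {}
    for _where, label, cmd in parse_o4(log):
        m = EXE_RE.search(cmd)
        if not m:
            verdicts[label] = "review"
            continue
        verdicts[label] = "ok" if m.group(0).lower().startswith(TRUSTED_PREFIXES) else "suspicious"
    return verdicts

def repeated_processes(log, threshold=2):
    """Count image names in the 'Running processes' section; return those at or above threshold."""
    counts, in_procs = Counter(), False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and not line.strip():
            break
        elif in_procs:
            counts[line.strip().rsplit("\\", 1)[-1].lower()] += 1
    return {name: n for name, n in counts.items() if n >= threshold}
```

A "suspicious" verdict is a prompt to look the file up, not proof of infection; the "review" bucket is where entries like the MsmqIntCert regsvr32 line land for a human decision.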
Thanks, Rog. I'm glad you picked up on those mshta's. I saw them last night and then forgot all about them. :eek:
The log looks fine now. I believe I would delete that C:\WINNT\hm folder.
Assuming that you determined what this is:

O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe

and you decided you needed it, and that you chose to leave this in the startups for some reason:

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

everything looks fine.