
Please review my HJ log.

1507 Views 15 Replies 4 Participants Last post by Flrman1
We are having a problem with this computer. I found the BKDR_IRCFLOOD.X trojan on here with the Trend Micro online scanner. After deleting it I ran two other scanners, trojanscan, and pandasoftware. Both of those showed up clean. Next I ran Ad aware and SpyBot, they only found some tracking cookies.

I am not completely sure everything is running well so I thought I would post the results of the HJ log for review. I removed the server names and IP.

Let me know what you think; all help is appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 4:21:39 PM, on 3/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\MSP\mspadmin.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\srunner.exe
C:\WINNT\system32\RsFsa.exe
c:\winnt\system32\netsrv.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\MSP\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\MSP\mailalrt.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\FaxTalk FaxCenter 4.0\FAPIEXE.EXE
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CallControl] C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.6151041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F7F570D-D9E2-43B8-9C7A-262F4DEFFE4F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DC7AEB-CEAC-45DE-8C27-E60FB42EAB70}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
I forgot the active scan results as well from the online scanner.

W32/Randon Disinfected C:\WINNT\system32\navdb.dbx
Bck/Xayflu.srv Disinfected C:\WINNT\system32\PipeCmd.exe

Thank you all for any help.
flrman1,

I did as you suggested and fixed O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe with HJ and made sure my folder view settings were correct, then restarted in safe mode.

When I went to C:\WINNT\hm there was no file there, only a folder named download, and no adobes.exe file in it?

Should I be concerned? I have found this on another machine in the network and would like to rid them all of this.

There is something else that sent up a red flag lately: every now and then when I close, open, or change a setting on this other machine, it attempts to install Outlook 2000, or so it seems. I cancel it about 3 or 4 times before it stops. Any suggestions?

Thank you for your help so far, this is what the internet was intended for anyways, sharing of knowledge to help others, too bad we have to combat all the other crap on it.
I found the registry entry and deleted it as well now.

Is it safe to delete the C:\WINNT\hm\ folder or is it used for some other obscure Windows app?
Hey Rog, flrman1,

Thanks for the input and concern. Rog, the only thing in the hm folder is a folder named download and it is empty.

The machine runs apps created by a programmer. We can probably shut down some of the obscure services running on this machine with no harm.

It is a development machine on the network that needs a cleaning. It is overlooked by most of the admin duties because only one programmer uses it and no one has bothered to pay attention to it.

I was snooping for viruses the other day and looked on that machine as well, and that's when it hit the fan!

How can I tell if the mshta is a valid program or a trojan?

Thanks for the link to the explanation!
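As an added example (not part of this thread and not HijackThis's own code), the Python script below parses the kind of HijackThis log posted above and applies two checks a responder usually does by hand: it flags O4 Run entries whose launch target lies outside an assumed allowlist of directories, and it counts how often each executable appears in the Running processes list, since a process such as mshta.exe showing up many times deserves a look at what launched it before it is judged malicious. The allowlist, the repeat threshold of three, and the treatment of bare program names are assumptions of this example; the sample log is a constructed subset of the first log in the thread.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the HijackThis v1.97.7 log lines
# posted earlier in this thread. The repeated mshta.exe processes and the
# [AdobeA] run entry are the items the thread ends up discussing.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:21:39 PM, on 3/23/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\WINNT\system32\mshta.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [CallControl] C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [AdobeA] C:\WINNT\hm\adobes.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# O4 Run entries as HijackThis prints them: "O4 - HKLM\..\Run: [name] command".
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Pulls the executable path out of a command, quoted or not, stopping at the
# first executable extension followed by whitespace or end of string.
EXT_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE)

# Assumed allowlist (example only): directories from which auto-start
# executables are expected on this Windows 2000 box. Compared lowercase.
TRUSTED_PREFIXES = (
    "c:\\winnt\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)


def parse_hjt(text):
    """Return the Running processes list and the (hive, name, command) O4 Run entries."""
    processes, run_entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False   # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            run_entries.append(m.groups())
    return {"processes": processes, "run_entries": run_entries}


def launch_target(cmd):
    """Return (target, is_path): the program an O4 command launches and whether it is a full path."""
    cmd = cmd.strip()
    head = cmd.split(" ", 1)[0]
    if "\\" in head or cmd.startswith('"'):
        m = EXT_RE.match(cmd)
        return (m.group(1) if m else cmd, True)
    return (head, False)   # bare name such as wfxsnt40.exe or regsvr32


def flag_run_entries(entries, trusted=TRUSTED_PREFIXES):
    """Flag Run entries that point outside the allowlist or give no path at all."""
    findings = []
    for _hive, name, cmd in entries:
        target, is_path = launch_target(cmd)
        if not is_path:
            findings.append((name, target, "bare program name, resolved via PATH at logon"))
        elif not target.lower().startswith(trusted):
            findings.append((name, target, "executable outside trusted directories"))
    return findings


def repeated_processes(processes, min_count=3):
    """Count executables by file name and return those running min_count times or more."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    return {name: n for name, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for name, target, reason in flag_run_entries(parsed["run_entries"]):
        print(f"O4 [{name}] -> {target}: {reason}")
    for name, n in repeated_processes(parsed["processes"]).items():
        print(f"{name} is running {n} times: check what launched it before assuming malware")
```

Run as is it reports the [AdobeA] entry under C:\WINNT\hm as outside the allowlist, lists the two bare-name entries as worth a second look, and reports mshta.exe as running four times. The allowlist is a triage aid, not a verdict: as the thread shows, the mshta.exe instances had an innocent cause, and a reviewer still has to confirm what spawned a repeated process and what an unknown auto-start target actually is.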
Hey Rog and flrman1,

The mshta's were there because the programmer was trying to add/remove program and it would not work, but he just kept clicking on the damn button.

I resolved the add/remove program error and they went away. Here is a new log from HJ.

Please tell me if there is something else that looks out of the ordinary; I am not seeing anything.

Thanks for all the great help.

Logfile of HijackThis v1.97.7
Scan saved at 5:53:58 PM, on 3/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\MSP\mspadmin.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\srunner.exe
c:\winnt\system32\netsrv.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\MSP\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\MSP\mailalrt.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\ASTA\Servers\CustomADO.exe
C:\Program Files\Navnt\navapw32.exe
C:\Raize\CodeSite\CodeSite.exe
C:\Program Files\FaxTalk FaxCenter 4.0\FAPIEXE.EXE
C:\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CallControl] C:\Program Files\FaxTalk FaxCenter 4.0\FTCtrl32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.6151041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F7F570D-D9E2-43B8-9C7A-262F4DEFFE4F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DC7AEB-CEAC-45DE-8C27-E60FB42EAB70}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
Thanks for your help guys.

Here is an updated screenshot from HJT.

Logfile of HijackThis v1.97.7
Scan saved at 3:36:10 PM, on 3/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\MSSQL7\binn\sqlagent.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ASTA\Servers\CustomADO.exe
C:\Program Files\Navnt\navapw32.exe
C:\Raize\CodeSite\CodeSite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - Global Startup: Customado Supremo.lnk = C:\ASTA\Servers\CustomADO.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.6151041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F7F570D-D9E2-43B8-9C7A-262F4DEFFE4F}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{60DC7AEB-CEAC-45DE-8C27-E60FB42EAB70}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
Does anyone know what this is for?

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Some kind of plugin, but no hits on the goo?
Never mind, I typo'd my Google question; it is a plugin for Acrobat.