do these logs look clean to you?



billyjoey
2007-01-29, 18:20
I believe that I have a keylogger on my system. I have taken a few steps to secure my machine and I would like a confirmation that my computer is clean.
If anyone could offer further suggestions as to how I can be certain that I am clean again, I would really appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 11:13:13 AM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Acer Inc\Acer GridVista\GridVistaU.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wuauclt.exe
D:\New Folder\Utilities\autoruns.exe
D:\New Folder\Utilities\process explorer\procexp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
D:\New Folder\Utilities\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Acer GridVista.LNK = C:\Program Files\Acer Inc\Acer GridVista\GridVistaU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

pskelley
2007-01-30, 15:08
Welcome to the forum. Since I see no online virus scan, you must have missed this information:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

I can report on what I see in the HJT log.

1) You are running two antivirus programs (or more) at the same time, and this is not a good thing. They conflict with each other, and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

C:\Program Files\Alwil Software\
C:\PROGRA~1\Grisoft\AVGFRE~1\
C:\Program Files\ClamWin\

2) Your Java program is outdated and a security risk, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

3) I can see no obvious "malware" in the HJT log.

Thanks

billyjoey
2007-01-30, 19:36
OK, thank you for your reply.
The AVG antivirus and the ClamWin antivirus were only installed because Avast was not finding anything and I wanted to make sure it was gone.
I am currently running the scan, but in the meanwhile I will describe my problem.
After visiting a website that I thought I could trust I ran a .exe, which I am really extremely stupid about because I know better than that. My Avast has always worked and stops connection very quickly (it won't even let Panda run while it is active); however, this one got through. I also run Spybot resident as you may have noticed. When the infection occurred:
1/27/2007 4:16:23 PM Denied value "Microsoft Genetic Procress" (new data: "C:\WINDOWS\svchost.exe") added in System Startup global entry!
Spybot blocked it several times and then Spybot crashed.
I still have the .exe; however, I have made it unrunnable at the moment. I uploaded it to several online scanners and all they found was that it was a suspicious file, with no specific name as to what I might have.
As soon as I saw that Spybot was being spammed I shut off the computer, but Spybot crashed right before it powered off. After I noticed suspicious activity (accounts that only I have access to were being accessed and values were being changed) I booted into safe mode and removed several startup entries and used Windows Restore to go back to a recovery point about a week old. These are some of the entries that I removed:
1/27/2007 9:27:40 PM Allowed value "LaunchApp" (new data: "") deleted in System Startup global entry!
1/27/2007 9:30:19 PM Allowed value "RTHDCPL" (new data: "") deleted in System Startup global entry!
1/27/2007 9:30:37 PM Allowed value "MSPY2002" (new data: "") deleted in System Startup global entry!
1/27/2007 9:32:00 PM Allowed value "IMJPMIG8.1" (new data: "") deleted in System Startup global entry!
1/28/2007 1:08:30 AM Allowed value "{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}" (new data: "") added in ActiveX Distribution Unit!
1/28/2007 1:24:37 AM Allowed value "Persistence" (new data: "") deleted in System Startup global entry!
1/28/2007 1:24:53 AM Allowed value "Tweak UI" (new data: "") deleted in System Startup global entry!
1/28/2007 1:25:03 AM Allowed value "MSPY2002" (new data: "") deleted in System Startup global entry!
1/28/2007 1:25:10 AM Allowed value "IMJPMIG8.1" (new data: "") deleted in System Startup global entry!
1/28/2007 2:06:21 AM Allowed value "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}" (new data: "") deleted in Global browser toolbar!
1/28/2007 5:43:49 AM Allowed value "LaunchApp" (new data: "") deleted in System Startup global entry!
1/28/2007 5:43:50 AM Allowed value "Alcmtr" (new data: "") deleted in System Startup global entry!
1/28/2007 5:44:00 AM Allowed value "&Sample Toolband Serach" (new data: "") deleted in Browser menu extension!
1/28/2007 5:44:01 AM Allowed value "Sothink SWF Catcher" (new data: "") deleted in Browser menu extension!
I also have removed the svchost startup that the infection was caused by,
and manually updated my virus definitions.
I will post the Panda scans as soon as they are finished.

billyjoey
2007-01-30, 20:43
Well, it's surprisingly a huge list....

I have looked at it and the area of interest is here:
Spyware:spyware/web3000 Not disinfected C:\WINDOWS\HH.ICO
Possible Virus. Not disinfected C:\WINDOWS\SVCHOST.EXE

The rest of the list is too long to post at once.

billyjoey
2007-01-30, 20:49
Well, I was going to split it into 2 posts, but it had 4046 characters, which would require 3 posts and a lot of reading.
As it was mostly cookies I am going to clear my cache and cookies and then repeat the scanner; hopefully that will produce a shorter one.

pskelley
2007-01-30, 20:57
For starters this one does not identify with Google: C:\WINDOWS\HH.ICO
I may not have ever seen that file before, but it does not surprise me. Hackers can call their junk anything they want.
C:\WINDOWS\SVCHOST.EXE This is probably a trojan, the legitimate svchost would run from the System32 folder. I will suggest you do this:

Use these free online scans to find out what they are, if they scan as bad, delete them:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

You may need to enable hidden files and folders to see them:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

You may also need to delete them in safe mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Let's take a look with this scan, please make sure you delete or at least quarantine anything the program locates, then save the scan report and post it for me to view. Include a new HJT log with that.
http://forums.security-central.us/showthread.php?t=3165


Thanks

pskelley
2007-01-30, 21:03
In response to this post: #5 I assumed most of those were probably cookies. AVG Anti-Spyware will find a lot of cookies also, just be sure to DELETE them and then you can edit them from the scan report to make it shorter. If you need help to stop storing junk cookies, please let me know.

Thanks

billyjoey
2007-01-30, 21:35
Results from scanning svchost:

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

VirusTotal found:
Antivirus Version Update Result
AntiVir 7.3.1.33 01.30.2007 TR/Agent.10589
Authentium 4.93.8 01.30.2007 Possibly a new variant of W32/new-malware!Maximus
Avast 4.7.936.0 01.30.2007 no virus found
AVG 386 01.30.2007 no virus found
BitDefender 7.2 01.30.2007 Generic.Malware.SL!B.A9597FAC
CAT-QuickHeal 9.00 01.30.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.30.2007 no virus found
DrWeb 4.33 01.30.2007 no virus found
eSafe 7.0.14.0 01.30.2007 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.128 01.30.2007 no virus found
eTrust-Vet 30.3.3358 01.29.2007 no virus found
Ewido 4.0 01.30.2007 no virus found
Fortinet 2.85.0.0 01.30.2007 suspicious
F-Prot 4.2.1.29 01.30.2007 W32/new-malware!Maximus
Ikarus T3.1.0.27 01.30.2007 Generic.Malware.SL!B
Kaspersky 4.0.2.24 01.30.2007 no virus found
McAfee 4952 01.30.2007 no virus found
Microsoft 1.2101 01.30.2007 no virus found
NOD32v2 2021 01.30.2007 probably unknown NewHeur_PE virus
Norman 5.80.02 01.30.2007 Suspicious_F.gen
Panda 9.0.0.4 01.30.2007 Suspicious file
Prevx1 V2 01.30.2007 no virus found
Sophos 4.13.0 01.28.2007 Mal/Packer
Sunbelt 2.2.907.0 01.26.2007 VIPRE.Suspicious
Symantec 10 01.30.2007 no virus found
TheHacker 6.0.3.159 01.28.2007 no virus found
UNA 1.83 01.30.2007 no virus found
VBA32 3.11.2 01.29.2007 no virus found
VirusBuster 4.3.19:9 01.30.2007 novirus:Packed/FSG

Jotti found:
AntiVir
Found TR/Agent.10589
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Generic.Malware.SL!B.A9597FAC
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found Possibly a new variant of W32/new-malware!Maximus
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control
Found Suspicious_F.gen
VirusBuster
Found novirus:Packed/FSG
VBA32
Found nothing

I will be removing it as soon as I finish posting this.

billyjoey
2007-01-30, 21:44
Scan results for hh.ico

You're clean!

Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

VirusTotal found nothing

Jotti found nothing

billyjoey
2007-01-30, 23:19
Ran the Panda scan again and it found only this.
I guess I missed it hidden among the thousands of cookies.

Adware:adware/cws.svchost Not disinfected c:\windows\system32\SVCHOST.DLL
Adware:adware/sbsoft Not disinfected Windows Registry



New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:15:17 PM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Acer Inc\Acer GridVista\GridVistaU.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
D:\New Folder\Utilities\Hijack This\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Acer GridVista.LNK = C:\Program Files\Acer Inc\Acer GridVista\GridVistaU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)

pskelley
2007-01-30, 23:50
c:\windows\system32\SVCHOST.DLL <<< Here is the Google on that item:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=SVCHOST%2eDLL+
There is little doubt that is a very nasty worm, you can scan it with the same tools if you like.

I want to make sure you understand you must be very careful you do not delete this item:
C:\WINDOWS\system32\svchost.exe <<< this is valid and you will see it running as often as you ask Windows to host other programs.

I suggest you try this tool first:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: c:\windows\system32\SVCHOST.DLL and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Once that is done, then making sure all hidden files and folders are showing, use Search Companion to make sure that file:
SVCHOST.DLL is gone from your computer.

As far as I can see, there is no malware showing in your HJT log. Once you are sure you are clean, do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
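The svchost check pskelley describes in his two posts above (the real svchost.exe runs from System32, so a copy in C:\WINDOWS or a svchost.dll is suspect), as an added example that is not part of the original thread: a small Python script that parses the "Running processes" and O4 sections of a HijackThis-style log and flags such entries. The sample log is constructed for this example (the "Microsoft Genetic Procress" value name is taken from the thread; the rundll32 line is hypothetical), and the System32 path is the one on the poster's XP machine.

```python
"""Flag svchost impostors in a HijackThis-style log (added example, not from the thread)."""
import re
from pathlib import PureWindowsPath

# Windows runs its real svchost.exe only from System32 (path as on the XP machine in the thread).
LEGIT_SVCHOST_DIR = PureWindowsPath(r"C:\WINDOWS\system32")

# An absolute path ending in .exe or .dll, optionally quoted, inside an O4 line.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))\b', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")

# Constructed sample modelled on the logs posted in the thread; not a real capture.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Program Files\DAEMON Tools\daemon.exe

O4 - HKLM\..\Run: [Microsoft Genetic Procress] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [svchost] rundll32.exe c:\windows\system32\SVCHOST.DLL,Start
"""


def parse_hjt(text):
    """Return (kind, name, path) tuples for running processes and O4 startup entries."""
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process list
                in_procs = False
                continue
            entries.append(("process", PureWindowsPath(line).name, line))
            continue
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.search(m.group("rest"))
            if pm:
                entries.append(("O4", m.group("name"), pm.group(1)))
    return entries


def classify(kind, name, path):
    """Return a finding string if the entry is a suspicious svchost, else None."""
    p = PureWindowsPath(path)
    base = p.name.lower()
    if base == "svchost.exe":
        # Windows paths are case-insensitive, so compare lowercased parent directories.
        if str(p.parent).lower() != str(LEGIT_SVCHOST_DIR).lower():
            return f"{kind} '{name}': svchost.exe outside System32 -> {path}"
        return None
    if base == "svchost.dll":
        # Windows ships no svchost.dll; the thread's Panda scan flagged one as adware.
        return f"{kind} '{name}': unexpected svchost.dll -> {path}"
    return None


def audit(text):
    """All findings for a log, in log order."""
    return [f for f in (classify(*e) for e in parse_hjt(text)) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample the legitimate System32 svchost.exe passes, while the C:\WINDOWS copy is reported twice (once as a running process, once via its Run value) and the svchost.dll once.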

billyjoey
2007-01-31, 01:01
Thank you very much for your help.
I have removed both the svchost.exe from the Windows folder and the svchost.dll from the system32 folder.

From the looks of your last post these are the last steps needed to secure my computer, but I would like to know if you think there is anything else I can do.

Thank you again for your time and assistance.

pskelley
2007-01-31, 01:13
You sure are welcome, I was not rushing, just trying to get information in your hands. Once you have reviewed those links from experts, if you still have questions, post them. I will do my best to give you any answers you need.

Thanks...Phil:)

pskelley
2007-02-11, 18:55
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.