Attention Speedy Gonzalez Or Anyone Re Hijack This



Term_X
13-07-2006, 02:45 PM
hi team

Just recently, AVG detected a virus-infected file similar to rsvp.dll or similar (can't remember exactly), which AVG placed in the vault and said it would heal, but it kept detecting it every restart, so I deleted it instead. This stopped the detection but also meant I could get online but not connect to websites, check email in Outlook etc. There was also a svchost.exe file which was always on 100% CPU usage; I killed the process, things went back to System Idle 99%, reinstalled TCP/IP and also used a reset winsock command. Ran HijackThis and "guessed" which things looked dodgy. Seems like everything is fine now... can connect to websites now etc. like normal, email via Outlook and AVG updates fine. I've run another log below to see if there's anything left that might be worth deleting/checking also.

Running WinXP Pro SP2.

Logfile of HijackThis v1.99.1
Scan saved at 1:32:34 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\WINDOWS\system32\tcpsvcs.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\fxssvc.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ioloDelayModule] "E:\Program Files\iolo\System Mechanic Professional 6\delay.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D03E4B-ABCD-47C8-AF97-33E6D9B9B017}: NameServer = 210.48.65.2 210.48.66.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

kjaada
13-07-2006, 05:33 PM
It does not look as if Speedy or Pancake are about.
O17 is a baddy unless it is something put there by your ISP or your work server.
I do not know how you tell if it was put there by one of them though. All else looks OK.
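The question of how to tell whether an O17 NameServer entry belongs to your ISP comes down to comparing the hard-coded resolvers against the ones your ISP or router actually hands out (for example, from `ipconfig /all` on a known-good machine on the same connection). The script below is an added example and is not part of this thread or of HijackThis itself: it parses the O17 and O23 lines from the log posted above (copied in as constructed sample data), reports any public resolver that is not on a caller-supplied allowlist, and also reports O23 services whose binary is missing or whose publisher is unknown, which is exactly the rpcapd entry in this log. The allowlist contents are an assumption the caller must supply; nothing here decides on its own that a given address is the ISP's.

```python
"""Triage O17 (DNS NameServer) and O23 (service) lines from a HijackThis log.

Added example, not part of the original thread. Assumption: the caller
supplies the resolver addresses their ISP or router actually hands out
(compare against `ipconfig /all` on a known-good machine); anything else
that is hard-coded into the Tcpip registry key is flagged for review.
"""
import ipaddress
import re

# Constructed sample: the O17 and O23 lines copied from the log posted above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D03E4B-ABCD-47C8-AF97-33E6D9B9B017}: NameServer = 210.48.65.2 210.48.66.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_o17(line):
    """Return (registry key, [nameserver, ...]) for an O17 line, else None.
    HijackThis lists multiple resolvers separated by spaces or commas."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
    return m.group("key"), servers


def classify_nameserver(ip_str, trusted):
    """'trusted' if on the caller's allowlist, 'local' for RFC1918/loopback
    (a home router or corporate DNS), 'invalid' if not an IP, else 'unknown'."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if ip in trusted:
        return "trusted"
    if ip.is_private or ip.is_loopback:
        return "local"
    return "unknown"


def audit(log_text, trusted_resolvers=()):
    """Walk a HijackThis log and return (section, subject, reason) tuples for
    O17 resolvers that are neither trusted nor local, and for O23 services
    whose binary is missing or whose publisher is unknown."""
    trusted = {ipaddress.ip_address(x) for x in trusted_resolvers}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o17 = parse_o17(line)
        if o17 is not None:
            _key, servers = o17
            for s in servers:
                verdict = classify_nameserver(s, trusted)
                if verdict not in ("trusted", "local"):
                    findings.append(("O17", s, verdict))
            continue
        m = O23_RE.match(line)
        if m is None:
            continue
        name, owner, path = m.group("name"), m.group("owner"), m.group("path")
        if path.endswith("(file missing)"):
            findings.append(("O23", name, "file missing"))
        if owner == "Unknown owner":
            findings.append(("O23", name, "unknown owner"))
    return findings


if __name__ == "__main__":
    # With an empty allowlist every hard-coded public resolver is reported.
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run it with your ISP's resolvers in the allowlist and the O17 findings disappear; if they stay, the addresses in the registry are not the ones your connection is supposed to use. The rpcapd service is reported twice here (missing binary, unknown owner), which matches the later advice in the thread that it was left behind by an uninstalled capture program.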

SurferJoe46
13-07-2006, 07:18 PM
Nothing really too much to worry over in that log... try running it in Safe Mode... turn off System Restore (I don't ever run it at all) and submit a log again... send a copy to WordPad or NoteBook in a folder on the desktop so you can access it in normal boot-up and send it out from there.

You've got a couple of harmless entries, but they aren't causing any troubles that I can see.

This one:

Winpcap service. Open source packet sniffing library for network analysis or sniffing of passwords. Often used by intrusion detection systems.

is a sniffer or use logger... did your parents install it?

Speedy Gonzales
13-07-2006, 09:20 PM
The log looks fine to me. Although, I would install some kind of firewall.

Term_X
13-07-2006, 10:57 PM
Thanks Speedy! I used to have Kaspersky firewall but it had a habit of stopping everything, lol; it was a bit tooooo good (if there's such a thing), so hence no firewall running. Although I must admit, the infection started after uninstalling the firewall :-(

The WinPcap thing I think needed to be installed, as I got some software to capture streaming music videos from youtube.com but it never worked! So I uninstalled the capture prog but forgot about WinPcap.

Seen all the posts about HijackThis and didn't think I needed it. But I did, and it is definitely a very good lil program.

Thanks for the feedback, people.