
Author Topic: Please take a look.  (Read 39719 times)


Ivy
Please take a look.
« on: September 22, 2007, 07:44:55 AM »
Today my virus scan detected Trojans, but they were cleaned (deleted).
I have experienced repeated infections on my computer before, and I want to prevent it this time.
I'm using Windows XP Pro, Comodo and McAfee antivirus. I have run HJT and here is the logfile; could someone please tell me if there is anything suspicious in it?

Logfile of HijackThis v1.99.1
Scan saved at 7:04:22 PM, on 9/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://in.search.yahoo.com
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6543E2C5-829D-414B-B44F-96201B0C51B6}: NameServer = 202.144.13.50,202.144.66.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Thank you.

Ivy
Re: Please take a look.
« Reply #1 on: September 22, 2007, 08:53:23 AM »
http://www.payseal.icicibank.com/
BTW, I have never seen or visited the above mentioned site (or that sifymall thing) :-\, I just saw them for the first time in the logfile itself.
Thank you
« Last Edit: September 22, 2007, 09:56:33 AM by Ivy »

Safety_First
Re: Please take a look.
« Reply #2 on: September 22, 2007, 10:25:06 AM »
I would recommend downloading Ad-Aware (if you don't already have it [custom scan > scan within archives]), scanning with that (although it is an adware/malware scanner), rebooting and scanning again (with all your AV scanners). That's what I do. Additionally, do you have System Restore turned on? I've heard that viruses can restore themselves via System Restore. However, don't count on me; wait for an expert to seal the deal :) Hope your problem gets sorted soon.
Additionally, your log file looks fine, but again, wait for the pros.

Ivy
Re: Please take a look.
« Reply #3 on: September 22, 2007, 10:37:21 AM »
Thanks! :)
And yes, let's wait for CBmatt to have a look at this.

unlovedwarrior

Re: Please take a look.
« Reply #4 on: September 22, 2007, 11:33:59 AM »
Wait to mess with the restore until after we have cleared you. Google Trend Micro HouseCall and give that a try and see if it finds something.

Ivy

Re: Please take a look.
« Reply #5 on: September 22, 2007, 12:13:00 PM »
Okay, I'm gonna go to http://housecall.trendmicro.com/ and see what the results are.

unlovedwarrior

Re: Please take a look.
« Reply #6 on: September 22, 2007, 12:31:55 PM »
Post them here too.

Fed

Re: Please take a look.
« Reply #7 on: September 22, 2007, 05:45:53 PM »
Update your Windows (critical updates).

Use HJT to remove the following.
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Change the attributes on your HOSTS file to 'read only'.

Consider installing Spybot S&D and using the realtime protection offered in the 'Tools' section.
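The three removals Fed lists come down to rules that can be applied to any HijackThis log: an O1 line maps a hostname to something other than a loopback address (here a bank's payment gateway, which is a classic pharming setup), and an O2 BHO is registered but its file is gone. The script below is an added example written for this page, not HijackThis code and not something posted in the thread. It parses O1, O2 and O17 lines, flags the first two cases, and lists O17 name servers for manual confirmation against the ISP (the log's O17 entry is not claimed to be malicious; it just cannot be judged without knowing the ISP). The sample log is a constructed excerpt of lines quoted above plus one benign loopback O1 line for contrast.

```python
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis log in the first post,
# plus one benign O1 line (127.0.0.1 localhost) added here for contrast.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O4 - HKLM\\..\\Run: [COMODO Firewall Pro] "C:\\Program Files\\Comodo\\Firewall\\CPF.exe" /background
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{6543E2C5-829D-414B-B44F-96201B0C51B6}: NameServer = 202.144.13.50,202.144.66.6
"""

# HijackThis line shapes (v1.99.1 format as shown in the log above).
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")


def is_local(ip_text):
    """True only for loopback or unspecified addresses (127.x, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a hostname or garbage in the IP column is not local either
    return ip.is_loopback or ip.is_unspecified


def triage(log_text):
    """Return a list of (section, action, detail) findings for an HJT log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()

        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            # Any hosts entry sending a real domain somewhere other than loopback
            # overrides DNS for that name: remove it unless you put it there yourself.
            if not is_local(ip):
                findings.append(("O1", "remove", f"hosts entry redirects {host} to {ip}"))
            continue

        m = O2_RE.match(line)
        if m:
            name, clsid, path = m.groups()
            # A BHO whose DLL is missing is dead weight at best and a
            # half-removed infection at worst; the registry entry should go.
            if path.strip().lower() == "(no file)":
                findings.append(("O2", "remove", f"orphaned BHO {clsid} ({name})"))
            continue

        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(1).split(",")]
            # Not a verdict: DNS servers must be checked against what the ISP
            # actually issues, since a changed resolver also redirects traffic.
            findings.append(("O17", "verify", f"DNS servers {servers}: confirm they belong to your ISP"))
    return findings


if __name__ == "__main__":
    for section, action, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {action:7} {detail}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The O1 rule deliberately treats every non-loopback mapping as a finding rather than trying to rate the IP: on a home machine the hosts file should contain nothing but localhost lines, so anything else is either your own deliberate entry or a hijack.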

Ivy

Re: Please take a look.
« Reply #8 on: September 22, 2007, 07:41:20 PM »
Thank you Fed,
I will do the rest of the above mentioned; how do I do this?
Change the attributes on your HOSTS file to 'read only'.

Ivy

Re: Please take a look.
« Reply #9 on: September 22, 2007, 08:05:19 PM »
As you know, since yesterday I have been trying to scan my computer with this http://housecall.trendmicro.com/, but every time it tries to scan my computer I lose my server. I don't usually have any troubles with my internet connection; as soon as I close the site window my internet starts working again!!!!!! Even on the site, when it starts scanning my computer it displays a message saying my internet speed is too slow; when I troubleshoot it says "unable to reach server", but as soon as I close that window it starts working again.
Please help.

Fed

Re: Please take a look.
« Reply #10 on: September 22, 2007, 09:06:59 PM »
Navigate to your HOSTS file; it will be in the following directory.

C:\Windows\system32\drivers\etc

Right click on the file and select 'Properties' and 'Read Only'.
Click Apply, OK, etc.

For the online scan try Panda ActiveScan.

You should run CCleaner Slim first just to clear the clutter.
If Panda finds anything it doesn't clean for you, then clean up the rest at the Ewido/AVG Anti-Spyware Online Scan; in fact you're better off going there first anyway.
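The manual steps above (find the hosts file, check what is in it, set it read-only) are easy to script and easy to verify afterwards. The following is an added example, not part of the thread and not code from any tool mentioned in it. It parses a hosts file, reports every entry that points anywhere other than loopback (the same test the two O1 lines in the log fail), and clears the write bits on a file, which on Windows is exactly the Read-only attribute the Properties dialog sets. The sample hosts content is constructed from the two entries in the log plus the normal localhost lines; writing the demo copy under the temp directory is an assumption made so the example runs anywhere without touching the real hosts file.

```python
import ipaddress
import os
import stat
import tempfile

# Constructed sample hosts file: the two redirects from the HijackThis log
# above plus the normal localhost lines and a comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.27.235.25   www.payseal.icicibank.com
210.210.19.82   www.sifymall.com   # trailing comment
"""

# Assumed demo location; the real file is %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_PATH = os.path.join(tempfile.gettempdir(), "hosts_readonly_example.txt")


def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for every non-comment entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names maps nothing
        entries.append((n, parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Entries whose address is not loopback/unspecified: each one is a candidate hijack."""
    bad = []
    for n, ip_text, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            bad.append((n, ip_text, hosts, "unparseable address"))
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            bad.append((n, ip_text, hosts, "non-loopback redirect"))
    return bad


def set_read_only(path):
    """Clear all write bits; on Windows this sets the Read-only attribute."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def is_read_only(path):
    """Check the mode bits rather than os.access(), which lies when run as root."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def write_and_lock(path, text):
    """Write the file, make it read-only, and report whether that took effect."""
    if os.path.exists(path):
        # Re-run safety: a previous run left the file read-only, so unlock first.
        os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)
    set_read_only(path)
    return is_read_only(path)


if __name__ == "__main__":
    for n, ip, hosts, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {ip} -> {' '.join(hosts)} ({why})")
    print("locked:", write_and_lock(SAMPLE_PATH, SAMPLE_HOSTS))
```

Two caveats a practitioner would add to the advice above. The Read-only attribute is a speed bump, not a control: anything running as the same user, let alone as Administrator, can clear it (`attrib -r`) and rewrite the file, which is why the real fix is a clean machine and not running as an administrator day to day. And the resolver does not hard-code the path; it reads it from the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so if edits to the file at the default location seem to have no effect, check that this value still points at `%SystemRoot%\system32\drivers\etc`.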

Ivy

Re: Please take a look.
« Reply #11 on: September 22, 2007, 09:22:37 PM »
I have changed the attributes on my HOSTS file to 'read only'. I'm gonna follow the next steps now.

Fed

Re: Please take a look.
« Reply #12 on: September 22, 2007, 09:29:38 PM »
We'll keep the light on Ivy, Good Luck!
When you come back there's one thing I'd like to share with you.

Ivy

Re: Please take a look.
« Reply #13 on: September 22, 2007, 09:32:23 PM »
I'm here; what would you like to share, Fed?

Ivy

Re: Please take a look.
« Reply #14 on: September 22, 2007, 10:24:39 PM »
Do I need to click on "scan now" or "download now"?
Here ---> (http://www.ewido.net/en/)