Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Please take a look.  (Read 30894 times)

0 Members and 1 Guest are viewing this topic.

Ivy

  • Guest
Please take a look.
« on: September 22, 2007, 07:44:55 AM »
Today my virus scan detected Trojans but they were cleaned(deleted),
i have expreanced repeated infections on my comp before, and i want to prevent it this time.
Im using Windows XP Pro., comodo  and McAfee antivirus, i have run HJT and here are the logfile , could someone please tell me if there is anything suspecious on it.

Logfile of HijackThis v1.99.1
Scan saved at 7:04:22 PM, on 9/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://in.search.yahoo.com
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6543E2C5-829D-414B-B44F-96201B0C51B6}: NameServer = 202.144.13.50,202.144.66.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Thankyou.

Ivy

  • Guest
Re: Please take a look.
« Reply #1 on: September 22, 2007, 08:53:23 AM »
http://www.payseal.icicibank.com/
BTW  i have never seen or visited the above mentioned site (or that sifimall thing) :-\, i just saw them for the first time on the logfile itself.
Thankyou
« Last Edit: September 22, 2007, 09:56:33 AM by Ivy »

Safety_First

  • Guest
Re: Please take a look.
« Reply #2 on: September 22, 2007, 10:25:06 AM »
I would recommend dowloading Ad-Aware (if you don't already have it [custom scan>scan within archives] ) - scan with that (although it is an adware/malware scanner) , reboot and scan again (with all your AV scanners.) , that's what I do. Additionally do you have system restore turned on I've heard that viruses can restore themselves via system restore. However don't count on me wait for an expert to seal the deal :) hope your problem gets sorted soon.
Additionally, your log file looks fine but again wait for the pro's

Ivy

  • Guest
Re: Please take a look.
« Reply #3 on: September 22, 2007, 10:37:21 AM »
Thanks ! :)
and yes lets wait for CBmatt to have a look at this.

unlovedwarrior



    Guru

  • someday this name will be known
  • Thanked: 13
    Re: Please take a look.
    « Reply #4 on: September 22, 2007, 11:33:59 AM »
    wait to mess with the restore after we have cleared you.. google trend micro house call and give that a try and see if it finds something

    Ivy

    • Guest
    Re: Please take a look.
    « Reply #5 on: September 22, 2007, 12:13:00 PM »
    Okay im gonna go to http://housecall.trendmicro.com/ and see what the results are.

    unlovedwarrior



      Guru

    • someday this name will be known
    • Thanked: 13
      Re: Please take a look.
      « Reply #6 on: September 22, 2007, 12:31:55 PM »
      post them here too

      Fed

      • Moderator


      • Sage
      • Thanked: 35
        • Experience: Experienced
        • OS: Windows XP
        Re: Please take a look.
        « Reply #7 on: September 22, 2007, 05:45:53 PM »
        Update your Windows (critical updates)

        Use HJT to remove the following.
        O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
        O1 - Hosts: 210.210.19.82 www.sifymall.com
        O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

        Change the attributes on your HOSTS file to 'read only'.

        Consider installing Spybot S&D and using the realtime protection offered in the 'Tools' section.

        Ivy

        • Guest
        Re: Please take a look.
        « Reply #8 on: September 22, 2007, 07:41:20 PM »
        Thankyou Fed,
         i will do the rest of the above mentioned, how do i do this?
        Change the attributes on your HOSTS file to 'read only'.

        Ivy

        • Guest
        Re: Please take a look.
        « Reply #9 on: September 22, 2007, 08:05:19 PM »
        As you know that since yesterday i have been trying to scan my comp with this http://housecall.trendmicro.com/ but everytime it trys to scan my computer i lose my server, i dont usually have any troubles with my internet connection  , as soon as i close the site windw my internet starts working again!!!!!! even on the site when it starts scanning my computer it displays a message saying my internet speed is too slow , when i troubleshoot it says'' unable to reach server'', but as soon as i close that window it starts working again.
        please help.

        Fed

        • Moderator


        • Sage
        • Thanked: 35
          • Experience: Experienced
          • OS: Windows XP
          Re: Please take a look.
          « Reply #10 on: September 22, 2007, 09:06:59 PM »
          Navigate to your HOSTS file, it will be in the following directory.

          C:\Windows\system32\drivers\etc

          Right click on the file and select 'Properties' and 'Read Only'.
          Click Apply OK etc...

          For the online scan try Panda Activescan

          You should run Ccleaner Slim first just to clear the clutter.
          If Panda finds anything it doesn't clean for you then clean up the rest at Ewido/AVG Anti-Spyware Online Scan in fact you're better off going there first anyway.

          Ivy

          • Guest
          Re: Please take a look.
          « Reply #11 on: September 22, 2007, 09:22:37 PM »
          I have Changed the attributes on my HOST  file to 'read only'.im gonna follow  the next steps now.


          Fed

          • Moderator


          • Sage
          • Thanked: 35
            • Experience: Experienced
            • OS: Windows XP
            Re: Please take a look.
            « Reply #12 on: September 22, 2007, 09:29:38 PM »
            We'll keep the light on Ivy, Good Luck!
            When you come back there's one thing I'd like to share with you.

            Ivy

            • Guest
            Re: Please take a look.
            « Reply #13 on: September 22, 2007, 09:32:23 PM »
            Im here what would you like to share Fed?

            Ivy

            • Guest
            Re: Please take a look.
            « Reply #14 on: September 22, 2007, 10:24:39 PM »
            Do i need to click on scan now or download now?
            here--->(http://www.ewido.net/en/)