Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Please take a look.  (Read 30893 times)

0 Members and 1 Guest are viewing this topic.

Ivy

  • Guest
Re: Please take a look.
« Reply #15 on: September 23, 2007, 02:05:55 AM »
Here is the Logfile of HJT after deleting
O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
O1 - Hosts: 210.210.19.82 www.sifymall.com


Logfile of HijackThis v1.99.1
Scan saved at 1:32:00 PM, on 9/23/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sify Broadband\BBImpSec.exe
C:\Documents and Settings\All Users\Documents\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://in.search.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6543E2C5-829D-414B-B44F-96201B0C51B6}: NameServer = 202.144.13.50,202.144.66.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe


Fed

  • Moderator


  • Sage
  • Thanked: 35
    • Experience: Experienced
    • OS: Windows XP
    Re: Please take a look.
    « Reply #16 on: September 23, 2007, 02:27:24 PM »
    Update your Windows (critical updates)

    Use HJT to remove the following.
    O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com
    O1 - Hosts: 210.210.19.82 www.sifymall.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    Change the attributes on your HOSTS file to 'read only'.

    Consider installing Spybot S&D and using the realtime protection offered in the 'Tools' section.
    Just use the 'Scan Now' button, the program will still download and open on your computer but there will be no trace of it when you're finished.

    Ivy

    • Guest
    Re: Please take a look.
    « Reply #17 on: September 23, 2007, 11:27:25 PM »
    Here is the Report from Ewido Scan:
    _______________________________________ ___________
    ewido anti-spyware online scanner
       http://www.ewido.net
    _______________________________________ ___________


    Name: Adware.Generic
    Path: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Risk: Medium

    Name: Adware.Generic
    Path: HKU\S-1-5-21-1004336348-1708537768-725345543-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A}
    Risk: Medium

    Name: TrackingCookie.Msn
    Path: C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\[email protected][1].txt
    Risk: Medium

    Name: Not-A-Virus.RiskTool.Win32.Reboot.e
    Path: C:\System Volume Information\_restore{396B25D7-0623-44D8-8639-682B127B9B19}\RP2\A0001182.exe
    Risk: Low

    Name: Downloader.Agent.bgk
    Path: C:\System Volume Information\_restore{396B25D7-0623-44D8-8639-682B127B9B19}\RP7\A0012074.dll
    Risk: High

    Name: Not-A-Virus.Tool.Win32.RestartCounter
    Path: C:\WINDOWS\system32\Tools\Restart.exe
    Risk: Low

    Name: Downloader.Agent.bgk
    Path: C:\WINDOWS\Winhelp.dll
    Risk: High

    Infections Removed.

    Ivy

    • Guest
    Re: Please take a look.
    « Reply #18 on: September 23, 2007, 11:33:22 PM »
    Here is the Logfile Of HJT after running Ewido :
    Logfile of HijackThis v1.99.1
    Scan saved at 10:53:20 AM, on 9/24/2007
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Sify Broadband\BBClient.exe
    C:\Program Files\Sify Broadband\BBImpSec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Documents\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://in.search.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6543E2C5-829D-414B-B44F-96201B0C51B6}: NameServer = 202.144.13.50,202.144.66.6
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe



    I also have my windows updates on , do i still need to check for updates?My antivirus McAFee tries to connect to the internet for updates, do i allow it?
    Thanks a lot .

    Ivy

    • Guest
    Re: Please take a look.
    « Reply #19 on: September 23, 2007, 11:51:25 PM »
    I ran the Ewido scan again after cleaning the previous infections, here are the results.
    _______________________________________ ___________
    ewido anti-spyware online scanner
       http://www.ewido.net
    _______________________________________ ___________


    Name: Not-A-Virus.Tool.Win32.RestartCounter
    Path: C:\System Volume Information\_restore{396B25D7-0623-44D8-8639-682B127B9B19}\RP7\A0013314.exe
    Risk: Low

    Name: Downloader.Agent.bgk
    Path: C:\System Volume Information\_restore{396B25D7-0623-44D8-8639-682B127B9B19}\RP7\A0013315.dll
    Risk: High

    Update: I ran the scan again after cleaning the above mentioned infections and now it shows no infection found.

    (i know i know, im a good student , i do all my homework  :))
    « Last Edit: September 24, 2007, 12:19:50 AM by Ivy »

    The Saviour

    • Guest
    Re: Please take a look.
    « Reply #20 on: September 24, 2007, 12:26:53 AM »
    Ivy...

    It seems the remaining infections are in your system restore folder.

    You may want to:
    • Turn System Restore Off.
    • Boot into Safe Mode and run your malware scan(s) again.

    Please note that turning System Restore off will clear all System Restore points from your computer.

    Once the scans in Safe Mode are done and your malware protection has found and deleted and/or quarantined any infections...you should then turn System Restore back on and then run the Ewido scan again and post your results.

    Keep your fingers crossed...

    Ivy

    • Guest
    Re: Please take a look.
    « Reply #21 on: September 24, 2007, 12:36:41 AM »
    Update: I ran the scan again after cleaning the above mentioned infections and now it shows no infection found.
    Steve did you read the update in my post? do i still need to do the above suggested steps? if yes then i will just start doing that.
    If all System Restore points from my computer will be clared what will i need to do then?
    Thanks

    The Saviour

    • Guest
    Re: Please take a look.
    « Reply #22 on: September 24, 2007, 12:44:01 AM »
    Sorry, Ivy...I misread that post...I thought they were still there...I'm just a little tired and apologize.

    Now that you know your system is clean...it would be a good idea to turn System Restore off and then back on again.

    The reason being is that you want to start creating System Restore points for the times and dates when you knew your system was clean.

    If you are confident your system is now free of any and all infections...I would clear all previous System Restore points and start anew.

    I hope you understand what I'm referring to...I am a little tired and need to get some shut-eye.  However, if you'd like to wait for CBMatt's recommendation...by all means.

    I won't say that he'd approve 100% of my recommendation, but he will understand where I'm coming from.  I can't speak for him...know what I mean?


    -Steve

    Ivy

    • Guest
    Re: Please take a look.
    « Reply #23 on: September 24, 2007, 12:55:15 AM »
    Thankyou so much Steve, i will do as directed .

    Always keep the kid under your teaching hand  :).
    thanks again.

    The Saviour

    • Guest
    Re: Please take a look.
    « Reply #24 on: September 24, 2007, 12:56:56 AM »
    You're welcome, Ivy...

    Good-night...

    Fed

    • Moderator


    • Sage
    • Thanked: 35
      • Experience: Experienced
      • OS: Windows XP
      Re: Please take a look.
      « Reply #25 on: September 24, 2007, 02:59:43 PM »
      Allow your Antivirus program to update.
      Update WIndows using the Start Menu.
      Do NOT remove the following...
      O17 - HKLM\System\CCS\Services\Tcpip\..\{6543E2C5-829D-414B-B44F-96201B0C51B6}: NameServer = 202.144.13.50,202.144.66.6

      Ivy

      • Guest
      Re: Please take a look.
      « Reply #26 on: September 24, 2007, 08:37:23 PM »
      Thankyou Fed,
      I will let my antivirus to connect to the internet as from now.
      I wonder why unlovedwarriour deleted his previous posts here ???

      unlovedwarrior



        Guru

      • someday this name will be known
      • Thanked: 13
        Re: Please take a look.
        « Reply #27 on: September 24, 2007, 08:40:11 PM »
        tried to modify it and deleted on accident, doing 3 things at once

        Ivy

        • Guest
        Re: Please take a look.
        « Reply #28 on: September 25, 2007, 01:37:27 AM »
        Thanks a lot Fed , i really really appreciate your help.

        I have set comodo to allow my antivirus updated, and i went to the start menu from there to control panel anf from there to Security Centre and there it says that windows updates are on.

        im going to try the other scans now, please let me know what i need to do further.
        thankyou once again, thanks a lot for help.

        Fed

        • Moderator


        • Sage
        • Thanked: 35
          • Experience: Experienced
          • OS: Windows XP
          Re: Please take a look.
          « Reply #29 on: September 25, 2007, 04:05:02 PM »
          Hi Ivy, can you post a fresh HJT log please.
          I think it's time to harden your computer against future infections.
          BTW, do you have a Windows Update entry in your Start Menu?