HijackThis - Vishal Gupta


vaibhavtek

Guest
After seeing this (askvg.com), I am posting my log file details generated by HijackThis here in this forum rather than askvg.com due to some reason; I will post the reason afterwards...!!!

Vishal Gupta, I had generated the below content by HijackThis. Can u tell me whether my pc is infected by any Virus, Spyware, Adware or Trojan..???

My log file:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:57 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Plustek\OpticBook 3600 Corporate\Am32Plus.exe
C:\Program Files\Plustek\OpticBook 3600 Corporate\book express.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\GIMP-2.0\bin\gimp-2.4.exe
C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins\script-fu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\PlayerIE\playerIE.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - *fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DC57D1B-AB60-497E-B614-87A96FD08BC1}: NameServer = 218.248.240.23 218.248.240.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFE70012-96BD-4465-A852-D748E86E7E29}: NameServer = 172.16.0.1,202.138.103.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAACC208-8BF2-4C6C-9F90-373A7B3AD60B}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8156 bytes

Plz reply ASAP.

VG Plz help.

Thanks in advance VG..!!!

Vishal Gupta

Microsoft MVP
Please fix following:

Code:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)
You can also fix following entries which are useless and can be safely removed to speedup Windows:

Code:
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

vaibhavtek

Guest
Please fix following:

Code:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)

Ok, according to u this is Virus, Spyware, Adware or Trojan..???

Correct.

I am posting my log file details generated by HijackThis here in this forum rather than askvg.com due to some reason; I will post the reason afterwards...!!!

So my reason is this: how did u detect that those files (quoted above) are virus or spyware or Adware or Trojan...???

i.e. there are many files in the log details, but how did u detect that only these files are infected...???

Hope u understand my question...!!!

You can also fix following entries which are useless and can be safely removed to speedup Windows:

Code:
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"

How did u get that these entries are useless..???

Hope my question is clear to u..!!

Plz reply ASAP.

Vishal Gupta

Microsoft MVP
^^ The entries which I usually tell to fix are based on experience. For example, the first 2 entries which I suggested to fix show that there are some restrictions in Internet Explorer. It may be toolbar restrictions, homepage restrictions, Settings restrictions, and most of the time these are set by virus, spyware. So I suggested to fix them.

The other 2 entries show that a site is redirecting you somewhere which is suspicious, so it's better to remove it.

The other entries which I told you to fix to speedup Windows are obvious. Those are related to Java update checker, Graphics Card startup entry, etc. These can be disabled from startup to speedup your startup.

I hope you understood it.
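Added example, not code from the thread or from HijackThis: a small Python triage script that applies the rules VG gives above (O6 IE policy restrictions, O9 buttons whose target is missing or is a web URL, and a short list of non-essential O4 startup entries) to HijackThis log lines. The sample lines are copied from the log posted earlier in the thread; the rule set and verdict names are my own.

```python
import re
from collections import Counter

# Sample input: a handful of entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - *www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# O4 startup programs the thread calls non-essential, matched on the [name] tag (assumed list).
OPTIONAL_STARTUP = {"IgfxTray", "HotKeysCmds", "NeroFilterCheck", "TkBellExe", "SunJavaUpdateSched"}


def classify(line):
    """Return (verdict, reason) for one log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("section"), m.group("body")
    if sec == "O6":
        # IE restriction policies are rarely set on purpose on a home PC.
        return ("fix", "IE policy restriction present; commonly set by malware")
    if sec in ("O2", "O3", "O9", "R3"):
        if "(file missing)" in body or "(no file)" in body:
            return ("fix", "button/BHO/toolbar target missing")
        if re.search(r"\bwww\.|https?://", body):
            return ("fix", "button points at a web URL instead of a local file")
    if sec == "O4":
        tag = re.search(r"\[([^\]]+)\]", body)
        if tag and tag.group(1) in OPTIONAL_STARTUP:
            return ("optional", "non-essential startup entry; safe to disable")
    return ("keep", "no rule matched; review manually")


def triage(log_text):
    """Map each entry line to its (verdict, reason)."""
    return {ln: c for ln in log_text.splitlines() if (c := classify(ln))}


def verdict_counts(log_text):
    """Count verdicts over a whole log, e.g. {'fix': 2, 'optional': 1, 'keep': 3}."""
    return dict(Counter(v for v, _ in triage(log_text).values()))


if __name__ == "__main__":
    for ln, (verdict, why) in triage(SAMPLE_LOG).items():
        print(f"{verdict:8} {why:55} {ln[:60]}")
```

Everything that falls through to "keep" still needs a human look, which is the point VG makes about manual analysis.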

vaibhavtek

Guest
Dude, why did you create a separate thread for this purpose? Should've PM'ed Vishal Gupta.

PM is blocked by Vishal Gupta.
That's why I started a separate thread.

^^ The entries which I usually tell to fix are based on experience. For example, the first 2 entries which I suggested to fix show that there are some restrictions in Internet Explorer. It may be toolbar restrictions, homepage restrictions, Settings restrictions, and most of the time these are set by virus, spyware. So I suggested to fix them.

The other 2 entries show that a site is redirecting you somewhere which is suspicious, so it's better to remove it.

The other entries which I told you to fix to speedup Windows are obvious. Those are related to Java update checker, Graphics Card startup entry, etc. These can be disabled from startup to speedup your startup.

I hope you understood it.

Thanks VG.

U guys just rock.

According to u, u saw each and every line of my log file and said that.

Thanks for replying.

Vishal Gupta

Microsoft MVP
^^ Of course. I check every line; that's why I ask to post the log file content. A few ppl think that it might be auto analyzed at the hijackthis site but I never advise it cause the results are not accurate. They are just based on the older results. It's always better to manually analyze it and fix the required entries.

vaibhavtek

Guest
^^ Are u sure that after removing these files in Safe Mode, I will not get any Virus, Trojan etc etc detected in any Anti-Virus, Anti-Spyware Software..???

vaibhavtek

Guest
^^ Of course. I check every line; that's why I ask to post the log file content. A few ppl think that it might be auto analyzed at the hijackthis site but I never advise it cause the results are not accurate. They are just based on the older results. It's always better to manually analyze it and fix the required entries.

Thanks for replying and understanding me.

After looking at the thread title I thought Vishal Gupta got hijacked :D

lol :))

heh... use CCleaner to fix those registries :p

u r a funky guy!

CCleaner does not remove any Virus, Adware, Spyware etc etc.
CCleaner fixes registry problems, but there are none in my system.
I have used CCleaner for a long time.

anandk

Distinguished Member
Just as one cannot trust automated analysis, one cannot trust an expert NOT to make mistakes. While an expert's judgement may be his own individually only, the following sites auto-analyse logs, based on tons of data collected, to make their recommendations! Ultimately, you need to make your own call, considering all.

HijackThis.de
Prevx
Networktechs
Help2Go

One can also download HijackThis Reader and use it.
Vishal Gupta

Microsoft MVP
^^ I neither said I'm an expert nor said I can't make mistakes. Since he asked for my help, I tried my best to help him. I posted my personal experience. It's always better to check the file manually instead of an automatic process.

@vaibhav
Please don't ask problems to a particular member. It's a forum, not a site. Everyone wants to help, and asking one member for help is like insulting the others. I hope you can understand it.