Ok, I've cleaned up the unwanted IE Favourites and other lingering files, emptied the trash and the Java cache. I did forget to empty the trash again between clearing Java cache and running Panda activescan. Oops! Hopefully not major.
In the folder C:\WINDOWS\Downloaded Program Files - I deleted a PopCapLoader Program File from the list, but I can't see the popcaploader.dll in the folder, even though Panda Activescan says it's still there. The folder seems to have some sort of special viewing mode...
Here are the results of fresh Activescan and HijackThis scans:
HijackThis - KRC
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 10:59:19 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05c24f3ce4bf28632d02/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co.../en/x86/client/wuweb_site.cab?1100597589093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
End of KRC HijackThis Analyzer Log.
====================================================================
Panda Activescan
Incident                      Status          Location
Adware:Adware/SaveNow         No disinfected  Windows Registry
Adware:Adware/SearchAid       No disinfected  C:\Program Files\HijackThis\backups\backup-20050710-125234-650.dll
Adware:Adware/CWS.Aboutblank  No disinfected  C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-1003\Dc2.exe
Adware:Adware/WUpd            No disinfected  C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc5.cab[WinadX.dll]
Adware:Adware/WUpd            No disinfected  C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc5.cab[WinadX.inf]
Adware:Adware/Howprotect      No disinfected  C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc6.exe
Adware:Adware/CWS.Aboutblank  No disinfected  C:\RECYCLER\S-1-5-21-790525478-484763869-682003330-500\Dc7.exe
Adware:Adware/PopCapLoader    No disinfected  C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/SearchAid       No disinfected  C:\WINDOWS\system32\crpz32.dll