kavithasmenon HJT log

kavithasmenon · 12-27-2004, 02:50 AM

Hi Folks,

I need some comments from you on a problem one of my very close friend is facing.

So the situation goes like this-they had a new computer installed at their office and it was meant for exclusively my friend's usage.
The person in charge of the comp section came installed it and went but they had lots of probs regarding getting connected to the internet ( it was a dial up connection) and also the comp seemed to shut down half teh time.

That was in fact ok coz my friend had to face another embarassing situation in which upon plugging in the network cable, a pop up window (error window) came up which referred to a porn site and that proves to be really embarassing.

This is a mystery coz only she and 2 other users had access to the machine and then the internet was also not functioning well.
What could the problem be due to?
Could it be some virus/trojans etc doing this act?

Please advise. It would be of immense help.

Thanks,
K

CTSNKY · 12-27-2004, 03:26 AM

First advice is to not post your questions in someone else's thread. This is why I split yours off by itself.

Second piece of advice is to do this......

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.

kavithasmenon · 12-27-2004, 04:45 AM

Thank you. AM new to this hence the mistake occurred of posting a reply onto another therad.
Shall try out ur suggestion.
Shall ask my friend to try out what u have suggested.
Meanwhile a qn...may b foolish...what is a spyware?and y wld it cause such problems?

greyknight17 · 12-27-2004, 06:04 AM

Spyware is installed (most likely) without your knowledge. They could do anything from keeping track of what you are doing to causing a major slowdown on your computer. Usually popups and toolbars are associated with spyware. Hence the problems.

Make sure to post a log file.

kavithasmenon · 12-27-2004, 07:58 PM

Thank you so much. I shall advise my friend to run the checks that u have suggested...It would be great if you could give me some reference sites wherein it is indicated that popping up of such windows does not mean that an user has accessed those sites coz it seems she is in soup because of the matter having been taken to higher officials which is indeed very silly of them to do without having actually looked into the matter.
Her job is now at stake and the poor thing is very worried. I was suggesting that if she happens to catch hold of some relevent material to show it to the higher authorities and convince them of the same.
The comp was new and installed for her usage only. It was connected and probably left for a day or so without any antivirus software. Could any relevant link be obtained wherein she could show it to her boss and prove that she is innocent. She is in a very pathetic state and i so desperately want to do my best to pull her out of this situation but am not well versed about computers hence am turning to you for help.
Thank you so much for the help indeed.
regards,
K

greyknight17 · 12-28-2004, 01:49 PM

Depending on what kind of spyware your friend has on that computer, it may have come from software or websites.

If the company has a decent IT department, they should know that spyware could spread like wildfire if a computer is not protected. We'll try our best to help you and your friend determine the cause of the infection and remove it also. We'll need the HijackThis log.

kavithasmenon · 12-28-2004, 08:55 PM

thank u friend.
I shall get abck to you after hearing from her. I have given her your suggestions.
Thanks a ton for ur help.
Happy new year.
k

kavithasmenon · 01-07-2005, 05:04 AM

Hi Folks,

Wish you a happy new year.

Well, coming back to the problem I had been discussing with you, my friend has managed to get the log file as u had suggested:

Its as follows:

Logfile of HijackThis v1.99.0
Scan saved at 12:51:33 PM, on 1/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wauamgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKLM\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKCU\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKCU\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Then it was analysed as instructed by you and the result is as follows:

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 12:55:28 PM, on 1/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\wauamgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKLM\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKCU\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKCU\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

End of HijackThis Analyzer Log.

I have got a query. This was the log file as done today.
Does the result include details of work done earlier on the machine?
I just wanted to clarify with you.
Please help us out by clarifying our dbts.
Thanks a ton.
happy new year once again.
k

CTSNKY · 01-07-2005, 05:12 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\wauamgr.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKLM\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKCU\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe
O4 - HKCU\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\wauamgr.exe

Reboot into Normal Mode and run new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

kavithasmenon · 01-07-2005, 10:17 PM

Hi,
Thanks for the reply. Got a dbt...
Does this mean that:
C:\WINDOWS\System32\wauamgr.exe
is a spyware?
I am not able to interpret teh results. Wld be great if you explain it to me.
Another piece of information is that:
the computer was cleaned and reformatted b4 this log file was taken using HJT software as u asked me to do.
Thanks a ton again,
regards,
K

kavithasmenon · 01-08-2005, 12:43 AM

Hi,

To prover her innocent we need to get proof that the system was attacked by the spyware or any other malicious program and then show those log files to the senior officers so that they can get convinced that it was not her who accessed the site.
What should we do to get that information out?
Please help. My friend is quite worried since her job and reputation is at stake.
Thanks,
K

greyknight17 · 01-08-2005, 06:18 AM

This one is very hard to prove since it has little traces of where it came from. It could also be a possible virus/trojan.

Did you run Ad-aware or Spybot before? If they caught spyware, we may be able to assist you there better.

kavithasmenon · 01-10-2005, 05:58 AM

Hi,

I dont think she has run SpyBot before.
Given this l;og file is there any indication that the system was hacked or there were these malicious files lurking on the comp that caused this problem?
Does anything in the file hint so.
Its all greek and latin to us.
Thanks again.
with warm regards,
K

greyknight17 · 01-10-2005, 06:03 AM

How about Ad-aware? We need more information.

This file doesn't have enough information for us to trace it back. In that log, this is the only file that is bad -> wauamgr.exe

So even if it's removed, she will still have to prove it wasn't her who caused that? Without more information (like Ad-aware logs or others if she used them), we can't help you out more.

12-27-2004, 02:50 AM	#1 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	hEY COMPUTER EXPERTS HELP ME OUT PLZZ!!! Hi Folks, I need some comments from you on a problem one of my very close friend is facing. So the situation goes like this-they had a new computer installed at their office and it was meant for exclusively my friend's usage. The person in charge of the comp section came installed it and went but they had lots of probs regarding getting connected to the internet ( it was a dial up connection) and also the comp seemed to shut down half teh time. That was in fact ok coz my friend had to face another embarassing situation in which upon plugging in the network cable, a pop up window (error window) came up which referred to a porn site and that proves to be really embarassing. This is a mystery coz only she and 2 other users had access to the machine and then the internet was also not functioning well. What could the problem be due to? Could it be some virus/trojans etc doing this act? Please advise. It would be of immense help. Thanks, K

12-27-2004, 03:26 AM	#2 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	First advice is to not post your questions in someone else's thread. This is why I split yours off by itself. Second piece of advice is to do this...... Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless. __________________ GO BIG BLUE!!

12-27-2004, 06:04 AM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Spyware is installed (most likely) without your knowledge. They could do anything from keeping track of what you are doing to causing a major slowdown on your computer. Usually popups and toolbars are associated with spyware. Hence the problems. Make sure to post a log file. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

12-28-2004, 01:49 PM	#6 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Depending on what kind of spyware your friend has on that computer, it may have come from software or websites. If the company has a decent IT department, they should know that spyware could spread like wildfire if a computer is not protected. We'll try our best to help you and your friend determine the cause of the infection and remove it also. We'll need the HijackThis log. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

01-07-2005, 05:12 AM	#9 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\System32\wauamgr.exe Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKLM\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKCU\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKCU\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\System32\wauamgr.exe Reboot into Normal Mode and run new HijackThis scan. Save the log file and run HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ GO BIG BLUE!!

12-27-2004, 04:45 AM	#3 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	Thank you. AM new to this hence the mistake occurred of posting a reply onto another therad. Shall try out ur suggestion. Shall ask my friend to try out what u have suggested. Meanwhile a qn...may b foolish...what is a spyware?and y wld it cause such problems?

12-27-2004, 07:58 PM	#5 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	Thank you so much. I shall advise my friend to run the checks that u have suggested...It would be great if you could give me some reference sites wherein it is indicated that popping up of such windows does not mean that an user has accessed those sites coz it seems she is in soup because of the matter having been taken to higher officials which is indeed very silly of them to do without having actually looked into the matter. Her job is now at stake and the poor thing is very worried. I was suggesting that if she happens to catch hold of some relevent material to show it to the higher authorities and convince them of the same. The comp was new and installed for her usage only. It was connected and probably left for a day or so without any antivirus software. Could any relevant link be obtained wherein she could show it to her boss and prove that she is innocent. She is in a very pathetic state and i so desperately want to do my best to pull her out of this situation but am not well versed about computers hence am turning to you for help. Thank you so much for the help indeed. regards, K

12-28-2004, 08:55 PM	#7 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	thank u friend. I shall get abck to you after hearing from her. I have given her your suggestions. Thanks a ton for ur help. Happy new year. k

01-07-2005, 05:04 AM	#8 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	Hi Folks, Wish you a happy new year. Well, coming back to the problem I had been discussing with you, my friend has managed to get the log file as u had suggested: Its as follows: Logfile of HijackThis v1.99.0 Scan saved at 12:51:33 PM, on 1/7/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wauamgr.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\HJT\HijackThis.exe F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKLM\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKCU\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKCU\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe Then it was analysed as instructed by you and the result is as follows: =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 1/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\mcshield.exe C:\Program Files\Network Associates\VirusScan\vstskmgr.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 12:55:28 PM, on 1/7/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\wauamgr.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home F2 - REG:system.ini: Shell=explorer.exe O4 - HKLM\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKLM\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKCU\..\Run: [Windows Auto Update Agent Manager] wauamgr.exe O4 - HKCU\..\RunServices: [Windows Auto Update Agent Manager] wauamgr.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm End of HijackThis Analyzer Log. I have got a query. This was the log file as done today. Does the result include details of work done earlier on the machine? I just wanted to clarify with you. Please help us out by clarifying our dbts. Thanks a ton. happy new year once again. k

01-07-2005, 10:17 PM	#10 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	Hi, Thanks for the reply. Got a dbt... Does this mean that: C:\WINDOWS\System32\wauamgr.exe is a spyware? I am not able to interpret teh results. Wld be great if you explain it to me. Another piece of information is that: the computer was cleaned and reformatted b4 this log file was taken using HJT software as u asked me to do. Thanks a ton again, regards, K

01-08-2005, 12:43 AM	#11 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	Hi, To prover her innocent we need to get proof that the system was attacked by the spyware or any other malicious program and then show those log files to the senior officers so that they can get convinced that it was not her who accessed the site. What should we do to get that information out? Please help. My friend is quite worried since her job and reputation is at stake. Thanks, K

01-08-2005, 06:18 AM	#12 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	This one is very hard to prove since it has little traces of where it came from. It could also be a possible virus/trojan. Did you run Ad-aware or Spybot before? If they caught spyware, we may be able to assist you there better. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

01-10-2005, 05:58 AM	#13 (permalink)
kavithasmenon Registered User Join Date: Dec 2004 Posts: 8 OS: WinXP	Hi, I dont think she has run SpyBot before. Given this l;og file is there any indication that the system was hacked or there were these malicious files lurking on the comp that caused this problem? Does anything in the file hint so. Its all greek and latin to us. Thanks again. with warm regards, K

01-10-2005, 06:03 AM	#14 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	How about Ad-aware? We need more information. This file doesn't have enough information for us to trace it back. In that log, this is the only file that is bad -> wauamgr.exe So even if it's removed, she will still have to prove it wasn't her who caused that? Without more information (like Ad-aware logs or others if she used them), we can't help you out more. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools