I assume my PC is in good shape but....

SIMP

Member
I assume my PC is in good shape, but what does my HijackThis log reveal? I was wondering if someone could review my HijackThis log and let me know if they see any immediate threats or suspicious items. Any and all help is greatly appreciated!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1194059075062
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

Thanks again!!
 
The only thing I can see is this autostartup: O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

It's nothing nasty, just a monitoring tool which Realtek uses to collect data about their customers. I'd just disable the startup: click Start > Run, type msconfig, go to the 'Startup' tab and look for alcmtr.exe. Once you've found it, simply untick the checkbox next to the entry and click 'OK' to disable it.

But just to be 100% sure, we should check that this line (O4 - HKLM\..\Run: [nwiz] nwiz.exe /install) is actually from your nvidia graphics card, and not a variant of the gaobot worm.

To check this, open regedit (start>run, then type regedit) and see if you can find either of these entries: (note: DON'T delete anything, just look and report back!)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Norton Wizzard = nwiz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Norton Wizzard = nwiz.exe

And while you're in regedit, also check if there is a value called:

winapii %windir%\Winapii\Winapii.exe

in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

But I'm fairly confident you won't find it, as you have an nvidia graphics card and the entry that made me suspicious (C:\WINDOWS\system32\nvsvc32.exe) is usually just part of a nvidia driver. (Again: just look, don't delete anything!)

And yeah, gamemaster is probably right - I'm just being paranoid and want to make 100% sure, lol...
 
No, it's ok. The thing is, ALCMTR.EXE being put in your startup is true, yes; remove it from startup only if you didn't put it there and if you find your computer a bit slower.
 
No, it's ok. The thing is, ALCMTR.EXE being put in your startup is true, yes; remove it from startup only if you didn't put it there and if you find your computer a bit slower.
Personally, I'd disable it anyway - I usually get rid of anything I don't need. It's up to you, simp. Don't delete it though, as doing so may cause your Realtek drivers to not update properly.
 
But just to be 100% sure, we should check that this line (O4 - HKLM\..\Run: [nwiz] nwiz.exe /install) is actually from your nvidia graphics card, and not a variant of the gaobot worm.

To check this, open regedit (start>run, then type regedit) and see if you can find either of these entries: (note: DON'T delete anything, just look and report back!)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Norton Wizzard = nwiz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Norton Wizzard = nwiz.exe
I suggest you check how those entries would appear in a HijackThis log - they will be quite different to the legitimate nVidia entry (only the legitimate entry is present in his log). You'll see nwiz in a lot of logfiles and checking in this manner is not really appropriate.

ALCMTR.EXE should indeed be removed, even though it's not really malicious. See http://www.castlecops.com/s5306-ALCMTR_EXE.html. You can disable it in msconfig if you'd like, but I'd remove the entry permanently with HijackThis.

To do so, please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:
  • O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
Please close all open windows except for HijackThis and choose Fix checked
 
I suggest you check how those entries would appear in a HijackThis log - they will be quite different to the legitimate nVidia entry (only the legitimate entry is present in his log). You'll see nwiz in a lot of logfiles and checking in this manner is not really appropriate.
Thanks, I'm still learning (using the bleepingcomputers tutorial) so any advice helps! So how would I check how the malicious ones would appear in HijackThis? Just google or what?
 
To elaborate, the syntax of HijackThis O4 entries is as follows:

O4 - Loading Point: [Name] Filename

If I search the CastleCops O4 listing for nwiz.exe, I get the following results: http://www.castlecops.com/modules.php?name=StartupList&query=nwiz.exe

We can see that of the three entries, only the legitimate nVidia entry matches both in name and filename, and thus is the only entry present.

If the gaobot registry keys you referred to were present, they would appear as follows:

  • O4 - HKLM\..\Run: [Norton Wizzard] nwiz.exe
  • O4 - HKLM\..\RunServices: [Norton Wizzard] nwiz.exe

Reading the publicly visible tutorials will only get you so far. If you want to learn more I suggest signing up for the training course at any of the major anti-malware sites, I've listed a few of them at http://www.computerforum.com/853855-post10.html
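The two points made in this thread (the regedit check for the "Norton Wizzard" and "winapii" Run values, and the explanation that an O4 line is only trusted when both its [Name] and its filename match a known-good entry) can be turned into a small triage script. The following is an added example, not code from the thread or from HijackThis: it parses O4 lines with the `O4 - Loading Point: [Name] Filename` syntax described above and compares name and filename against two constructed tables built from the entries discussed here (the allow/deny tables are illustrative, not an authoritative database). The sample log mixes real lines from the poster's log with the hypothetical gaobot lines and one made-up `[nview] nwiz.exe` line to show the name-mismatch verdict.

```python
"""Triage HijackThis O4 (autostart) entries by matching BOTH the value name
and the filename, as the thread recommends.

Added example: not part of the original forum post and not HijackThis code.
The allow/deny tables are constructed for illustration from entries discussed
in the thread; they are not an authoritative database.
"""
import re
from typing import Dict, List, Optional, Tuple

# HijackThis prints autostart entries as:
#   O4 - <Loading Point>: [<Name>] <Filename> [args] [(User '<account>')]
O4_RE = re.compile(
    r"^O4 - (?P<point>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Constructed allowlist: (value name, executable) pairs taken from legitimate
# entries in the poster's log. Names are lower-cased because registry value
# names are case-insensitive.
KNOWN_GOOD: Dict[Tuple[str, str], str] = {
    ("nwiz", "nwiz.exe"): "NVIDIA nView (nwiz.exe /install)",
    ("avg7_cc", "avgcc.exe"): "AVG 7 Control Center",
    ("avg7_run", "avgw.exe"): "AVG 7 per-user run-once",
    ("sunjavaupdatesched", "jusched.exe"): "Sun Java update scheduler",
}

# Constructed denylist: how the gaobot / winapii registry values from the
# thread would appear if HijackThis listed them.
KNOWN_BAD: Dict[Tuple[str, str], str] = {
    ("norton wizzard", "nwiz.exe"): "gaobot variant posing as nwiz.exe",
    ("winapii", "winapii.exe"): "winapii autostart discussed in the thread",
}


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into loading point, name, command, user and filename."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # The executable is either a quoted path or the text up to the first space.
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split(" ", 1)[0]
    filename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {
        "point": m.group("point"),
        "name": m.group("name"),
        "cmd": cmd,
        "user": m.group("user") or "",
        "filename": filename,
    }


def classify(entry: Dict[str, str]) -> str:
    """Verdict for a parsed O4 entry. Name AND filename must agree to pass."""
    key = (entry["name"].lower(), entry["filename"])
    if key in KNOWN_BAD:
        return "MALICIOUS"
    if key in KNOWN_GOOD:
        return "KNOWN_GOOD"
    # Right filename under a different value name: the pattern the thread
    # warns about, so it gets its own verdict rather than a plain UNKNOWN.
    if any(fn == entry["filename"] for _, fn in KNOWN_GOOD):
        return "NAME_MISMATCH"
    return "UNKNOWN"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (verdict, line) for every O4 line in a HijackThis log."""
    results: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            results.append((classify(entry), line.strip()))
    return results


# Constructed sample: real O4 lines from the poster's log, the two hypothetical
# gaobot lines and the winapii value from the thread, plus one made-up
# name-mismatch line ([nview] nwiz.exe) to show that verdict.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKLM\..\Run: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\RunServices: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\Run: [winapii] %windir%\Winapii\Winapii.exe
O4 - HKLM\..\Run: [nview] nwiz.exe
"""

if __name__ == "__main__":
    for verdict, text in triage(SAMPLE_LOG):
        print(f"{verdict:<13} {text}")
```

Run it as a script to see one verdict per line. The point the thread makes shows up directly: the poster's `[nwiz] nwiz.exe /install` comes back KNOWN_GOOD, while the same filename under the value name "Norton Wizzard" (or the made-up "nview") is flagged, because the match is on the pair, not on the filename alone. A real triage table would be far larger; the script only demonstrates the matching rule.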
 