Advice Needed

Lord_Vader · Aug 14, 2005

Hi Everyone

I have done a scan using Hijackthis and this is my result. Some programs that have appeared are outlined at the bottom.

I just wanted to ask, which of these command keys below can be or should be removed?

Logfile of HijackThis v1.99.1
Scan saved at 9:59:23 PM, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\System32\rundll32.exe
C:\Vet\VetTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 0<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAdware3] "C:\Program Files\NoAdware3\NoAdware3.exe" /s
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\HijackThis\HijackThis.exe /startupscan
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123836572846
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD51FF98-D99D-4B30-AD63-344DFBA1DF69}: NameServer = 203.2.75.132 198.142.0.51
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

VET = Anti-Virus Program
PPActiveDetection = systempest scan
Optus or optusnet = internet dialup

Kindest Regards
Lord Vader

Lorand · Aug 14, 2005

This entry is very dubious (but found no info of what it could be):
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
Anyway, I'd remove it...

dragon2309 · Aug 14, 2005

Process Name = svcnt.exe

Added by unidentified adware - recognized by Kaspersky antivirus as a variant of the FAVADD TROJAN

I know its not an exact match to the filename of the one found in HJT but it has the same root name, i'd definitely remove it.

Byteman · Aug 14, 2005

Vader,
Can you please upload that file using the link below, and let us know of the results? After that, we'll instruct further..

http://virusscan.jotti.org/

Lord_Vader · Aug 16, 2005

Hi All

Sorry for the late reply... The result is below, even when I used my vet scanner, it did not detect the file as a virus. Let me know what to do.

Thankyou again for your assistance

Vader.....

Service load: 0% 100%

File: svcnt32.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 35afbdbb55d4b6feb66b3b48be0f53dc
Packers detected: UPX
Scanner results
AntiVir Found TR/Dldr.Delf.KS.2
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.StartPage (probable variant)
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/Delf.KS-dldr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.ks
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Delf.ks

Lorand · Aug 16, 2005

So it's a malware after all. Get rid of it.

neochivers · Aug 16, 2005

makware?

Byteman · Aug 16, 2005

Lord Vader,

In Hijackthis put a check by the following items and click Fixed Checked:

O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home

Now click the Config button, then Misc Tools button, the Delete File on Reboot button and browse to the following file, and click the Open button:

C:\WINDOWS\system32\svcnt32.exe

Click Yes to reboot your system.

Now some other considerations...

I would suggest uninstalling the NoAdware program, (it has the worst detection capabilities). Also, why do you have HijackThis running on boot?

After all that, please run the virus scans in the sticky to get any leftovers from that virus.

Your WindowsXP is outdated, you need Service Pack 2 and the security updates as well. There are some great suggestions in the prevention sticky, you would do well to implement...

Advice Needed

Lord_Vader

New Member

Lorand

<b>VIP Member</b>

dragon2309

P.I Dragon

Byteman

Malware Destroyer