HJT log

jimmymac

VIP Member
One of the computers at home is running incredibly slowly on the internet at the moment. I'm running spyware as we speak, but it's been done a few times to no avail. Would someone take a look at the HJT log and let me know if you spot anything untoward?

Logfile of HijackThis v1.99.1
Scan saved at 18:18:26, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [USRobotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ADUserMon] "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe"
O4 - HKLM\..\Run: [Deskup] "C:\Program Files\Iomega\DriveIcons\deskup.exe" /IMGSTART
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CDriver] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [DDriver] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [beta] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [gamma] c:\Backup_Drivers\svchost.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\CS7D21~1.MAR\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
 
These entries are usually added by the trojan DELF.WG:
O4 - HKCU\..\Run: [CDriver] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [DDriver] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [beta] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [gamma] c:\Backup_Drivers\svchost.exe

Unless you think it's not suspicious, please do the following:

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

If you have any questions, don't hesitate! :)
 
ComboFix log as follows:

ComboFix 08-03-03.6 - C.S. Marks 2008-03-03 11:51:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1574 [GMT 0:00]
Running from: C:\Documents and Settings\C.S. Marks\My Documents\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.
2008-02-29 11:12 . 2008-02-29 11:12 17,144 --a------ C:\Documents and Settings\C.S. Marks\Application Data\GDIPFONTCACHEV1.DAT
2008-02-20 17:11 . 2008-02-20 17:11 <DIR> d-------- C:\Program Files\iPod
2008-02-20 17:11 . 2008-02-20 17:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-20 17:10 . 2008-02-20 17:10 <DIR> d-------- C:\Program Files\QuickTime
2008-02-14 12:13 . 2008-02-14 12:13 <DIR> d-------- C:\Documents and Settings\C.S. Marks\Application Data\Grisoft
2008-02-14 12:13 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-04 16:19 . 2008-02-04 16:19 <DIR> d-------- C:\Program Files\Serif
2008-02-04 16:19 . 1998-12-08 20:53 212,480 --------- C:\WINDOWS\pcdlib32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 17:44 --------- d-----w C:\Program Files\Quicken
2008-02-24 12:31 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-02-20 17:11 --------- d-----w C:\Program Files\iTunes
2008-02-14 12:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-14 12:08 --------- d-----w C:\Documents and Settings\C.S. Marks\Application Data\AVG7
2008-02-04 16:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 20:36 1,752 ----a-w C:\Documents and Settings\C.S. Marks\xrt_log.dat
2008-01-13 19:19 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-13 16:50 164 ----a-w C:\install.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 14:16 171464]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"SystemDriver"="" []
"FDriver"="" []
"ADriver"="" []
"CDriver"="c:\Backup_Drivers\svchost.exe" [ ]
"DDriver"="c:\Backup_Drivers\svchost.exe" [ ]
"alpha"="c:\Backup_Drivers\svchost.exe" [ ]
"beta"="c:\Backup_Drivers\svchost.exe" [ ]
"gamma"="c:\Backup_Drivers\svchost.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRobotics Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 15:28 1290240]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 15:39 147456]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30 86016]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55 32768]
"Lexmark X84-X85 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe" [2003-01-08 12:36 40960]
"Lexmark X84-X85 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" [2002-09-04 08:36 53248]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-09-18 17:52 36864]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 16:47 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00 15360]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"SystemDriver"="" []
"FDriver"="" []
"ADriver"="" []
"CDriver"="c:\Backup_Drivers\svchost.exe" [ ]
"DDriver"="c:\Backup_Drivers\svchost.exe" [ ]
"alpha"="c:\Backup_Drivers\svchost.exe" [ ]
"beta"="c:\Backup_Drivers\svchost.exe" [ ]
"gamma"="c:\Backup_Drivers\svchost.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 19:19 219136]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2007-10-13 12:48:52 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2007-10-13 14:24:22 57344]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"CDriver"= c:\Backup_Drivers\svchost.exe
"DDriver"= c:\Backup_Drivers\svchost.exe
"alpha"= c:\Backup_Drivers\svchost.exe
"beta"= c:\Backup_Drivers\svchost.exe
"gamma"= c:\Backup_Drivers\svchost.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9998:TCP"= 9998:TCP:BitComet 9998 TCP
"9998:UDP"= 9998:UDP:BitComet 9998 UDP
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 12:53]
S2 dnlsvc;MS Software Shadow Download Provider;"C:\DOCUME~1\CS7D21~1.MAR\LOCALS~1\Temp\dnlsvc.exe" []
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 15:42]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 11:54:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2008-03-03 11:56:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 11:55:54
.
2008-02-14 14:32:08 --- E O F ---
 
Just a note as to the reason for looking into this.

I have two systems on a wireless network here. My main one is absolutely fine, the internet is running at decent speeds and all is well. On the other system it's incredibly slow: when downloading it never gets above about 9 kb/s and web pages are taking forever, so any other suggestions on what could be at issue would be welcome.
 
Hmm, one thing that bothers me is that svchost.exe is not running from the right place. It could be malware. Let's look more into that.

Looking at your reply, the issue could be interference between the router and the receiver on the other computer (a wireless phone, a wall...). If there is no interference, check your router/wireless network settings to make sure you have not limited transfers for the other computer.
 
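As an added illustration (not from the thread or from any tool mentioned in it), here is a small Python checker that applies the observations made above to HijackThis-format lines: a Windows system binary name such as svchost.exe launched from outside C:\WINDOWS\system32, several autorun names all pointing at the same file, and a service whose binary lives under a Temp directory. The sample lines are copied from the logs above; the Windows directory (C:\WINDOWS) and the list of system binary names are assumptions.

```python
import re
from collections import Counter

# Binaries that only ever live in the Windows system directory; a copy
# elsewhere (c:\Backup_Drivers\svchost.exe above) is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed install path

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')


def suspicious_entries(log_text):
    """Return (reason, name, path) tuples for HJT O4/O23 lines worth a look."""
    findings = []
    targets = Counter()  # how many autorun names point at each binary
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = m.group("path").strip().lower()
            base = path.rsplit("\\", 1)[-1]
            targets[path] += 1
            if base in SYSTEM_BINARIES and not path.startswith(LEGIT_DIRS):
                findings.append(("masquerade", m.group("name"), path))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path").lower()
            if "\\temp\\" in path or "file missing" in path:
                findings.append(("temp-service", m.group("name"), path))
    for path, n in targets.items():
        if n > 1:
            findings.append(("multi-autorun", f"{n} entries", path))
    return findings


# Constructed sample: lines taken from the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CDriver] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [DDriver] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [beta] c:\Backup_Drivers\svchost.exe
O4 - HKCU\..\Run: [gamma] c:\Backup_Drivers\svchost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\CS7D21~1.MAR\LOCALS~1\Temp\dnlsvc.exe (file missing)
"""

if __name__ == "__main__":
    for reason, name, path in suspicious_entries(SAMPLE_LOG):
        print(f"{reason:14} {name:45} {path}")
```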
OK, svchost is not running in the right place. Let's take action:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished"; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
 