Can Someone Take a Look at This?


  1. Posts : 1,083
    Windows 7 Enterprise 64-bit
       #1

    I scanned my computer with HijackThis because I'm always trying to make sure nothing hidden is running on my computer. Call me paranoid, but I call it good security. Anyway, I noticed what seems to be a trojan or worm (see red bolded string) and was wondering what I should do about it and if there's anything else in this log I should be concerned about. Avira and Malwarebytes both didn't find it, so I'm really surprised to see it. Anyway, here's the log; thanks in advance:

    Code:
     
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:11:23 PM, on 3/25/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal
     
    Running processes:
    C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files (x86)\RocketDock\RocketDock.exe
    C:\Program Files (x86)\Belvedere\Belvedere.exe
    C:\Users\Frederick\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Users\Frederick\Documents\GDI++\gditray.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
    C:\Program Files (x86)\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    C:\Windows\SysWOW64\V0230Mon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Frederick\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
     
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files (x86)\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [V0230Mon.exe] C:\Windows\System32\V0230Mon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Frederick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - Startup: Dropbox.lnk = Frederick\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O4 - Startup: GDI++ Tray Notifier.lnk = Frederick\Documents\GDI++\gditray.exe
    O4 - Global Startup: Belvedere.lnk = C:\Program Files (x86)\Belvedere\Belvedere.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O13 - Gopher Prefix: 
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Driver...reqlab_nvd.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE67D05-E3DE-49E9-BB81-70834D2F8E17}: NameServer = 151.202.0.84,151.202.0.85
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\ASUS.SYS\config\DVMExportService.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
     
    --
    End of file - 9727 bytes
    Last edited by Brink; 25 Mar 2010 at 21:36. Reason: added code box


  2. Posts : 568
    Win7 x64 Ultimate SP1
       #2

    If Malwarebytes doesn't mind it, I'd leave it. Check again in a few days and see if it's been added to the blacklist.
    Ken


  3. Posts : 1,083
    Windows 7 Enterprise 64-bit
    Thread Starter
       #3

    Well, I know for a fact this is malware, but I wanted to decide the best course of action. Just check the box and remove it with HijackThis? 'Cause nothing else seems to see it, and I did Google it to make sure...

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


  4. Posts : 568
    Win7 x64 Ultimate SP1
       #4

    Then make a backup and remove it.

    Ken


  5. JMH
    Posts : 7,952
    Win 7 Ultimate 64-bit. SP1.
       #5

    This may be worth a try -
    SUPERAntiSpyware.com - Online Scanner


  6. Posts : 1,083
    Windows 7 Enterprise 64-bit
    Thread Starter
       #6

    Yeah, I used that as well. It didn't see them either. I just removed them with HijackThis, no negative effects, so I guess everything went well. Nothing else found after. Thanks guys.


  7. Posts : 2,686
    Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
       #7

    Product FRED said:
    Well, I know for a fact this is malware, but I wanted to decide the best course of action. Just check the box and remove it with HijackThis? 'Cause nothing else seems to see it, and I did Google it to make sure...

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    From what I found online, the WormRadar entry is a leftover from AVG 8.0 LinkScanner and was probably left behind on an uninstall.
    I suspect the (no name) entry is probably from Windows Live Messenger, and neither is malware. Deleting them is the best action.

    http://www.systemlookup.com/CLSID/39...gssie_dll.html

    http://www.systemlookup.com/CLSID/54865-wlchtc_dll.html


    Jim
    Last edited by Phone Man; 26 Mar 2010 at 00:00.
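    The two O2 entries Jim explains above are a good illustration of what a "(no file)" line in a HijackThis log means: a BHO CLSID is still registered in the registry, but the DLL it points to no longer exists on disk, which is what an incomplete uninstall leaves behind. The same triage question applies to the O23 service lines further up the log that end in "(file missing)" or show "Unknown owner". The following script is an added example, not part of the thread or of HijackThis itself: it parses the log line format shown in post #1, flags orphaned BHO registrations, and separates the service entries that need manual verification from those that carry a known publisher and an existing file. The sample lines are copied from the log above; the regular expressions and the finding categories ("orphan_bho", "file_missing", "unknown_owner") are my own assumptions about the format and are not HijackThis terminology.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: seven lines copied from the HijackThis log in post #1.
SAMPLE_LOG = [
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe",
    r"O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)",
]

# Assumed line shapes (derived from the log above, not an official grammar):
#   <section> - <body>                       e.g. "O2 - BHO: ..."
#   BHO: <name> - {CLSID} - <dll path | (no file)>
#   Service: <name> - <owner> - <exe path>[ (file missing)]
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    section: str  # HijackThis section id, e.g. "O2", "O4", "O23"
    body: str     # everything after "<section> - "


@dataclass
class Finding:
    kind: str     # "orphan_bho" | "file_missing" | "unknown_owner"
    section: str
    name: str
    detail: str   # CLSID for BHOs, reported path for services


def parse_log(lines: List[str]) -> List[Entry]:
    """Keep only the 'Rn - ...' / 'On - ...' entry lines; skip headers and process list."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries a reviewer should look at; nothing here is a verdict of 'malicious'."""
    findings: List[Finding] = []
    for e in entries:
        if e.section == "O2":
            m = BHO_RE.match(e.body)
            # A registered CLSID whose DLL is gone: typical uninstall residue,
            # and exactly the case discussed in this thread.
            if m and m["path"] == "(no file)":
                findings.append(Finding("orphan_bho", "O2", m["name"], m["clsid"]))
        elif e.section == "O23":
            m = SERVICE_RE.match(e.body)
            if not m:
                continue
            if m["path"].endswith("(file missing)"):
                # Verify on disk before drawing conclusions; the log above shows
                # this on core Windows services, so it is a "check", not a verdict.
                findings.append(Finding("file_missing", "O23", m["name"], m["path"]))
            elif m["owner"] == "Unknown owner":
                # No publisher string: worth confirming the binary's signature/source.
                findings.append(Finding("unknown_owner", "O23", m["name"], m["path"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {'orphan_bho': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"[{f.kind}] {f.section} {f.name}: {f.detail}")
    print(summarize(triage(parse_log(SAMPLE_LOG))))
```

    Run against the sample, the script reports the two orphaned BHOs by CLSID, one service whose file HijackThis could not find, and one service with no publisher; the Avira service and the Windows Live BHO produce no finding. To use it on a full log, read the saved HijackThis text file into a list of lines and pass it to parse_log; the process list and header lines are ignored by the line pattern.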


  8. Posts : 422
    windows 7 64 bit
       #8

    Tried AVG? Or a-squared Anti-Malware? I know it finds stuff MBAM does not find.


  9. Posts : 1,083
    Windows 7 Enterprise 64-bit
    Thread Starter
       #9

    I used to be a devoted AVG user until a few months ago. Now I use Avira, so it makes sense there were leftover files. Funny thing is, I used Revo to get rid of AVG, so I'm surprised there were leftovers.


 
