-
July 21st, 2004, 07:29 PM
#1
HijackThis Log
Would someone read this HijackThis log?
Ad-Aware and Spybot S&D have been run.
AVG is showing 6 trojans but is unable to fix them.
Logfile of HijackThis v1.97.7
Scan saved at 6:19:39 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\WISPTIS.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HiJACK THIS\HijackThis.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=D:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EasyTuneIV] D:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe
O4 - HKLM\..\Run: [Windows SA] D:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ClockSync] D:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...164.4605671296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5828E4DC-221E-4CC8-A728-BF7EFB577733}: NameServer = 10.150.1.10,10.***.*.**
O17 - HKLM\System\CS1\Services\Tcpip\..\{5828E4DC-221E-4CC8-A728-BF7EFB577733}: NameServer = 10.150.1.10,10.***.*.**
O17 - HKLM\System\CS2\Services\Tcpip\..\{5828E4DC-221E-4CC8-A728-BF7EFB577733}: NameServer = 10.150.1.10,10.***.*.**
-
July 21st, 2004, 08:55 PM
#2
Got it down to 5 viruses found by AVG but unable to heal:
PSW.BRISS.C
PSW.BRISS.H
1stbar.3ae
polall1T.exe
Alchem.exe
Anybody got a fix?
-
July 21st, 2004, 10:37 PM
#3
I feel that there may be a keylogger installed on this machine. Anyone, HELP
please.
-
July 22nd, 2004, 01:20 AM
#4
Try running AVG while in Safe Mode; that way (hopefully) AVG will have access to the files so it can get rid of them.
I hope this helps,
Byan
-
July 22nd, 2004, 02:59 AM
#5
The files that AVG cannot heal are the viruses themselves; delete them, or let it remove them to the Virus Vault and then delete them from there. They are not system files.
Or use MoveOnBoot to delete them. After installing, it creates a new item to the right click menu, instead of Delete, choose Delete at Next Boot, and reboot, they will be gone.
Close all browsers and Windows Explorer and have HJT 'fix' these.
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=D:\Windows\System32\wsaupdater.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Windows SA] D:\Program Files\WindowsSA\omniscient.exe
Reboot and delete the D:\Program Files\WindowsSA folder and delete the D:\Windows\System32\wsaupdater.exe file. These are part of the Blazefind hijacker. It is a good thing Ad-Aware did not do anything about these; you would not be able to get into Windows. HJT can do it safely.
-
July 22nd, 2004, 05:48 AM
#6
Moved to the HJT forum
-
July 22nd, 2004, 08:16 PM
#7
OK, here's the new log.
Thanks for the help so far.
Logfile of HijackThis v1.97.7
Scan saved at 7:11:11 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\HiJACK THIS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EasyTuneIV] D:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MoneyAgent] "D:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ClockSync] D:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://video.manheim.com/lib/LiveSound.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...164.4605671296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Service
-
July 22nd, 2004, 09:30 PM
#8
-
July 23rd, 2004, 05:32 AM
#9
Not quite.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O4 - HKCU\..\Run: [ClockSync] D:\PROGRA~1\CLOCKS~1\Sync.exe /q
Reboot into safe mode following the instructions here & navigate to & delete the following if found:
the D:\PROGRA~1\CLOCKS~1 folder
Reboot normally.
-
July 23rd, 2004, 11:22 AM
#10
Originally posted by crunchie
Not quite.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':
O4 - HKCU\..\Run: [ClockSync] D:\PROGRA~1\CLOCKS~1\Sync.exe /q
Reboot into safe mode following the instructions here & navigate to & delete the following if found:
the D:\PROGRA~1\CLOCKS~1 folder
Reboot normally.
I'm trying to learn about HJT. Can you please explain what is wrong with that entry?
-
July 23rd, 2004, 11:31 AM
#11
ClockSync - synchronizes your system clock with an internet time server. It's by WhenU, the makers of the SaveNow spyware, and they're usually seen in tandem, so it's advised to replace it with one of the many spyware-free alternatives available.
From Sysinfo
-
July 23rd, 2004, 11:34 AM
#12
-
July 23rd, 2004, 08:40 PM
#13
Many thanks to all of you.
Crunchie put the finish on it, as after doing the O4 ClockSync etc. it shows no viruses when doing an AVG scan.
Unless it becomes reinfected, it is working nicely. The PC is on a LAN, if that helps any of you gurus at solving one like this in the future. Thanks again.
-
July 25th, 2004, 04:16 AM
#14
You are welcome