
Infected Business PC, customer desperate

Discussion in 'Windows - Virus and spyware problems' started by PeaInAPod, Jun 29, 2006.

  1. PeaInAPod

    PeaInAPod Active member

    Joined:
    Nov 28, 2005
    Messages:
    3,050
    Likes Received:
    0
    Trophy Points:
    66
    To those here to help thanks.

    I recently acquired a business PC that was believed to be "infected". Upon running and installing Ad-Aware, Spybot S&D, and an anti-virus app and scanning, the anti-spyware came back 100% clean but the A/V came back with 3 trojans. I ran HijackThis and came up with this log file . . .

    Logfile of HijackThis v1.99.1
    Scan saved at 12:04:05 AM, on 6/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Softwin\BitDefender9\bdnagent.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Hijack This!\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.actlink.net:8081
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{87A66E96-718F-4A56-A196-BD1D76FE3D1B}: NameServer = 63.71.245.4 63.71.245.5
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I was mainly concerned with entry O17 and the three O20 entries. I am not very skilled yet at reading these log files but am working on it. If someone could tell me if anything in this log file shouldn't be running, that would be great.

    Many thanks for helping. - PeaInAPod :~)
     
  2. Phantom69

    Phantom69 Regular member

    Joined:
    Apr 22, 2005
    Messages:
    1,235
    Likes Received:
    0
    Trophy Points:
    46
    Number 20 is good, it's from SpySweeper. I am also concerned about no. 17; have you tried selecting it and clicking Fix?

    I don't know what that is. Have PeerGuardian running in the background, fully updated, and surf the net; see if it tries to connect. If it is bad, PeerGuardian should pick it up and block it, and give you the name of what it is. Otherwise I don't know.

    Sorry, couldn't be more help.
     
  3. dolphin2

    dolphin2 Guest

    I'm learning also but came up with these results for the items in question:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{87A66E96-718F-4A56-A196-BD1D76FE3D1B}: NameServer = 63.71.245.4 63.71.245.5

    This is an internet/LAN connection to IP 63.71.245.4 and 5. It connects to Applied Computer Technologies of Illinois.

    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    In order they are:
    Intel Graphics Accelerator Helper Module
    Windows Genuine Advantage
    WebRoot SpySweeper Module

    All the O20 items seem to be OK. The one in question is the O17. Is it needed?

    EDIT: I forgot to mention that sometimes SpySweeper and the Windows Genuine Advantage stuff don't always play nice together. I don't know what the problems are, but that's something to look at.
     
    Last edited by a moderator: Jun 29, 2006
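The two sections picked apart above (O17 NameServer entries and O20 Winlogon Notify DLLs) are the kind of thing a small script can triage before anyone reads the whole log by hand. The following is an added example, not code from this thread or from HijackThis: it parses lines in the v1.99 log format, flags any O17 resolver that the machine's owner has not confirmed (the ISP's two addresses from the thread are used as the confirmed set), and flags any O20 DLL whose file name is not on a known-good list built from the three DLLs identified in the post above. The sample log is constructed; its last O20 line uses a made-up placeholder DLL name purely so the unknown-DLL branch has something to report.

```python
import ipaddress
import re

# Constructed sample in HijackThis v1.99 format. The O17 line and the first
# three O20 lines mirror the entries discussed in the thread; the final O20 line
# is a placeholder (not a real file) added so the unknown-DLL check fires.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.actlink.net:8081
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A66E96-718F-4A56-A196-BD1D76FE3D1B}: NameServer = 63.71.245.4 63.71.245.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: placeholder - C:\WINDOWS\SYSTEM32\placeholder_unknown.dll
"""

# A scan line starts with a section code such as R1, F2, N3 or O17 and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")
NOTIFY_RE = re.compile(r"Winlogon Notify: (\S+) - (.+)$")

# Winlogon Notify DLLs the thread identified as legitimate, by file name.
KNOWN_NOTIFY_DLLS = {"igfxsrvc.dll", "wgalogon.dll", "wrlogonntf.dll"}


def parse_hjt(text):
    """Return (section, body) pairs for every scan line such as 'O17 - ...'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries, expected_dns, known_dlls=KNOWN_NOTIFY_DLLS):
    """Flag O17 resolvers outside expected_dns and O20 DLLs outside known_dlls.

    expected_dns is the set of resolver IPs the machine's owner has confirmed
    (in the thread, the ISP's two servers). Returns a list of (section, reason)
    findings; an empty list means neither section needs a closer look.
    """
    findings = []
    for section, body in entries:
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if not m:
                continue
            # The registry value may list servers separated by spaces or commas.
            for token in re.split(r"[ ,]+", m.group(1).strip()):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    findings.append((section, f"unparseable NameServer value {token!r}"))
                    continue
                if str(ip) not in expected_dns:
                    findings.append((section, f"resolver {ip} not confirmed by the owner"))
        elif section == "O20":
            m = NOTIFY_RE.search(body)
            if not m:
                continue
            name, path = m.groups()
            dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if dll not in known_dlls:
                findings.append((section, f"Winlogon Notify '{name}' loads unrecognised DLL {dll}"))
    return findings


if __name__ == "__main__":
    confirmed = {"63.71.245.4", "63.71.245.5"}  # ISP resolvers confirmed in the thread
    for section, reason in triage(parse_hjt(SAMPLE_LOG), confirmed):
        print(section, "-", reason)
```

The point of `expected_dns` being an argument rather than a built-in list is the one the thread arrives at: an O17 entry is only "safe" once the owner has confirmed the addresses belong to their ISP, so the script refuses to judge resolvers it has not been told about. A real log would be read from a file and the `KNOWN_NOTIFY_DLLS` set extended with whatever the owner's installed software legitimately registers.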
  4. PeaInAPod

    PeaInAPod Active member

    I searched dogpile.com for "Applied Computer Technologies of Illinois" and came up with a dial-up internet service that's operated by none other than ACT Internet (A=Applied, C=Computer, etc.), so I guess it had something to do with his internet, which he confirmed was with the ACT company. I still don't understand what it was doing, but it's from his Internet company so it can't be anything malicious/harmful.

    I would like to say thank you to all who took time out of their day to reply to my thread so quickly. So to Dolphin2 and Phantom69, I wish you all the best of luck and many thanks.

    I was wondering, as I would like to learn how to better read HijackThis logs, is there any specific info/internet site that you can think of that would be a good place for me to start learning?? Thanks :~)

    -PeaInAPod
     
  5. Phantom69

    Phantom69 Regular member

    I'm not sure about where to learn, but if you read a couple of threads here on AD where people have posted their HijackThis logs and the problem has been solved, and you start familiarising yourself with Windows processes and certain common software executables and registry keys, it's really easy to pick up.

    Oh, and btw, no problem dude.
     
  6. PeaInAPod

    PeaInAPod Active member

    That's a good idea. I'll probably do that. Again, thanks Phantom69.
     
  7. Phantom69

    Phantom69 Regular member

  8. dolphin2

    dolphin2 Guest

    There are several different ways to learn HiJackThis logs. The best is: http://forum.malwareremoval.com/viewtopic.php?t=233&sid=256efac3aa9f648cb37a08621efe470d

    It's like a course you take to learn what tools to use.

    Another site:
    http://www.security-forums.com/viewtopic.php?t=13810&
    ------
    http://www.malwarehelp.org/how-to-curepart-3-using-hijackthis-scan-

    Then there is this: http://digg.com/security/HijackThis_Log_File_Analysis

    I haven't used the last one, but it is supposed to be good. You just copy and paste the log file and it tells you the results.

    Hope this helps.
     
    Last edited by a moderator: Jun 30, 2006
  9. Phantom69

    Phantom69 Regular member

    Hey, that's really good stuff dolphin, I never knew about them, I had to learn myself lol
     
  10. dolphin2

    dolphin2 Guest

    I'm in the beginning stages of taking the course offered by the first link.
     
  11. Phantom69

    Phantom69 Regular member

    I'm already at school, I think I'll stick to teaching myself lol. 3 months is a while for me, homework too. Dang man
     
  12. dolphin2

    dolphin2 Guest

    I understand.

    That last link can always be used for quick checks.

    I just ran the posted log thru the HijackThis Log File Analysis online. The only thing it questioned was that O17 entry, which we now know as safe. It asked if the IP address was known and, if not, the entry should be deleted. Don't know how it will do with other infections, but I'm going to try it out and see what it shows. Mostly I'm interested in whether it shows how to get rid of some things that are bad.

    Will post back results of some log scans.

    ---------

    Here's a link to an infected log. Take a look at what it reports.
    http://www.hijackthis.de/logfiles/f1ce011c64f68d3b5e946d8344172668.html

    Note: this is only there for 3 days
     
    Last edited by a moderator: Jun 30, 2006
  13. PeaInAPod

    PeaInAPod Active member

    @ dolphin2

    That online Malware Class thing is right up my alley. I am currently finishing high school and during the summer I can work on it at night and sometimes during the day, seeing as my job doesn't require me to be there full time (it's great to be a kid :~) lol). Anyway, the links are awesome.
     
  14. PeaInAPod

    PeaInAPod Active member

    - Double Post -
     
    Last edited: Jul 1, 2006
  15. Phantom69

    Phantom69 Regular member

    lol, I'm only on a 3 week holiday right now, I can't use summer hols for it because I'm going overseas this year. So there really is no time for me :( but I am learning from what others say lol
     
  16. dolphin2

    dolphin2 Guest

    @PeaInAPod
    Glad you found them useful. Also good to hear that you are so interested that you would work on it during the summer and after work. You sound like a very energetic young person.

    @Phantom69
    I also understand your feelings on the course. Where are you planning on going? Just a general tour or do you have planned stops?
     
  17. Phantom69

    Phantom69 Regular member

    I'm going south to Tasmania for a 6 day 60 km hike :D

    Plus I have a whole bunch of other stuff that I have to do, like major assignments and things, during the holidays, so it's pretty much already packed lol
     
    Last edited: Jun 30, 2006
  18. dolphin2

    dolphin2 Guest

    That's quite a hike. What are the temps going to be like at this time of year in that area?
     
  19. Phantom69

    Phantom69 Regular member

    Well, actually at that time of year it's supposed to be unpredictable conditions, so we have to carry heaps of stuff in case of emergencies etc.

    More than likely it will be subzero during some stages though.
     
  20. dolphin2

    dolphin2 Guest

    I live in the desert. That's way, way too cold for me! I'd freeze my tail off!! LOL!
     
