question about hijackthis report

mentalcrisis00

Senior member
Feb 18, 2006
522
0
0
Hey all

My computer has been running fine, but I'm paranoid. Paranoid as I am, I installed Ad-Aware last night and ran a scan and found a trojan, which surprised the heck out of me because I use SpywareBlaster and AVG antivirus. Anyway, I ran HijackThis and wondered if anyone sees anything suspicious. It all looks fine to me, but maybe someone more savvy with malware could identify something that I missed.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\FRAPS\FRAPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MESA2\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\RunOnce: [KB926239] rundll32.exe apphelp.dll,ShimFlushCache
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
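As an added example (not part of the original post and not HijackThis code), here is a small Python triage pass over O4 and O23 lines of the kind posted above. It mechanises what a reviewer checks first by eye: autorun entries given as a bare file name (CTHELPER.EXE, nwiz.exe) are found through the search path, unquoted paths with spaces are parsed ambiguously, binaries under the user profile or Temp are a classic tell, and a system process name outside the Windows directory is almost always an impostor. The sample input is copied from the log above plus one constructed bad entry ([Updater], a made-up path) so that every check has something to fire on.

```python
"""Autorun triage for a HijackThis-style log (O4 Run entries, O23 services).

Added example for this thread, not code from the original post or HijackThis.
It mechanises the first checks a log reviewer makes by hand: a bare file name
(no directory) is resolved through the search path, so a same-named file planted
earlier in that path runs instead; an unquoted path with spaces is split
ambiguously by CreateProcess; a binary under a user-writable folder is a tell;
a system process name outside the Windows directory is almost always an impostor.
rundll32.exe entries are judged by the DLL they load, not by the host.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the posted log plus one hypothetical
# entry ([Updater], a made-up path) so that every check has something to fire on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\someone\Local Settings\Temp\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")
EXT = r"\.(?:exe|dll|com|scr|pif|bat|cmd|vbs|js)"
QUOTED_RE = re.compile(r'^"(?P<exe>[^"]+)"(?P<rest>.*)$')
PATH_RE = re.compile(r"^(?P<exe>[A-Za-z]:\\.*?" + EXT + r")(?P<rest>(?:[\s,].*)?)$", re.I)
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\desktop\\",
                 "\\application data\\", "\\appdata\\", "\\local settings\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
                "smss.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")  # explorer.exe lives in c:\windows

@dataclass
class Entry:
    kind: str    # "O4" (autorun) or "O23" (service)
    name: str
    exe: str     # the binary that actually executes (the DLL for rundll32 entries)
    quoted: bool

def split_command(cmd: str):
    """Split a Run/ImagePath command line into (exe, remaining args, was_quoted)."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m["exe"], m["rest"].strip(), True
    m = PATH_RE.match(cmd)
    if m:
        return m["exe"], m["rest"].strip(), False
    exe, _, rest = cmd.partition(" ")  # no drive letter: a bare name
    return exe, rest.strip(), False

def parse_log(text: str):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        exe, rest, quoted = split_command(m["cmd"].strip())
        if ntpath.basename(exe).lower() == "rundll32.exe" and rest:
            # rundll32 is just the host; judge the DLL it is told to load.
            exe, _, quoted = split_command(rest.split(",", 1)[0].strip())
        entries.append(Entry(line.split(" ", 1)[0], m["name"], exe, quoted))
    return entries

def triage(entry: Entry):
    """Reasons an entry deserves a second look; an empty list means it looks normal."""
    reasons = []
    exe = entry.exe.lower()
    if "\\" not in exe:
        reasons.append("bare file name resolved via search path")
    elif not entry.quoted and " " in exe:
        reasons.append("unquoted path with spaces")
    if any(tag in exe for tag in USER_WRITABLE):
        reasons.append("binary in a user-writable location")
    if ntpath.basename(exe) in SYSTEM_NAMES and ntpath.dirname(exe) not in SYSTEM_DIRS:
        reasons.append("system process name outside the Windows directory")
    return reasons

def triage_log(text: str):
    """Map entry name -> reasons, for the entries that were flagged."""
    return {e.name: r for e in parse_log(text) if (r := triage(e))}

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")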
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
It appears to me that your log is OK.

1) What was the Trojan in question?

2) consider getting a second opinion from a different antivirus program by using online scanners. Suggestion: F-Secure's online scanner, use Internet Explorer since this is ActiveX-driven. If it detects malware, get the report at the end and post exactly what malware it found. This will take a while, so maybe run it overnight (or watch a movie or something ).

3) vet your system for vulnerable stuff using Secunia's Personal Software Inspector :thumbsup: and fix any issues it brings up.

4) if you have any high-risk browsing (or even if you don't), you can declaw lots of exploits and attacks by running your browser from a non-Admin user account.
 

mentalcrisis00

Senior member
Feb 18, 2006
522
0
0
it looks like F-secure scanner found 3 viruses, two W32/TiBs.BKHE and 1 W32/Downloader. I actually got a Thus worm from an attachment that one of my professors sent me a week ago, could this be where all my problems are stemming from? At any rate I disinfected the entries, should I have deleted them? It looked like the files were attached to important registry entries. Should I just reformat and be done with it? Every time I find a virus I feel the need to reformat, must be an OCD thing.

Suggestions?
 

mentalcrisis00

Senior member
Feb 18, 2006
522
0
0
Result: 4 malware found
Tracking Cookie (spyware)

* System (Disinfected)

W32/Downloader (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{84B2F8B5-0BBB-4B74-8477-BD56095E0BD8}\RP15\A0007369.EXE (Submitted)

W32/Tibs.BKHE (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{84B2F8B5-0BBB-4B74-8477-BD56095E0BD8}\RP27\A0011100.EXE (Submitted)
* C:\PROGRAM FILES\COMMON FILES\GTK\2.0\BIN\GSPAWN-WIN32-HELPER.EXE (Submitted)

Theres the report, should I get a different antivirus? AVG doesn't seem to be doing the job, though it did stop that Thus worm from running a week ago.
 

mentalcrisis00

Senior member
Feb 18, 2006
522
0
0
Also I have a question on making a non admin account, I have a huge amount of programs that I need on my admin. Is there a way to make an exact copy of the admin on another account? It doesn't really specify on your site, unless I'm blind.
 

mentalcrisis00

Senior member
Feb 18, 2006
522
0
0
well the disinfect didn't take, I scanned again with F-Secure and the 3 malwares showed again, I deleted them. I scanned yet again and still had 1 infection.

Result: 1 malware found
W32/Tibs.BKHE (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{84B2F8B5-0BBB-4B74-8477-BD56095E0BD8}\RP170\A0016657.EXE (Deleted & Submitted)
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: mentalcrisis00
well the disinfect didn't take, I scanned again with F-Secure and the 3 malwares showed again, I deleted them this time and scanned again and that seemed to do the trick

That's good news. From F-Secure's results, it may be that your system didn't have a "live" infection, depending on whether the GSPAWN-WIN32-HELPER.EXE was a false-positive or not, and whether anything was launching it. The HJT log seems to indicate not. We may never know

Anyway, you might want to try AntiVir's free version if you want a free antivirus, since it has good detection rates. It's a trade-off in a few ways (its real-time scanner will ask you what to do with each infected file, for example). If you decide to try AntiVir, then get it installed, right-click the tray icon, choose "Configure AntiVir" and enable Expert mode, then max out the detection options.

Regarding non-Admin accounts, what I suggest is to make a new Administrator account, so you can then change your existing account from Admin to non-Admin (and back again if necessary). Tada, all your settings are preserved The downside is that you may run into some "gotchas" on WinXP. They can often be resolved, but it's not guaranteed to be 100% hassle-free. PM me if you need help ironing out problems with non-Admin accounts.

Personally, I'd rather be 100% certain that my system didn't have leftover infections that are simply too well-hidden to be found, so if my rig got infected, I would unplug all but my boot drive, nuke it with DBAN to wipe all data and the boot sector, then reinstall Windows and fix whatever security shortcomings let the infection occur. But I know that would be a big chore for most people who've got lots of games and software to reinstall.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
FYI, in the future, if you should scan and see something like what you had, i.e., C:\SYSTEM VOLUME INFORMATION\_RESTORE{84B2F8B5-0BBB-4B74-8477-BD56095E0BD8}\RP170\A0016657.EXE, this is from a restore point. It's not active unless you restore the restore point where it's located.

All you need to do is create a new restore point and delete the old ones.

One last thing: Your Java is out of date. Download the latest update. Via Add/Remove Programs, delete ALL of the Java versions - they'll have the coffee cup icon next to them. Then, run CCleaner. Reboot.
Now, install the update.
 
sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |