
Posted

Haven't cleaned up my laptop in a long time, just updated everything, CCleaned, and defragged (free of viruses/spyware as well). If there is anything left to clean up in the log please let me know:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:32:14, on 01/12/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\Program Files\ClamWin\bin\ClamTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/anglia/support/...s/ebraryRdr.cab

O20 - AppInit_DLLs:

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 3888 bytes

  • Administrator
Posted

Log looks clean. I would recommend getting avast over ClamAV because ClamAV has a horrible detection rate. You may also want to run JavaRa to get rid of old Java versions.

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta.

Default-color items are optional, red are known to be malicious.

Created registry value

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Changed registry value

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Malware added these

O1 - Hosts: ::1 localhost

Enumeration of existing IE's BHO's

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

Hijack of default URL prefixes

O13 - Gopher Prefix:

Downloaded Program Files item

O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/anglia/support/...s/ebraryRdr.cab

AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys

O20 - AppInit_DLLs:

Posted

Hmmm, I already ran JavaRa beforehand; I updated to Java 6 Update 10 and removed all older versions. I know what you mean about avast, but I really want it to run stand-alone, which I don't know how to do.

Can all of the above safely be deleted then? Just worried what these are:

O1 - Hosts: ::1 localhost (pretty sure I haven't had malware in ages)

O13 - Gopher Prefix:

O20 - AppInit_DLLs:

If you could just explain these for me please, I'll happily remove them all.

  • Administrator
Posted

I'd rather have an av installed that I know works rather than have a poor standalone one. Avast doesn't take many resources or RAM so there shouldn't be any problem running it.

The O13 and O20 are blank. You can keep or remove the O1 entry for hosts. Just ignore it if you want, it's IPv6 format.
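An added example, not from this thread and not part of HijackThis or Lunarsoft's converter: a small Python triage script that parses HijackThis `Rx`/`Ox` lines and applies the reasoning given above (blank O13/O20 sections, the `::1 localhost` line as the IPv6 loopback mapping, an O2 BHO that points at `(no file)` as an orphaned registration, O4 autoruns and O16 ActiveX downloads as items to verify), then diffs two log excerpts to list what a cleanup removed. The excerpts are constructed from entries quoted in this thread; the verdict labels and rules are my own assumptions, not HijackThis output.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpts: entries taken from the two logs posted in the thread.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O13 - Gopher Prefix:
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/anglia/support/...s/ebraryRdr.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

# Every HijackThis item line starts with a section code such as R1, F2 or O23.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code, e.g. "O2"
    rest: str  # everything after "O2 - "


def parse(log_text: str) -> list:
    """Return the item entries of a log; header and process list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("rest")))
    return entries


def triage(e: Entry) -> tuple:
    """Classify one entry; returns (verdict, reason). Rules are this example's own."""
    rest = e.rest.strip()
    if e.code in ("R0", "R1"):
        url = rest.split("=", 1)[1].strip() if "=" in rest else ""
        if not url:
            return "empty", "no value set"
        host = urlparse(url).hostname or ""
        if host == "go.microsoft.com":
            return "default", "Microsoft fwlink default for Internet Explorer"
        return "review", f"IE start/search page points at {host}"
    if e.code == "O1":
        if rest == "Hosts: ::1 localhost":
            return "benign", "IPv6 loopback mapping shipped in the Vista hosts file"
        return "review", "non-default hosts entry"
    if e.code == "O2":
        if rest.endswith("(no file)"):
            return "orphaned", "BHO registered but its DLL is missing from disk"
        return "info", "BHO backed by a file on disk; verify the publisher"
    if e.code in ("O13", "O20") and rest.endswith(":"):
        return "empty", "section present but blank"
    if e.code == "O4":
        return "review", "autorun entry; verify the path and publisher"
    if e.code == "O16":
        m = re.search(r"https?://\S+", rest)
        host = (urlparse(m.group(0)).hostname if m else None) or "unknown"
        return "review", f"ActiveX download (DPF) from {host}"
    return "info", "no rule"


def report(log_text: str) -> list:
    """(code, verdict, reason) for every entry in the log, in log order."""
    return [(e.code, *triage(e)) for e in parse(log_text)]


def removed_between(before: str, after: str) -> list:
    """Entries present in the first log but absent from the second."""
    after_set = set(parse(after))
    return [e for e in parse(before) if e not in after_set]


if __name__ == "__main__":
    for code, verdict, reason in report(LOG_BEFORE):
        print(f"{code:<4} {verdict:<9} {reason}")
    print("removed by the cleanup:", [e.code for e in removed_between(LOG_BEFORE, LOG_AFTER)])
```

Running it against the full logs rather than the excerpts only requires pasting them into the two strings; the parser ignores the header and process list because those lines carry no section code.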

Posted

I'll do a clean-up later and post here. Avast still slows down startup a lot, and I just don't need it running all the time. I'm genuinely interested in seeing what the detection rates are like for ClamWin compared to other AVs.

  • Administrator
Posted

I've not seen avast slow down any machines that I've installed it on unless they were very old/outdated. You don't have much loading on startup. Prefetch and Superfetch should ease what's loading too, so be sure to allow them time to learn about avast on boot.

Posted


How do I do the prefetch and superfetch thing? Also, where did you learn about the bad detection rates for clamwin?

  • Administrator
Posted

If you haven't changed any services, Windows will take care of prefetch and superfetch automatically.

av-comparatives doesn't have it listed and I cannot recall where I've seen it, but I saw many places say ClamAV is horrible (I've used it and completely agree). I did find this however.

Posted


I admit, looks bad, lol, I'll go back to avast and see how things are tomorrow.

However, are there no avs that are or have the option for stand-alone that are good?

Posted

I tried Kaspersky AVP tool quite a while back - it does tie up some memory, even though it has no real-time protection. Awful big download (27.8 MB), considering that the only way to update it is to download the whole thing again! It installed itself on my desktop, without giving me a chance to select the install location, and couldn't be moved. May have improved since then, however - I haven't tried it again since.

It uses the same engine as the full Kaspersky AV, which is quite good (though Avast is better), but it may not have its advanced heuristics (according to an old listing on AV-Comparatives, don't know if it still applies).

As for Clam, I did find a "secondgrouptest" from Feb. 07 on AV-Comparatives where they tested ClamWin; it had an overall detection rate of 53%. Dismal - but, it did better than Comodo AV! ;)

Posted


Cheers for the info. What are your views, Tarun? Have you tested Kaspersky recently?

EDIT: Tried Kaspersky; horrible, keeps trying to uninstall when I close, no option to update, not what I'm looking for at all unfortunately. Here is my log after the cleaning, anything else Tarun?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:59:21, on 04/12/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\SearchFilterHost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: ::1 localhost

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 2454 bytes

  • Administrator
Posted

Looks good to me. I've tried Kaspersky before but never cared much for it. Then again, I don't really care much for any av software since I don't have the need, but if I had to use any I'd pick avast for sure.
