Hijackthis logs - Techist - Tech Forum

Old 03-22-2005, 02:53 AM   #1 (permalink)
Super Techie
 
Join Date: Oct 2004
Posts: 384
Hijackthis logs

My sister's PC has been picking up the Win32.Tibick.F worm (I think that's the correct name) virus for the past couple of days. My virus software (Vet antivirus) says it's been deleted, but it keeps appearing as another filename...

I did all the online and offline spyware scans, virus scans, CWShredder... EVERYTHING. They didn't pick up anything, but the virus keeps coming back...

This is what came up in the logs:

2005/03/18 08:01:23.061 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014628.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 12:28:57.210 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014629.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 12:50:41.506 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014630.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 13:40:46.487 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014631.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 14:39:41.470 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014632.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 15:39:41.477 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014633.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 16:45:21.622 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014634.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 18:17:35.409 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014635.exe is Win32.Tibick.F worm. Deleted.

2005/03/21 18:39:41.566 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014636.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 07:07:04.112 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014637.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 07:42:26.474 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014638.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 09:00:24.400 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014639.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 10:44:56.739 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014640.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 13:43:20.119 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014641.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 14:42:15.122 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014642.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 15:43:20.002 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014643.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 16:43:20.028 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014644.exe is Win32.Tibick.F worm. Deleted.

2005/03/22 17:42:14.981 File infection: C:\System Volume Information\_restore{2F627D24-7AFA-4189-8837-627BBF6BAE54}\RP53\A0014645.exe is Win32.Tibick.F worm. Deleted.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:17 PM, on 22/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
\Network\ben\Software\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.google.com/gmail
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sygate.com/swat/support/spf50_reg.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [Startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1107332110673
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

Mr. tech is offline  
Old 03-22-2005, 03:13 PM   #2 (permalink)
Ultra Techie
 
Join Date: Apr 2004
Posts: 617

Hi Mr. tech

You need to clear out your System Restore. You are safe as long as they stay in there, but if you do a System Restore then the viruses will come back.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

This should clear them out. Do another scan and see if it gets detected again.

Your log looks clean, by the way.

Lobos
__________________
AdAware | Spybot S&D 1.4 | spyware guard & spyware blaster |

How did I get infected in the first place By Tony Klein

If you use IE I suggest using these two programs: IE Hosts & IE-SPYAD


Lobos is offline  
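As an added example (not code from the thread or from any of the tools mentioned in it), the triage a log helper would do on Vet detection lines like those quoted above: parse each "File infection" line and check whether every hit lives inside a System Restore point (System Volume Information\_restore{GUID}\RPnn), which is the situation Lobos describes, versus a file on the live file system. The sample lines are constructed, with a placeholder GUID and file names, and the third line is a made-up live-system hit so both branches are exercised.

```python
import re
from collections import Counter

# Constructed sample modelled on the Vet log lines quoted in the thread;
# the GUID and file names are placeholders, and the third line is a
# made-up live-system hit so both branches of the triage are exercised.
SAMPLE_LOG = """\
2005/03/21 12:28:57.210 File infection: C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP53\\A0000001.exe is Win32.Tibick.F worm. Deleted.
2005/03/21 13:40:46.487 File infection: C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP53\\A0000002.exe is Win32.Tibick.F worm. Deleted.
2005/03/22 07:07:04.112 File infection: C:\\WINDOWS\\system32\\placeholder.exe is Win32.Tibick.F worm. Deleted.
"""

# "<timestamp> File infection: <path> is <threat name>. <action>."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) File infection: "
    r"(?P<path>.+?) is (?P<threat>.+?)\. (?P<action>\w+)\.$"
)
# Restore-point copies live under System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I
)

def parse_log(text):
    """Return one dict per 'File infection' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        rp = RESTORE_RE.search(ev["path"])
        ev["restore_point"] = rp.group(1) if rp else None  # None = live file
        events.append(ev)
    return events

def triage(events):
    """Separate restore-point copies from detections on the live system."""
    live = [e["path"] for e in events if e["restore_point"] is None]
    per_rp = Counter(e["restore_point"] for e in events if e["restore_point"])
    return {
        "total": len(events),
        # True means every hit is a cached copy; purging restore points is enough.
        "restore_point_only": bool(events) and not live,
        "per_restore_point": dict(per_rp),
        "live_paths": live,
    }
```

A report where `restore_point_only` is true matches the advice in the reply above (clear the restore points, rescan); any entry in `live_paths` means the file is still on the running system and needs separate attention.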
Old 03-22-2005, 04:05 PM   #3 (permalink)
Super Techie
 
Join Date: Oct 2004
Posts: 384

Thanks mate, will do
Mr. tech is offline  
Old 05-20-2005, 10:21 AM   #4 (permalink)
Techie Beyond Description
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817

Remove entries at your own risk

Not too bad


R3 - Default URLSearchHook is missing
Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.
__________________
Osiris is offline  