Latest posts of: John McKenna
My PC Hell Forum
November 23, 2008, 09:39:29 AM *
1  Windows XP Assistance / Security-Virus/Spyware / Re: Hi Jack this logs on: June 05, 2006, 05:07:59 PM
It's a bit of an eye opener, isn't it!

Great choice of HJT school by the way. They have some of the best teachers around at Geekstogo.

Say goodbye to your sanity!! (and social life if you have one)
2  Windows XP Assistance / Security-Virus/Spyware / Re: Hi Jack this logs on: May 31, 2006, 03:32:03 PM
I understand exactly what you mean about teaching yourself. When I first started learning HijackThis, I went down the same road but was lucky enough to have a HJT Moderator on Webuser take me under his wing and train me on a one-to-one basis. However, two years ago the state of play in the malware removal scene was nothing like what it is today. Two years ago most infections could be removed by HJT and deleting the files manually. Most infections these days require specific removal tools and registry fixes to clean a machine up. You only have to run Ewido anti-malware on a machine suspected of being infected to see where malware hides these days.

I'm now lucky enough to have access to numerous hidden forums on the big anti-spyware sites so keeping abreast of the latest fixes is easy. Without this access, I would spend most of my time googling for a fix to every problem I come across. If you are serious about learning the ways of HJT, I urge you to join at least one anti-spyware school. The wealth of information you will learn by doing so will save you months of personal research. You will learn the dos and don'ts of HJT, the pitfalls and of course the all important fixes to the latest infections you'll come across on a regular basis.

The following sites all provide free malware removal training if you're interested:

GeekstoGo

Malware Removal.com

Bleeping Computer

SpywareInfo

Tom Coyote

Hope that helps. :)
3  Windows XP Assistance / Security-Virus/Spyware / Re: Prevx1R on: May 27, 2006, 08:20:52 PM
Of course, I'm going malware hunting now.  Drive image at the ready

You can test it out on the latest Smitfraud variants by installing a certain codec pack which contains the trojan. I'll pm you the link.
4  Windows XP Assistance / Security-Virus/Spyware / Re: Hi Jack this logs on: May 27, 2006, 08:14:55 PM
Explorer.exe is fine. As long as it's in the correct location it doesn't make any difference whether it's upper/lower case or a mixture of the two.

As for the rest of the log, you're right, it's fine as far as malware is concerned. I threw 2 bogeys in there, one of which you got, one you didn't.

The Reset 5 entry I added. You were right with your first hunch that it's a "crack" or in this case a product activation bypass. This is what CastleCops has to say about the related 023 service:

Quote
In this case srvany.exe is loading resetservice.exe as a service. May be found in the company of O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll Windows XP Product Activation Bypass So as to avoid the registration process on boot-up. Typically used on a pirated Operating System.

http://castlecops.com/o23list-780.html


I was a little sneaky with the other red herring, but you'll never forget to check it again. The first thing you should always check is the OS and Service Pack status. If you look at the top of the log you'll see there are no Service Packs. This can often point to a pirated OS. The first thing to do in such circumstances is to get the user to install SP1a. SP2 should always be left until it's been established the machine is completely clean as, you'll probably know, malware cripples SP2 installations.

Are you teaching yourself HijackThis or have you enrolled in a HJT school?
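As an added example (not code from the post or from HijackThis itself), a small Python triage script that encodes the two checks described in this post: the OS/Service Pack status read from the Platform line, and an O23 service with an unknown owner hosted by srvany.exe, paired with any O20 Winlogon Notify DLL of the same name. The sample lines are constructed from the log posted in this thread; the regexes assume the HJT v1.99.1 line layout shown there.

```python
import re

# Constructed sample: a few lines in the shape of the HJT v1.99.1 log posted in this thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: reset5 - C:\\WINDOWS\\SYSTEM32\\reset5.dll
O23 - Service: Reset 5 - Unknown owner - C:\\WINDOWS\\system32\\srvany.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\\Program Files\\Eset\\nod32krn.exe
"""

PLATFORM_RE = re.compile(r"^Platform:\s*(?P<os>.+?)\s*\(")
O20_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<name>\S+)\s*-\s*(?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service:\s*(?P<name>.+?)\s*-\s*(?P<owner>.+?)\s*-\s*(?P<path>.+)$")


def triage(log_text):
    """Return human-readable findings for an HJT log: a missing Service Pack, and
    unknown-owner services hosted by srvany.exe (paired with a same-named O20 DLL)."""
    findings, notify, services = [], {}, []
    for line in log_text.splitlines():
        line = line.strip()
        if m := PLATFORM_RE.match(line):
            # HJT prints e.g. "Windows XP SP2 (...)"; no "SPn" token means no service pack installed.
            if not re.search(r"\bSP\d", m.group("os")):
                findings.append("No Service Pack reported: " + m.group("os"))
        elif m := O20_RE.match(line):
            notify[m.group("name").lower()] = m.group("path")
        elif m := O23_RE.match(line):
            services.append(m.groupdict())
    for svc in services:
        if svc["owner"].lower().startswith("unknown") and svc["path"].lower().endswith("srvany.exe"):
            # srvany.exe wraps an arbitrary program as a service; "Reset 5" -> "reset5" to match the O20 name.
            key = re.sub(r"\s+", "", svc["name"]).lower()
            note = "Unknown-owner service '%s' hosted by srvany.exe" % svc["name"]
            if key in notify:
                note += "; matching Winlogon Notify DLL " + notify[key]
            findings.append(note)
    return findings
```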
5  Windows XP Assistance / Tips & Tricks / Re: Event Viewer Redirection Registry Hack on: May 26, 2006, 10:31:11 AM
Better late than never, Strum!
6  Windows XP Assistance / Security-Virus/Spyware / Re: Malware Removal Tools (by AV companies) on: May 26, 2006, 08:52:39 AM
NOD32 Removal Tools:

http://www.eset.com/download/free-virus-remover.php

7  Windows XP Assistance / Security-Virus/Spyware / Re: Sun Java on: May 26, 2006, 08:49:34 AM
Sun Java J2SE Update 7 has been released. Get updating folks. :)
8  Windows XP Assistance / Security-Virus/Spyware / Re: Hi Jack this logs on: May 26, 2006, 08:48:46 AM
Can you tell me if there's anything wrong with this one?


Logfile of HijackThis v1.99.1
Scan saved at 13:43:01, on 26/05/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJTHotkey\HJTHotkey.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\GIANT Company Software\Spam Inspector\siMain.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120826510781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144828707140
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1DE9C7D-8FAA-48E7-82A1-3516B8911227}: NameServer = 212.159.6.10 212.159.6.9
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe

9  Windows XP Assistance / Security-Virus/Spyware / Anti-spyware program installs WhenU adware on: May 15, 2006, 01:57:47 PM
What a complete joke. Do the makers really expect people to put up with that? In the words of the great Homer Simpson, "DOH!"
10  Windows XP Assistance / Security-Virus/Spyware / AntiSpyware on: May 15, 2006, 01:54:00 PM
The simplest way to tell is to manually locate the said files or registry entries the program detected. Only then will you know whether you are dealing with detections or false positives. Also bear in mind that different companies can often have differing opinions on what constitutes worthy additions to their definitions.
11  Windows XP Assistance / General Problems / confused about this on: May 10, 2006, 08:22:48 PM
Looking at the product descriptions, the paid-for version of AVG isn't that much better than the free version. The full product offers scanning of "potentially unwanted programs" so it detects spyware/adware etc. (no mention of removing them, mind).

The free edition is limited in the following ways.....

Quote

* AVG Free Edition cannot be installed on server operating systems (such as Windows Server 2003), nor can it be used for the scanning of network drives.

* Scheduling options in the AVG Free Edition are very limited (only one scheduled update per day, one scheduled scan per day etc.).

* AVG Free Edition receives updates via a lower priority service. Priority updating via ultra reliable Akamai servers is only available for purchased products.

* AVG Free Edition does not offer advanced testing options, such as automatic healing, password-protected archives reporting, adjustment of scan process priority and many others.

* AVG Free Edition has no technical support!

So for a single machine in the home, AVG Free is fine and I'd much prefer to rely on dedicated anti-spyware apps for the detection (and removal) of "potentially unwanted programs".

I'd say that chap is talking out of his derriere.  
12  Windows XP Assistance / General Problems / windows not updating on: May 03, 2006, 06:35:49 AM
I'm glad you're sorted Wanabe. I suspect your clock was the problem.

The dll's I had you re-register are needed for Windows Update to work and are a common fix for such problems.

On a side note, you need to install a quality 3rd party firewall to protect your computer. The Windows firewall only blocks incoming traffic. What does this mean to you? Put simply, if you ever pick up a pest which likes to "phone home" to its controlling server, you are powerless to stop it and wouldn't even know it was happening. A software firewall will question any outgoing requests and ask you to set a permission.

Click the link in my signature for a guide on how to protect yourself on the internet.  

John
13  Windows XP Assistance / General Problems / windows not updating on: May 02, 2006, 08:39:54 PM
What firewall software do you have installed?

Double-click the clock in your taskbar and then click the Internet Time tab.

Click the drop-down menu, change the server to "time.nist.gov", then click Apply > OK.

Then try re-registering the dlls again and rebooting.

Did you navigate to your C:\ using Windows Explorer to find the text file look.txt ?
14  Windows XP Assistance / General Problems / windows not updating on: May 02, 2006, 03:17:34 AM
A few things for you to try Wanabe.

First of all check the process svchost.exe is allowed internet access in your firewall configuration.

Check your clock is set correctly. Windows Update won't work if not correct.

Then re-register these dll files. First, close all instances of Internet Explorer.

Then go to Start > Run and paste each of these commands into the open field clicking OK after each.

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 msxml3.dll
regsvr32 jscript.dll
regsvr32 atl.dll
regsvr32 Mshtml.dll
regsvr32 Shdocvw.dll
regsvr32 Oleaut32.dll
regsvr32 Actxprxy.dll
regsvr32 initpki.dll


If still no joy, paste this command into the Run box:

Quote
regedit /e c:\look.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate"


It will create a text file which you will find at C:\look.txt

Paste the contents back here.
15  Windows XP Assistance / Security-Virus/Spyware / Sun Java on: May 01, 2006, 08:31:09 PM
This is the link you want Don.

http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/119/pid/306/post/last/m/1#LAST

:) <--where is the normal smiley?