Topic: need assistance, please take a look at this HijackThis Log

Ragnor (Newbie)
need assistance, please take a look at this HijackThis Log
« on: November 09, 2010, 04:56:25 PM »
Comodo has helped me get my system back under control, but I'm sure there is still something left in here.
I have persistent attempts to connect from China and Saudi Arabia. My system keeps trying to announce itself to various IPs and I just don't feel comfortable with it. I wish I had time to learn to counterhack, but I'm afraid I have a "real job" I have to go and waste my life at =) oh well. Thanks for looking.

[attachment deleted by admin]

Valentin N (Malware Research Group)
Re: need assistance, please take a look at this HijackThis Log
« Reply #1 on: November 09, 2010, 05:14:59 PM »
I have looked at it but I will look into it again tomorrow; I will go to sleep now, but it looks quite okay.

I will look at the software that you have installed.

Regards,
            Valentin
Skype: comodohelper (Personal)

CEVPN: Valentin N

CIS 6.3

Keep CTM alive by voting


jay2007tech (Malware Research Group, Global Moderator)
Re: need assistance, please take a look at this HijackThis Log
« Reply #2 on: November 09, 2010, 05:28:42 PM »
Quote
MSIE: Unable to get Internet Explorer version!
that can't be good

delete the following

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common
O23 - Service: [at]%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

I strongly recommend running a boot disk (there are various rescue systems, but this is what I use):
http://www.avira.com/en/support-download-avira-antivir-rescue-system

Then use the Windows installer. Run it, and click on "check for repairs" (something like that).

P.S. Change all your passwords, including the email.
« Last Edit: November 09, 2010, 05:36:38 PM by jay2007tech »
It's hard being a crooked Admin when the files won't pass an md5checksum test.  But like any other good crooked Admin it can be done, it just takes time(and lots of it) and a few aspirins

Ragnor (Newbie)
Re: need assistance, please take a look at this HijackThis Log
« Reply #3 on: November 10, 2010, 06:35:04 PM »
Thanks for your response. I deleted the files as you said; here is the new HJT log.
Sorry for the delay I had to do that work thing and will be headed back there soon.

[attachment deleted by admin]

Ragnor (Newbie)
Re: need assistance, please take a look at this HijackThis Log
« Reply #4 on: November 10, 2010, 06:36:51 PM »
I am particularly concerned with the %systemroot% files with unknown owners

jay2007tech (Malware Research Group, Global Moderator)
Re: need assistance, please take a look at this HijackThis Log
« Reply #5 on: November 10, 2010, 06:46:21 PM »
Quote
I am particularly concerned with the %systemroot% files with unknown owners
I agree too

Do you have the Windows 7 installer disc? If not, you can get a Windows 7 system recovery disc from here
(choose from 32x and 64x):
http://neosmart.net/blog/2009/windows-7-system-repair-discs/
Follow the steps there because they're torrent files (it has a step-by-step guide to getting it and running it).

You'll choose the one to repair files :)

sorry I don't know what I was thinking ???

just follow this below (it's easy) :)
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

sorry :)

« Last Edit: November 10, 2010, 06:50:42 PM by jay2007tech »

Valentin N (Malware Research Group)
Re: need assistance, please take a look at this HijackThis Log
« Reply #6 on: November 11, 2010, 04:55:02 AM »
Can someone tell me what this exe is for? CIJURJTAC.exe


Jagdish (Comodo Member)
Re: need assistance, please take a look at this HijackThis Log
« Reply #7 on: November 11, 2010, 09:08:53 AM »
Mod break: the following advice is flawed and therefore edited. Please don't follow it. The considerations of JamesFrance and jay2007tech given after this hit the nail on the head here.

Delete these entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O23 - Service: [at]%systemroot%\system32\CISVC.EXE,-1 (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)

Hope it helps!
 :)
« Last Edit: November 11, 2010, 07:11:06 PM by EricJH »

JamesFrance (Comodo's Hero)
Re: need assistance, please take a look at this HijackThis Log
« Reply #8 on: November 11, 2010, 02:28:56 PM »
Quote
Delete these entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O23 - Service: [at]%systemroot%\system32\CISVC.EXE,-1 (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)

Hope it helps!
 :)

Are you a trained Malware removal expert?

HijackThis is not a tool for beginners to mess about with, and I see no reason to suggest deleting the entries for Comodo DNS, which is what you are suggesting.
James

jay2007tech (Malware Research Group, Global Moderator)
Re: need assistance, please take a look at this HijackThis Log
« Reply #9 on: November 11, 2010, 06:54:10 PM »
Could a mod please remove the post by Jagdish. There is no justification to remove those entries.

For the entries in O17 from the HijackThis log: those are Comodo DNS entries <-- those are safe.

As for CISVC.EXE (file missing):
It has 2 purposes.
It's for Windows indexing, and the other is that it can be used for a keylogger (repairing the altered file will solve those problems). The file just needs to be repaired. That's all. If the person doesn't like the Windows indexing service, all the person needs to do is go to services.msc and set it to "manual". But the file needs to be fixed first. If the person asks, I'll show how step by step.
Follow the link below to repair the altered files:
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html


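The rules argued in Reply #2 (entries whose binary is missing) and Reply #9 (the O17 NameServer values are Comodo DNS and are safe; a missing CISVC.EXE is a repair job, not a deletion) can be applied mechanically to a HijackThis log. The helper below is an added example, not code from the thread or from HijackThis; the sample log is constructed from the lines quoted above plus one O17 entry with a documentation-range address (198.51.100.53) to show the non-allowlisted case, and the allowlist contains only the two Comodo resolvers named in the thread.

```python
import re

# Comodo SecureDNS resolvers, as identified in the thread above.
TRUSTED_NAMESERVERS = {"156.154.70.22", "156.154.71.22"}

# Constructed sample: entries quoted in this thread, plus one O17 line with a
# documentation-range address (198.51.100.53) to show the non-allowlisted case.
# HijackThis writes the resource-string prefix as "@"; the forum rendered it as "[at]".
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F67D0F1-A561-4780-B3B7-E206FF2E020D}: NameServer = 198.51.100.53
O23 - Service: [at]%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: [at]%systemroot%\system32\CISVC.EXE,-1 (CISVC) - Unknown owner - C:\Windows\system32\CISVC.EXE (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{0,2}) - (?P<body>.*)$")
NS_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
SVC_RE = re.compile(r"\((?P<name>[^)]+)\) - ")


def triage(log_text):
    """Return (section, verdict, detail) tuples: 'ok' = known-good,
    'review' = needs an analyst decision, 'repair' = run sfc /scannow."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O17":
            ns = NS_RE.search(body)
            ips = set(ns.group("ips").split(",")) if ns else set()
            if ips and ips <= TRUSTED_NAMESERVERS:
                findings.append((sec, "ok", "Comodo DNS: " + ",".join(sorted(ips))))
            else:  # any resolver outside the allowlist may be a DNS hijack
                bad = ",".join(sorted(ips - TRUSTED_NAMESERVERS)) or "no NameServer value"
                findings.append((sec, "review", "unexpected NameServer: " + bad))
        elif sec == "O23" and "(file missing)" in body:
            svc = SVC_RE.search(body)
            name = svc.group("name") if svc else "?"
            owner = ", unknown owner" if "Unknown owner" in body else ""
            findings.append((sec, "repair", f"{name}: binary missing{owner}"))
        elif sec in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append((sec, "review", "empty IE setting: " + body.split(",")[-1].rstrip(" =")))
    return findings
```

Calling `triage(SAMPLE_LOG)` marks the CCS NameServer line as ok, the constructed 198.51.100.53 line for review, and both O23 services as repair candidates, which is the split Reply #9 argued for.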