Looking for malware...created HijackThis log

VGI · October 12, 2009, 2:05am

Forgive me. I only have enough time to do a HijackThis system scan and save a logfile.
I know that I should make time to do all that I am asked to do in Comodo Forum

Just the same, I’d like someone to take a look.

I am nowhere near knowledgable enough to truly understand the log below, but even I suspect the last entry to be EVIL. (last entry: O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe)

I also notice that HijackThis did not scan my other two hard disks. (I have three, one is partitioned)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:41 AM, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Avast4\aswUpdSv.exe
d:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\PnkBstrA.exe
d:\Program Files\Avast4\ashMaiSv.exe
d:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
D:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [COMODO Internet Security] “D:\Program Files\Comodo\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [avast!] d:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - D:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

–
End of file - 5350 bytes

alaertsxan · October 12, 2009, 7:52am

Hi,

PnkBstrA.exe is part of PunkBuster, which is on his own part again of games like Battlefield 2142 and America’s Army. So it’s a legit application.

In your hijackthis logfile, I haven’t found anything, so you should be safe.

Hijackthis only checks the harddrive were Windows is installed on.

best regards,
eXPerience

VGI · October 12, 2009, 9:49am

So far, I have made thorough scans using AVAST, Spybot S&D, and Malwarebytes.

[b]Avast got these:
Win32:Spyware-gen [Spy]

F:\3Gb_backup\Psalm\downloads\Getright\getrt450.exe%MAINDIR%\fsg.exe
Win32:Adware-gen [Adw]

D:\Gamez\Game_Patches\Arcanum\Arcanum1074_exe.ace\Arcanum.exe
Win32:Trojan-gen [Virus/Worm]
[/b]

Also, I scanned using Spybot S&D. Disappointingly it did not find anything, which was surprising.

I was able to make a thorough scan using the latest updated Malwarebytes.
Malwarebytes got the most malware:
[b]
Malwarebytes’ Anti-Malware 1.41
Database version: 2944
Windows 5.1.2600 Service Pack 3

10/12/2009 3:35:03 PM
mbam-log-2009-10-12 (15-35-00).txt

Scan type: Full Scan (C:|D:|E:|F:|)
Objects scanned: 469491
Time elapsed: 52 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Downloads & Drivers\Cracks\Sony Sound Forge\0fIKSt4146\Sony.Sound.Forge.v8.0.Incl.Keygen-SSG\keygen\keygen.exe (Trojan.Downloader) → No action taken.
D:\Downloads & Drivers\Cracks\Sony Sound Forge\0k8wc359HZ\Keygen\KeyGen [ Sony Sound Forge 8.0d Build 128 ].exe (Trojan.Downloader) → No action taken.
D:\Downloads & Drivers\Cracks\Sony Sound Forge\Zk3bMYvb81\Sony.Sound.Forge.v8.0b.Incl.Keygen-SSG\keygen\keygen.exe (Trojan.Downloader) → No action taken.
D:\Program Files\mIRC\mirc.exe (Trojan.Downloader) → No action taken.
D:\Program Files\mIRC\backup\mirc.exe (Trojan.Downloader) → No action taken.
E:\Downloads & Drivers\Cracks\Sony Sound Forge\0fIKSt4146\Sony.Sound.Forge.v8.0.Incl.Keygen-SSG\keygen\keygen.exe (Trojan.Downloader) → No action taken.
E:\Downloads & Drivers\Cracks\Sony Sound Forge\0k8wc359HZ\Keygen\KeyGen [ Sony Sound Forge 8.0d Build 128 ].exe (Trojan.Downloader) → No action taken.
E:\Downloads & Drivers\Cracks\Sony Sound Forge\Zk3bMYvb81\Sony.Sound.Forge.v8.0b.Incl.Keygen-SSG\keygen\keygen.exe (Trojan.Downloader) → No action taken.
E:\Program Files\mIRC\mirc.exe (Trojan.Downloader) → No action taken.
E:\Program Files\mIRC\backup\mirc.exe (Trojan.Downloader) → No action taken.

I have since had Malwarebytes remove these infections.

Did I do good? I am sure that, I would be able to find more although I do believe I should use other anti-virus/malware programs.

Also, my LEXMA mouse still won’t get detected.[/b]

alaertsxan · October 12, 2009, 1:18pm

That spybot didn"t detect something doesn’t surprise me, it’s not what it used to be…

MBAM only found some cracks and Mirc, http://www.mirc.com/, not sure if you need it, if so, it was a false positive.

I don’t know what files Avast got, I’m not much with the names :-.

I sujest you try A-squared antimalware free. (see guide) it has great detection, one of the best, but has a high FP’s rate, so be carefull

best regards,
eXPerience

VGI · October 14, 2009, 6:19am

Will try A-Squared then.

About Spybot S&D, its immunization function is still great, right?

HeffeD · October 14, 2009, 7:23am

Not really.

All it’s doing is adding hundreds of URL’s to your HOSTS file, which can slow your system down.

VGI · October 18, 2009, 12:12pm

What does this adding of URL’s do to make my system more secure?

Kyle142 · October 18, 2009, 12:16pm

EXP - Do you need to quote all of his post? It takes up most of the page needlessly…

jay2007tech · October 18, 2009, 6:13pm

D:\Gamez\Game_Patches\Arcanum\Arcanum1074_exe.ace\Arcanum.exe Win32:Trojan-gen [Virus/Worm]

in specific

Arcanum1074_exe.ace

The dual extensions caught my interest

Mirc

Do you use mirc??? Basicly do use IRC???

AVAST, Spybot S&D, and Malwarebytes.

IMO, Get rid of Spybot S&D. If you feel you need another opinion, get "Prevx" to use for a second opinion. You have to do the deletes manually. If you feel it maybe a false positive, submit the file here and you get instant results on your screen (in a few minutes) http://camas.comodo.com/cgi-bin/submit Give it a few minutes, before the results show. If you don't understand the results, copy and paste the results here and will give you an answer :)

alaertsxan · October 22, 2009, 3:07pm

Kyle, I deleted it.

D:\Gamez\Game_Patches\Arcanum\Arcanum1074_exe.ace\Arcanum.exe Win32:Trojan-gen [Virus/Worm] in specific Quote Arcanum1074_exe.ace The dual extensions caught my interest

you have better eyes than me ;). but I think you're wrong about this one = http://spywarefiles.prevx.com/RRFCHF11237467/ARCANUM%20ENGLISH%20PATCH%201074.EXE.html

eXPerience

HeffeD · October 23, 2009, 12:41am

Your system will not make a connection to any URL listed in the HOSTS file. So the theory is that by adding all these URL’s, you won’t get any malware because your system can’t visit those URL’s.