    #1 - Member (Join Date: Aug 2006, Posts: 27, Points: 2)

    Second HiJackThis log due to suspicious entries

    7) Some suspicious entries have been found in your log. The next step is to run HijackThis again and create another log file. Click here to create a new topic in our Spyware Help forum and paste your log within, along with a note that the Detective prompted you to do so. One of our experts will analyze your log and post a response if there is anything else you need to fix.

    These items always result in a scan by BitDefender:

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Infected with: Trojan.Exploit.Html.Codebaseexec.CC

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Disinfection failed

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018
    Deleted

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)
    Update failed

    I get about 15 requests a day from Sygate requesting to allow DLLs for Logitech. This is an item in my HiJackThis log:
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    I attached a copy of the Bit Defender scan results also.


    HiJackThis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:04:39 PM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\MXOALDR.EXE
    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    C:\Program Files\HJT\analyse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://mailcenter.comcast.net
    O15 - Trusted Zone: http://*.ebay
    O15 - Trusted Zone: http://forum.majorgeeks.com
    O15 - Trusted Zone: http://www.tigerdirect.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase7617.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127569617863
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/is...29/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0918B227-C6F1-473C-AD2E-CB27060693B3}: NameServer = 24.34.240.34,192.168.0.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
    O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    Thanks . . . Denise

    #2 - steamwiz, Member (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)

    Hi

    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe=>(NSIS o)=>zlib_nsis0018 Infected

    Trojan.Exploit.Html.Codebaseexec.CC

    This is being tagged because it is WildTangent..

    The WildTangent Web Driver is not technically considered spyware, but it does have components to update itself and gather information about your computer system ...

    Anything which updates itself could be considered a downloader Trojan, even if it's doing nothing bad... and anything which gathers information, even totally anonymous, is deemed to be spyware... personally I wouldn't worry about this... if multiple scanners were picking it up that's different, but only BitDefender ? ... and I've seen a scan from jotti... nothing else tags it as a problem...

    File: blastrb2.exe
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
    MD5 215e997c9f99febbada0b3563334ed45
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Exploit.Html.Codebaseexec.CC
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    --
    This is legit :-

    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

    For a Logitech internet keyboard - loads the software for the shortcut keys on the keyboard. Also used to display your keyboard LEDs on-screen to indicate Caps Lock, etc if it doesn't have them...

    I see no reason to not allow logitech to update a driver... if you are sure it is a logitech updater program asking for permission to update your drivers...

    --
    Your hijackthis log is clean... this is what the detective questions :-

    O15 - Trusted Zone: http://mailcenter.comcast.net
    O15 - Trusted Zone: http://*.ebay
    O15 - Trusted Zone: http://forum.majorgeeks.com
    O15 - Trusted Zone: http://www.tigerdirect.com

    By putting a URL in the trusted zone, you are giving that website permission to download anything to your computer, without asking you first...

    Would you go on holiday and leave your front door open, with a message pinned to it saying... please feel free to come inside and do what you want ? .... no... well that's what you are doing to your computer by putting URLs in the trusted zone... you should only put a site in, if you trust it & you can't get it to work without the entry...


    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP
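An added example, not code from either post, for reviewing the O15 entries steamwiz calls out: it pulls the Trusted Zone patterns out of HijackThis-format lines (a constructed sample modelled on the log above), flags wildcard patterns that trust every matching host rather than one named site, and accepts only the hosts the owner has put on a `needed` allowlist, which is this example's own convention, as are the three verdict labels.

```python
import re

# Constructed sample in HijackThis format, modelled on the O4/O15 lines quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O15 - Trusted Zone: http://mailcenter.comcast.net
O15 - Trusted Zone: http://*.ebay
O15 - Trusted Zone: http://forum.majorgeeks.com
O15 - Trusted Zone: http://www.tigerdirect.com
"""

# One O15 line has the shape "O15 - Trusted Zone: <pattern>"; the pattern may contain a wildcard.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)$")


def trusted_zone_entries(log_text):
    """Return every Trusted Zone pattern recorded as an O15 line, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            entries.append(m.group("pattern"))
    return entries


def assess_entry(pattern, needed=()):
    """Classify one Trusted Zone pattern (labels are this example's convention).
    'needed'   : host is on the owner's allowlist, i.e. a site that really does
                 not work without the entry, which is the only case the reply allows.
    'wildcard' : pattern contains '*', so it trusts every host that matches,
                 not one named site; this is the broadest kind of entry.
    'review'   : a single named host with no stated reason; check whether the
                 site actually fails without the entry, and remove it if not.
    """
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", pattern, flags=re.IGNORECASE)
    if host in needed:
        return "needed"
    if "*" in host:
        return "wildcard"
    return "review"


def review_trusted_zone(log_text, needed=()):
    """Map each O15 pattern found in the log to its verdict."""
    return {p: assess_entry(p, needed) for p in trusted_zone_entries(log_text)}


if __name__ == "__main__":
    for pattern, verdict in review_trusted_zone(SAMPLE_LOG, needed=("mailcenter.comcast.net",)).items():
        print(f"{verdict:8} {pattern}")
```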