Author Topic: Could you have a look at this HijackThis log?  (Read 7079 times)


Targa (Guest)
Could you have a look at this HijackThis log?
« on: April 06, 2010, 07:40:31 PM »
Hi:

After catching some bugs in my XP SP2 system I've collected these logs. Could you comment on what to do next? Thank you:


--------------
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3958

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

06/04/2010 4:10:06
mbam-log-2010-04-06 (04-10-06).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 205529
Time elapsed: 55 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\_avast5_\unp208321634.tmp (Malware.Packer.Krunchy) -> Quarantined and deleted successfully.
C:\Documents and Settings\fer001\Mis documentos\WPDOCS\PERSONAL\Componentes ordenador\Win3_11\ACTCALCU\WW1138.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{65E27E88-48AD-498E-AFC5-E766917777A2}\RP1477\A0064230.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Zona Clasificacion\Adobe Acrobat Professional 8.10\Keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

---------------------

Targa (Guest)
Re: Could you have a look at this HijackThis log?
« Reply #1 on: April 06, 2010, 07:42:45 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:03, on 06/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIVOS DE PROGRAMA\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\CyberLink\PowerCinema\PCMService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Archivos de programa\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Archivos de programa\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedhlp.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

Targa (Guest)
Re: Could you have a look at this HijackThis log?
« Reply #2 on: April 06, 2010, 07:43:58 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.128.167.131:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ARCHIVOS DE PROGRAMA\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Archivos de programa\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Archivos de programa\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Archivos de programa\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] C:\ARCHIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [swg] "C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Inicio rápido de Adobe Acrobat.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.targa-online.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185934666375
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://www.earthetc.com/ecwplugins/NCS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CA46AAC-8FC6-4D26-A8BC-674724112CE8}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Licencia del cliente CA (CA_LIC_CLNT) - Computer Associates - C:\Archivos de programa\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Servidor de licencias CA (CA_LIC_SRVR) - Computer Associates - C:\Archivos de programa\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Archivos de programa\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 11278 bytes

Pondus
Re: Could you have a look at this HijackThis log?
« Reply #3 on: April 06, 2010, 07:51:20 PM »
If you update Malwarebytes and scan again, does it come up clean?

Update your XP-SP2 to XP-SP3

polonus (malware fighter)
Re: Could you have a look at this HijackThis log?
« Reply #4 on: April 06, 2010, 08:22:54 PM »


Hi

Check these entries at VirusTotal:
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe
because it runs from an uncommon location, and
C:\Archivos de programa\CA\SharedComponents\CA_LIC\LogWatNT.exe
System tasks results:
Your system seems clean of harmful software. But we could not detect an active firewall.

Overview of running tasks (process | type | description):
smss.exe | System process | Session Manager Subsystem
winlogon.exe | System process | Microsoft Windows Logon Process
services.exe | System process | Windows Service Controller
lsass.exe | System process | Local Security Authority Service
Ati2evxx.exe | Driver | ATI Display Adapter Assistant
svchost.exe | System process | Microsoft Service Host Process
svchost.exe | System process | Microsoft Service Host Process
AvastSvc.exe | Virus scan | avast! Antivirus
spoolsv.exe | System process | Microsoft Printer Spooler Service
schedul2.exe | Background task | Acronis True Image Scheduler
jqs.exe | Background task | Java Quick Starter Service
LogWatNT.exe | Background task | Logwatnt
HPZipm12.exe | Driver | HP Taskbar Utility
slserv.exe | System process | modem software on CLEVO 2200C/27
svchost.exe | System process | Microsoft Service Host Process
TrueImageTryStartService.exe | Background task | TrueImageTryStartService.exe
wmiapsrv.exe | System process | Microsoft WMI Performance Adapter
Explorer.EXE | System process | Microsoft Windows Explorer
ATIPTAXX.EXE | Background task | ATI Utility
SynTPLpr.exe | Driver | Synaptics TouchPad Driver Helper
SynTPEnh.exe | Driver | Synaptics touchpad tray icon
PCMService.exe | Application | Dell media experience
WkUFind.exe | Background task | Microsoft Picture-It
SOUNDMAN.EXE | Background task | Realtek Avance Logic Inc
Acrotray.exe | Background task | Acrobat Traybar Assistant
TrueImageMonitor.exe | Background task | Part of Acronis True Image
TimounterMonitor.exe | Background task | Acronis TrueImage Monitor
schedhlp.exe | Background task | Acronis True Image Component
jusched.exe | Background task | Sun Java Update Scheduler
avastUI.exe | Virus scan | avast! Antivirus
GoogleToolbarNotifier.exe | Background task | GoogleToolbarNotifier
wuauclt.exe | System process | AutoUpdate Client
HijackThis.exe | Application | Trend Micro HijackThis v2.0.2

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

essexboy (Malware removal instructor)
Re: Could you have a look at this HijackThis log?
« Reply #5 on: April 06, 2010, 09:23:02 PM »
Hi, did you set this proxy?
 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.128.167.131:8080

What problems are you having at the moment?

Targa (Guest)
Re: Could you have a look at this HijackThis log?
« Reply #6 on: April 06, 2010, 11:35:20 PM »
Thank you both for the quick responses!

@Pondus: It appears to be clean.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3961

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

06/04/2010 22:17:42
mbam-log-2010-04-06 (22-17-42).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|)
Objects scanned: 207768
Time elapsed: 52 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------

@polonus: I've checked those files; here are the results:
C:\Archivos de programa\Archivos comunes\Acronis\Schedule2\schedul2.exe

Analysis of file schedul2.exe received on 2010.04.06 18:40:47 (UTC)

Result OK: 0/39 (0%)

pdfid.: -
sigcheck:
publisher....: Acronis
copyright....: Copyright (C) 2000-2004 Acronis
product......: Acronis Scheduler 2
description..: Acronis Scheduler 2
original name: schedul2.exe
internal name: Scheduler2
file version.: 1,0,0,247
comments.....: Acronis Scheduler 2
signers......: Acronis, Inc
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 7:07 PM 10/30/2007
verified.....: -
------

C:\Archivos de programa\CA\SharedComponents\CA_LIC\LogWatNT.exe

Analysis of file LogWatNT.exe received on 2010.04.06 18:52:02 (UTC)

Result: 1/38 (2.64%)

McAfee-GW-Edition 6.8.5 2010.04.06 Heuristic.BehavesLike.Win32.Suspicious.L

pdfid.: -
trid..: Win64 Executable Generic (58.7%)
Win32 Executable MS Visual C++ (generic) (25.8%)
Win32 Executable Generic (5.8%)
Win32 Dynamic Link Library (generic) (5.2%)
Win32 Executable MS Visual FoxPro 7 (1.5%)
sigcheck:
publisher....: Computer Associates
copyright....: Copyright (c) 2002
product......: Computer Associates LogWatNT
description..: LogWatNT
original name: LogWatNT.exe
internal name: LogWatNT
file version.: 1.52
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
------

The computer is behind a 4-port router and the firewall running is the Windows one. It should be stopping inbound traffic except for ISP diagnostic tools, Azureus, XP subnet diagnostics, UPnP subnet environment, Messenger and VLC media player, as it is configured, or at least it should be. :)

polonus (malware fighter)
Re: Could you have a look at this HijackThis log?
« Reply #7 on: April 07, 2010, 12:30:13 AM »
Hi Targa,

Considering the generic find there, it is possibly a false positive:
http://www.file.net/process/logwatnt.exe.html
and here: http://www.neuber.com/taskmanager/process/logwatnt.exe.html
You had CA Inoculate It on that machine previously, so it could be a remnant;
you probably know the uninstall or install history of your machine,
so you can read up in the given links on what is appropriate for your situation.
I think it is benign.

Con Dios,

polonus




Targa (Guest)
Re: Could you have a look at this HijackThis log?
« Reply #8 on: April 07, 2010, 12:47:35 AM »
Hi did you set this proxy
 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.128.167.131:8080
Yes, this was an anonymizer proxy that I haven't used in years, but it is disabled in IE. If you think this is a threat I can delete it in IE.
What problems are you having at the moment ?

Well, I've been missing application buttons in the task bar, so I checked for viruses... I found the bugs in the OP, now it appears they are cleared and I'm checking whether that is the case (I'm not a geek at using these bug-trapping applications). First I checked with avast! 5.0 and found some of them, but not all, and coming here and lurking for some days I've tried to follow the established protocol to get rid of bugs. Actually I'm beginning to think that the missing buttons are a corrupted file and not malware.

Thank you for your response!

@polonus:

Thank you, you are fast with responses :)
Yes, this machine was previously in CA hands. It was a package that was originally installed by the computer manufacturer. When the license expired, I uninstalled it with the uninstaller, but it seems that it didn't do a good job.

DavidR
Re: Could you have a look at this HijackThis log?
« Reply #9 on: April 07, 2010, 02:04:26 AM »
If you leave that anonymizer proxy registry key, the web shield may not be monitoring your HTTP 'port 80' traffic (I don't know if that registry entry would automatically be used by IE), unless you add port 8080 to the web shield redirect ports and uncheck "Ignore local communication".

So my guess would be since you haven't used it for years, fix that entry using hijackthis.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
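The entries essexboy and DavidR single out above (the R1 ProxyServer value, and by the same logic the O17 NameServer, O10 LSP and O16 DPF lines) are the ones in a HijackThis log that decide where a browser's traffic actually goes. The following Python script is an added example, not code from this thread or from HijackThis: it parses those entry types and reports anything that redirects traffic. The sample log embedded in it is a constructed subset of the lines Targa posted; the "expected resolvers" and "trusted ActiveX hosts" sets are assumptions chosen for this example and would be replaced with the values the machine's owner actually expects.

```python
"""Triage a HijackThis log for the entries that decide where browser traffic
goes: R1 ProxyServer, O17 NameServer, O10 Winsock LSP and O16 ActiveX (DPF)
download sources. Constructed example, not part of the thread or of HijackThis."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.128.167.131:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://www.earthetc.com/ecwplugins/NCS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CA46AAC-8FC6-4D26-A8BC-674724112CE8}: NameServer = 80.58.61.250,80.58.61.254
"""

# Assumptions for this example only: the resolvers the owner expects (here the
# two already in the log) and the ActiveX download hosts treated as trustworthy.
EXPECTED_DNS = {"80.58.61.250", "80.58.61.254"}
TRUSTED_DPF_HOSTS = {
    "go.microsoft.com", "www.update.microsoft.com",
    "fpdownload2.macromedia.com", "platformdl.adobe.com",
}

# Every HijackThis entry line starts with a section tag such as R1, O4, O17.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def review_hjt(text, expected_dns=EXPECTED_DNS, trusted_dpf_hosts=TRUSTED_DPF_HOSTS):
    """Return (kind, value, reason) findings for entries that redirect traffic."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "R1" and "ProxyServer" in body:
            # WinINet proxy: every IE/WinINet HTTP request is sent through this
            # host, so an unexpected value means a third party sees the browsing.
            value = body.split("=", 1)[1].strip()
            if value:
                findings.append(("proxy", value,
                                 "explicit WinINet proxy; confirm it is yours or clear it"))
        elif section == "O17" and "NameServer" in body:
            # Static resolvers on an interface: a foreign address here is DNS hijacking.
            servers = [s.strip() for s in body.split("=", 1)[1].split(",") if s.strip()]
            for server in servers:
                if server not in expected_dns:
                    findings.append(("dns", server, "resolver not in the expected set"))
        elif section == "O10":
            # HijackThis lists only LSPs it cannot whitelist; the DLL's publisher
            # still has to be verified by hand (sigcheck, VirusTotal).
            findings.append(("lsp", body.split(":", 1)[1].strip(),
                             "Winsock LSP not whitelisted by HijackThis; verify the DLL"))
        elif section == "O16":
            # ActiveX control installed from a URL: flag any host outside the allowlist.
            url = body.rsplit(" - ", 1)[1].strip()
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted_dpf_hosts:
                findings.append(("dpf", url, "ActiveX control from an unlisted host"))
    return findings


if __name__ == "__main__":
    for kind, value, reason in review_hjt(SAMPLE_HJT_LOG):
        print(f"[{kind}] {value}: {reason}")
```

Run against the sample it reports the 62.128.167.131:8080 proxy, the nwprovau.dll LSP and the earthetc.com ActiveX control, and stays silent on the O17 resolvers because they match the expected set; pointing it at a full saved HijackThis log works the same way, since lines outside the four sections are ignored.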

Targa (Guest)
Re: Could you have a look at this HijackThis log?
« Reply #10 on: April 07, 2010, 02:41:06 AM »
If you leave that anonymizer proxy registry key then the web shield may not be monitoring your http 'port 80' traffic (I don't know if that registry entry would automatically use that for IE), unless you add the 8080 port to the web shield redirect ports and uncheck the Ignore local communication.

So my guess would be since you haven't used it for years, fix that entry using hijackthis.

I've done it through IE and checked with HijackThis; the entry has disappeared.
Thank you for your wise clarification.

DavidR
Re: Could you have a look at this HijackThis log?
« Reply #11 on: April 07, 2010, 03:21:46 AM »
You're welcome.

Shiw Liang
Re: Could you have a look at this HijackThis log?
« Reply #12 on: April 07, 2010, 05:22:38 PM »
@Targa: If your Windows is a genuine one you can enable Windows Update to upgrade to Windows XP Service Pack 3.
^_^