system
1
What do you guys think of this:
Logfile of HijackThis v1.97.7
Scan saved at 5:32:04 PM, on 12/15/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINNT\system32\musirc4.72.exe
C:\aim.exe
D:\HijackThis.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM..\Run: [MusIRC (irc.musirc.com) client] musirc4.72.exe
O4 - HKLM..\Run: [Services] C:\aim.exe
O4 - HKLM..\RunServices: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.72.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37966.6811458333
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
Mac
2
What is metalrock.exe?
I see nothing obvious that could be spyware, but wait for our HijackThis expert raman to answer.
raman
3
I think you are infected by some Malware. Let Hijackthis fix this:
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\Run: [MusIRC (irc.musirc.com) client] musirc4.72.exe
O4 - HKLM..\Run: [Services] C:\aim.exe
O4 - HKLM..\RunServices: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.72.exe
Like MacLover2000 already said, it seems to be a worm (Randex variant?).
Test the files after a restart here: http://www.kaspersky.com/remoteviruschk.html and if they are infected, delete them, or send them to virus@asw.cz, so Avast can include them.
To make MacLover2000 a bit happy, did RAV not find them?
Please post a new log after all this.
Mac
4
To make MacLover2000 a bit happy, did RAV not find them?
oh that WOULD brighten my day :D :D :D ;D
Mac
5
system
6
Hey raman,
I am new at this; do you want me to delete these:
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\Run: [MusIRC (irc.musirc.com) client] musirc4.72.exe
O4 - HKLM..\Run: [Services] C:\aim.exe
O4 - HKLM..\RunServices: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.72.exe
and then go to http://www.kaspersky.com/remoteviruschk.html ??
Mac
7
There is a box beside them; put a check in them and have the program “fix” them.
system
8
Here is the newest log, does it look alright??
Logfile of HijackThis v1.97.7
Scan saved at 3:18:05 PM, on 12/16/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\HijackThis.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37966.6811458333
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
Mac
9
Looks clean to me. I see you have used HouseCall.
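A before/after check of the two logs posted in this thread, as an added example (not code from any poster or from HijackThis): it parses the O4 autorun lines and the running-process list, then reports whether the entries raman listed are gone from both Run and RunServices and no longer running. The function names and the RELAPSE log are assumptions constructed for illustration.

```python
import re

# O4 line shape used in the logs above: O4 - HKLM..\Run: [Name] command
O4_LINE = re.compile(r"^O4 - \w+\.\.\\(?P<key>\w+): \[(?P<name>.+?)\] (?P<cmd>.+)$")
EXE = re.compile(r"([^\\]+?\.exe)", re.I)  # first *.exe basename in a command

def autoruns(log):
    """Map (registry key, value name) -> executable basename for each O4 line."""
    found = {}
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            exe = EXE.search(m["cmd"])
            found[(m["key"], m["name"])] = (exe.group(1) if exe else m["cmd"]).lower()
    return found

def processes(log):
    """Basenames of the drive-letter paths listed under 'Running processes:'."""
    return {l.strip().rsplit("\\", 1)[-1].lower()
            for l in log.splitlines() if re.match(r"[A-Za-z]:\\", l.strip())}

def check_cleanup(before, after, flagged_names):
    """Report which flagged autoruns are gone, still registered, or still running."""
    new, running = autoruns(after), processes(after)
    flagged = {k: exe for k, exe in autoruns(before).items() if k[1] in flagged_names}
    return {
        "removed": sorted(k for k in flagged if k not in new),
        "still_registered": sorted(k for k in flagged if k in new),
        "still_running": sorted({exe for exe in flagged.values() if exe in running}),
    }

# Value names raman asked to fix; logs below are excerpts of the two posted logs.
FLAGGED = {"LoadQM", "Windows MeTaLRoCk service",
           "MusIRC (irc.musirc.com) client", "Services"}
BEFORE = r"""C:\WINNT\system32\musirc4.72.exe
C:\aim.exe
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\Run: [MusIRC (irc.musirc.com) client] musirc4.72.exe
O4 - HKLM..\Run: [Services] C:\aim.exe
O4 - HKLM..\RunServices: [Windows MeTaLRoCk service] metalrock.exe
O4 - HKLM..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.72.exe"""
AFTER = r"""C:\WINNT\Explorer.EXE
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon"""
# Constructed relapse log (not from the thread): one entry has re-registered.
RELAPSE = AFTER + "\n" + r"""C:\WINNT\system32\musirc4.72.exe
O4 - HKLM..\Run: [MusIRC (irc.musirc.com) client] musirc4.72.exe"""
```

Entries are matched by registry key and value name, so something that re-registers under a different name only shows up through the running-process comparison.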
system
10
Yeah, thanks for telling me about HouseCall, and thanks raman for telling me what to fix.
P.S. I might be getting a new computer for X-mas. Do you really prefer Macs over PCs, and what are the pros and cons of each?
system
11
Check the smss.exe file; it’s a backdoor
I would like to advise for this one!!
raman
12
No, that file is a system (2000/XP) process, if it is started from %windir%/system32!
Mac
13
P.S. I might be getting a new computer for X-mas. Do you really prefer Macs over PCs, and what are the pros and cons of each?
Cons:
PCs can run more programs than Macs can
PCs are cheaper
PCs are more commonly used
Pros:
1) Viruses are rare
2) Round pixels are better for video editing
3) Programs can run on fewer resources (e.g. the James Bond game can run on 750 MHz Windows and 450 MHz Mac)
4) Apple actually SUPPORTS their OS, as Microsoft takes ages to answer
5) Fewer security holes in the OS
If you want a desktop from Mac, try an eMac.
And if you want Windows, you can buy Virtual PC and have the choice on boot to run Windows 2000 or Mac OS.
system
14
ML,
Of course the old Mac v PC debate has been going on since time began and I wouldn’t want to comment 8)
I would, however, taken from a recent experience, add to your item No. 4 that MS don’t know what they’re talking about when they do answer :-\ and that’s from an old PC/Unix fan.
W.
system
16
Thanks for the help on the Mac vs. PC.
Also, how do you keep those things from coming back? Because musirc4.72.exe came back.
Mac
17
Someone check this, but some trojans (Dyfuca, for example) download things and install them; some spyware does the same.
Check with Spybot or Ad-aware for spyware, and Trend or Kaspersky for the trojan.